Meraki Community

Thank you.  I have already done that and waiting on a response from support.  I posted the question since so many people have had the same exact issue I hoped someone would have a resolution.  Downgrading the firmware isn't an available option.  The MX95's came with v17 firmware.  Firmware v16.9 is the minimum firmware that can be run on the appliance.

it might be YOUR only option, but Meraki might be able to downgrade it further on their end.

Ok, the L3 switch was not mentioned. But if it was solved is the most important.

Yep.  A Meraki Layer 3 device isn't an issue.  But a non-Meraki Layer 3 device downstream from the MX95 and using the default Client Tracking of MAC Address breaks everything.  If you are going to use non-Meraki Layer 3 devices in your network, they have to be in their own separate network and use IP Address.  Even though my entire environment is Cisco, it isn't compatible with Cisco Meraki.  Non-Meraki Layer 3 devices have to be in their own Network with Client Tracking set to IP Address.  Meraki devices go in their own separate Network with Client Tracking set to MAC Address.

I believe you're the first person in this forum experiencing something like this...

No.  The Forum is full of several people experiencing the same issue with other MX versions and no resolution has been provided.  Just do a quick search for TLS “Client Hello” Failure.  This is WELL known issue with Meraki MX95 security appliances.  The Cisco TAC engineers immediately said this was the issue before we even started doing PCAP's and other investigation of the issue.  This is a well known issue with Cisco Meraki support.  You cannot mix non-Meraki Layer 3 devices with MX security appliances in the same Network configuration while using MAC Address Client Tracking.

Isn't the Client-Tracking Options only for reporting usage ? I don't see how it impacts flows. Is this documented somewhere ?

Nope.  May have been in previous firmware releases.  But, now it is a core component and how Meraki moves TCP packets.  Another component of what it does id report usage, but it has gone far beyond that.  Not sure why Meraki chose to use this method of data packets.  I spent an entire afternoon on a call with an engineer from Cisco TAC and that was the first thing he said.  Issue was related to Client Tracking using MAC addresses and non-Meraki Layer 3 devices behind it.  Layer 2 non-Meraki devices aren't an issue.  Just Layer 3.

If you go in to the dashboard an look under Security & SD-WAN -> Addressing & VLANs and look at the heading for Client Tracking.  It shows the default is by MAC Address.  If you read through the description, there is a hint that this might cause issues with non-Meraki Layer 3 devices.  The last sentence says, "Clients behind a layer 3 routing device downstream from this security appliance will not be identified."  So, usage of those clients won't be able to be captured, but it also breaks TCP.

Could you provide us with the PCAPs that let you conclude that tracking breaks TCP? 

Unfortunately, I no longer have them and recreating that environment to do another PCAP is not an option.  I do have a screenshot from that time period.  Also, this wasn't a "conclusion" hunch or guess on my part.  When I saw the behavior that was happening with TCP, I started a support call with Cisco TAC.  The engineer who assisted said that what was happening was being caused by Client Tracking.

Again, it isn't Client Tracking specifically.  It is the Meraki implementation while using MAC Address for Client Tracking and having non-Meraki Later 3 devices behind the MX95.  If you are going to use the default Meraki Client Tracking of MAC Address and you have non-Meraki Layer 3 devices, you MUST use sperate Networks.  Meraki MX security appliances cannot be used in the same Network configuration as non-Meraki Layer 3 devices while using MAC Address Client Tracking.