Meraki MX misclassifying traffic

Solved
Sarv
Getting noticed


We have an MX at a customer site that is identifying DNS traffic as Pandora and is blocking it based on the Layer 7 Video/Music/Pandora Deny rule. Anyone else see this issue? I had reported this to Meraki Support at least 6 months ago and again today with no resolution. Here is a snippet from the event log (192.168.1.50 is the internal DNS server for the customer):

Source IP: 172.16.1.13
Source Port: 29590
Destination IP: 192.168.1.50
Destination Port: 53
Protocol: UDP
Block Type: DNS
NBAR ID: 1451
Classification: Pandora Internet Radio
Layer 7 firewall rule: Deny

Accepted Solution
Brash
Kind of a big deal

This may actually be a correct classification.

DNS lookups that match a given NBAR rule will get blocked.

"NOTE: DNS traffic (TCP/UDP Port 53) may also get blocked by Layer 7 rules if it contains a query for a domain the rule in question covers.

For example, you may see a block on UDP port 53 classified as "abc.com" if the "All News" rule is configured on Dashboard, and a user device sends a DNS query for said domain."

Mapping Layer 7 Firewall Rules to NBAR IDs - Cisco Meraki

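As an added illustration (not code from this thread, from Meraki, or from the linked article), the script below shows why a UDP/53 packet can legitimately carry an application classification: it extracts the QNAME from a DNS query and matches it against a domain-to-category table, then applies the documented rule to the event entry from the original post so that a DNS lookup block is labelled as such rather than reported as a misclassification. The category table, the function names and the triage labels are assumptions made for this example; the table stands in for the engine's signature data and is not Meraki's NBAR set.

```python
import struct

# Constructed, hypothetical mapping of domain suffixes to an application
# category. It stands in for the L7 engine's signature table and is NOT
# Meraki's real NBAR data.
CATEGORY_BY_DOMAIN = {
    "pandora.com": "Pandora Internet Radio",
    "abc.com": "abc.com",
}

# The event from the thread, re-keyed as a dict (values copied from the post).
SAMPLE_EVENT = {
    "Source IP": "172.16.1.13",
    "Source Port": "29590",
    "Destination IP": "192.168.1.50",
    "Destination Port": "53",
    "Protocol": "UDP",
    "Block Type": "DNS",
    "NBAR ID": "1451",
    "Classification": "Pandora Internet Radio",
    "Layer 7 firewall rule": "Deny",
}


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard DNS A/IN query for qname (constructed test input)."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def parse_qname(packet: bytes) -> str:
    """Return the first question name of a DNS message, lower-cased.

    Raises ValueError on truncated or malformed input instead of guessing.
    """
    if len(packet) < 12:
        raise ValueError("DNS header truncated")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("question name truncated")
        length = packet[pos]
        if length == 0:  # root label terminates the name
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("label truncated")
        labels.append(label.decode("ascii", errors="replace"))
        pos += length
    return ".".join(labels).lower()


def classify_dns_query(packet: bytes, table=CATEGORY_BY_DOMAIN):
    """Category whose domain the QNAME equals or is a subdomain of, else None."""
    qname = parse_qname(packet)
    for domain, category in table.items():
        if qname == domain or qname.endswith("." + domain):
            return category
    return None


def triage_event(event: dict) -> str:
    """Label a Layer 7 deny event so a DNS-lookup block is not mistaken for misclassification."""
    is_dns = event.get("Destination Port") == "53" and event.get("Block Type") == "DNS"
    if is_dns and event.get("Layer 7 firewall rule") == "Deny":
        return ("dns-lookup-blocked: query for a domain covered by the "
                f"'{event.get('Classification')}' rule (documented behaviour)")
    return f"app-traffic-blocked: {event.get('Classification')}"


if __name__ == "__main__":
    pkt = build_dns_query("www.pandora.com")
    print(parse_qname(pkt), "->", classify_dns_query(pkt))
    print(triage_event(SAMPLE_EVENT))
```

The suffix match is deliberately anchored on a label boundary (`"." + domain`), so a lookup for a lookalike such as `notpandora.com` is not attributed to the Pandora category; when reviewing event logs, the combination of destination port 53, Block Type DNS and a Layer 7 Deny is the signature of the documented lookup-blocking behaviour rather than of an engine fault.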

3 Replies
Sarv
Getting noticed

I received another response from Meraki support on this. Same thing as before. Does anyone from Meraki look at issues in this forum?

Response from Meraki: they are aware of this ongoing issue and have attached my case/ticket to the parent case.

As I stated, I opened a case for this at least 6 months ago with the same type of response.

I can only say that I am disappointed that Cisco/Meraki does not take these types of issues seriously, or they would have had a fix by now.


Sarv
Getting noticed

Thanks Brash. That makes sense.
