New MX-250 and can't ping configured Static IP <insert eyeroll here>

EBow
Comes here often


So we got a new MX-250 shipped to a data center. I sent the install guy the Meraki document on how to configure a static IP in the device. I can't ping the MX-250. I can see MAC addresses on the WAN uplinks. So L1 and L2 are working. I am using the existing address of a working Meraki. I shut interfaces and clear the ARP entries for that address prior to bringing this one online. So there is no duplicate IP addressing going on. It simply isn't responding to the configured IP. Anyone know if there is a step missing in the documentation? Steps 1-5 below are completed and still no L3 connectivity or response.

 

Connecting to WAN 

All Meraki MX devices must have an IP address. This section describes how to configure your local area network before you deploy it. A local management web service, running on the appliance, is accessed through a browser running on a client PC. This web service is used for configuring and monitoring basic ISP/WAN connectivity.

Setting up a Static IP Address 

To ensure that the client PC is redirected to the local web service in the following step, you must disable all other network services (ex: wi-fi) on your client machine.

Do the following to configure basic connectivity and other networking parameters:

  1. Using a client machine such as a laptop, connect to the management port of the MX. 
  2. Using a browser on the client machine, access the appliance's built-in web service by browsing to http://setup.meraki.com. (You do not have to be connected to the Internet to reach this address)
  3. Click Uplink configuration under the Local status tab. The default credentials use the device serial number as the username, with a blank password field.
  4. Choose Static for the IP Assignment option.
  5. Enter the IP address, subnet mask, default gateway IP and DNS server information.

 

ww
Kind of a big deal

You can't ping it unless you allow this in the firewall settings.

EBow
Comes here often

This is a new install, since when do you have to configure rules to allow pings? I say that because for our pilot we configured an MX-65W and it didn't require rules to allow us to ping the configured WAN uplink interface.

EBow
Comes here often

Let me be clear: are you saying I need to configure rules on the MX-250 to allow ping replies? That would imply it was attached to the cloud and operational. Which it isn't. I am on the local web interface to the device. We configured an IP and it doesn't respond to the configured IP or try to reach out to the cloud.

 


 

PhilipDAth
Kind of a big deal

What does the connection page say about why it can't talk to the cloud?

BrechtSchamp
Kind of a big deal

Should be allowed by default. But check it anyway:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Denying_Inbound_ICMP_on_the_MX

 

Should say "Any" by default:


 

Edit: Sorry, I only saw your post mentioning that it doesn't have cloud connectivity after I posted.

EBow
Comes here often

This device has never reached the cloud because the IP is not working.

BrechtSchamp
Kind of a big deal

What does the connection tab say about internet connectivity and cloud connectivity?

CCIE-Adam
Getting noticed

What is your upstream device from the MX250 to the Internet? Can you ping the MX from 10.255.20.1? I have banged my head against the network cabinet many nights trying to get things like that working. Clearing ARP cache, clearing MAC addresses, disabling and enabling ports did nothing. The solution: reboot the upstream device. I make it a habit to do that if I'm replacing a device that will have the same IP address as a previous device.

EBow
Comes here often

It is the weirdest thing. We changed the IP to a non-production address to test, then set up a packet capture on our firewall. After a few minutes we could see the MX-250 ARP entry on the firewall. Still, we couldn't ping it. We could see it reaching out to 8.8.8.8 over ICMP and a few other addresses via UDP. Then 20 to 30 minutes later, poof, it shows up in our Meraki dashboard and then we could ping it from the firewall. Why we couldn't ping it from the start is annoying. That is the most basic connectivity test. Why we had to wait for it to check in and do whatever it was doing is beyond me. Especially when non-technical people are deploying these in a data center and you are going behind them and verifying the connectivity and get a false negative because you didn't wait long enough for something to happen.

Owen
Getting noticed

This is all part of the Meraki "Magic" 🙂

Wait until you come across the MX250 template bug.

 

Sometimes settings just don't work on MX. Yesterday for me it was SNMPv2, which just would not poll for one site. Change the community string to a temporary value, then back to the original, and all of a sudden SNMP polling is working again.

BrechtSchamp
Kind of a big deal

Good to hear that it's solved.

 

Sounds to me like some caching problem, even though you cleared the ARP cache and shut the interface first. Maybe the endpoint cache?

PhilipDAth
Kind of a big deal

>Then 20 to 30 minutes later poof it shows up in our Meraki dashboard and then we could ping it from the firewall

 

This sounds to me like it was doing an initial firmware upgrade.
