Site-to-Site VPN and Firmware MX16.16

Solved
LucL
Here to help

Hello community,

We have 2 sites (A and B) separated by 15 km and we have two MX68, one on each site.

We use the site-to-site VPN to connect the IT between both sites.

I have upgraded the firmware on both MX68 from MX 15.44 to MX 16.16.

But I had to make a rollback because one application (the ERP) lost some packets.

After the rollback, the ERP is working well again.

The configuration is:

The ERP server is based on site A.

And clients (computers or mobile devices) are on site A and on site B.

When I had the problem, clients from site B couldn't connect to the server on site A.

The ERP client said that it can not connect to the server (server doesn't respond).

But the problem was strange: with some clients the ERP was working, and with others, the ERP was not working.

I don't know if the firmware update blocks some ports or packets.

For the moment, I only know that the ERP uses these ports:

Socket IP Divalto: 1246
Xlan: 1235
SQL - ADO.net: 1433
Browser SQL: 1434

I am investigating too with the ERP supplier, but he has never seen that.

If someone has more information about the firmware update.

Thank you,

Luc


8 Replies
cmr
Kind of a big deal

@LucL we are running 16.16 on all of our Meraki SD-WAN sites other than the main datacentre which is on 16.15 and haven't seen any such issues. 

 

  • Are you controlling what can go from one site to the other with SD-WAN firewall rules?
  • Are you using Enterprise, Advanced or SD-WAN licensing?
  • What is the load on your MXs, both in terms of the summary report and the line itself?
  • Do you have one or two WAN links at each site?
  • Have you tried upgrading one site and not the other to see where the problem lies?

 

LucL
Here to help

Hi @cmr,

I didn't apply any FW rules for the SD-WAN VPN.

We have Enterprise licensing.

The load of the MXs is good (less than 50% of the capacity of the line).

I have two WAN links on each site.

In Uplink selection, active-active AutoVPN is enabled.

But in SD-WAN policies, I preferred one link, with failover if the link is down.

I didn't try anything else, because site B could not work when I had the problem.

So I only rolled back the two MX.

Maybe it's one thing to do afterwards.

Thank you for your response.

 

cmr
Kind of a big deal

@LucL the only real difference between your setup and ours is that we load balance the SD-WAN (and have more sites).

 

Do you have another MX that you could try on a home connection to one of the existing ones?

mwiater
Getting noticed

I had similar problems where some traffic was being miscategorized and NBAR blocked it; for me it was Avaya IP Office communications as well as internal and external DNS. Turning traffic analysis off fixed that for me.

LucL
Here to help

Hi @mwiater,

Yes, that's a possibility if they changed something in the MX update.

So did you turn traffic analysis off for the whole network?

I will try it when I make the update again.

Thank you,

Luc

mwiater (Accepted Solution)
Getting noticed

I did disable traffic analysis for all networks in the organization; however, I learned on Saturday that this did not disable NBAR. Apparently NBAR is enabled if you use any layer 7 rules. We had to revert to a previous firmware version.

LucL
Here to help

Hello @mwiater, @cmr,

Sorry for my late answer.

I made some tests yesterday evening, and I updated the software to 16.16.1.

My problem came back again; the ERP application didn't work again.

And you are right @mwiater, the problem comes from the layer 7 rules.

I deleted all rules, and the ERP is now working fine with version 16.16 and later.

Maybe Meraki's team changed something in the way it inspects the payload of packets for the layer 7 rules, and now this tool is more aggressive.

But now what is the best? Make the rollback to 15.44 and use layer 7 rules, or use the latest version 16.16.1 with no layer 7 rules?...

mwiater
Getting noticed

I don't think there is a choice, at least not for me. I can only delay the firmware upgrade until sometime in May, it seems. Clients won't be thrilled that we can't use the layer 7 rules that they want, though.
