Troubleshooting MX64 not receiving IP&DNS dynamically from WAN link

KarimB
Here to help

Dear all,  

 

I'm currently using the following simple setup for my network - which works well as expected; with the MX64 WAN configured to get its IP address dynamically via DHCP from the WAN uplink

MX64 <- ethernet -> ISP router

[Update]

On the WAN, the MX gets its address/dns dynamically from the uplink

The MX runs a DHCP server for its clients: subnet 192.168.1.0/24 (MX interface 192.168.1.1)

There are no VLANs configured

[/Update]

 

I need to insert a Cisco 881 router that performs various QoS and VPN functions that the MX cannot do. 

[Update]

The 881 runs a DHCP server for its clients with subnet 10.0.2.0 255.255.255.0, and provides DNS servers from uplink

[/Update]

MX64 <-ethernet-> Cisco 881 <-ethernet->  ISP router

 

In this new setup the MX64 isn't connecting to the Meraki Cloud and local clients cannot reach the internet. When I connect locally on the MX64 (web browser to 192.168.1.1), I see the MX isn't getting IP/DNS from uplink:

Ethernet: This security appliance is trying to join a network or find a working ethernet connection

Internet:This security appliance is not connected to the Internet

Internet: This security appliance does not have a working DNS server

 

When trying to connect other devices than the MX64 in the new setup, everything works well as planned

(tried 2 PCs) <-ethernet-> 881 <-ethernet-> ISP router

 

In this last setup (just replacing the MX64 by a laptop), everything works well. The team who configured the 881 is telling me thousands of other users have this config and it works well. As the Meraki MX64 is not connected to the cloud, I can only see locally (on the local 192.168.1.1 interface in a browser) that the MX64 didn't receive an IP address from the WAN uplink.

 

My questions are

1) Under what circumstances would an MX64 not receive or accept IP addresses dynamically from the uplink ?

2) How could I further troubleshoot ?

 

Thanks! Karim.

 

 

19 Replies
Adam2104
Building a reputation

What IP address do the PCs get when they're directly connected to the 881? I suspect the addresses being given by the 881 overlap with the addresses on the inside of the MX and thus it is not accepting the address.

KarimB
Here to help

Thanks for your message - I made one change in the main question to correct the originally incorrect input 

 

I do not see overlapping IP ranges.

 

Laptop <-eth cable-> Meraki rtr <-eth cable-> ISP Internet

Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.1.248
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

 

Laptop <-eth cable-> (port 3 public) 881 <-eth cable-> ISP Internet

Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 10.0.2.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.1

Uberseehandel
Kind of a big deal

Make sure that

  • the uplink from the MX to the 881 is an untagged LAN (eg 192.168.22.0/28)
  • the MX should be configured to get an IP address from the DHCP server on the 881
  • the downlink port on the 881 has a DHCP server configured appropriately

This works for me.

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
KarimB
Here to help

Thanks - I have those 3 ticked. Works with Laptop, not with MX64 to my own surprise

PhilipDAth
Kind of a big deal

Is anything configured to use a VLAN anywhere?

KarimB
Here to help

No. Initial message updated with this info

CptnCrnch
Kind of a big deal

KarimB
Here to help

Reset & hard reset (pulling power plug) yes. Factory reset no, didn't see how or why that would help so haven't tried yet.

Uberseehandel
Kind of a big deal

When I first uplinked an MX64 to a third-party security appliance, I did have an issue that was caused by a policy that set the uplink type in a manner that conflicted with the way the MX64 needs to be configured to uplink to another security appliance. Once I removed/disabled the policy, then the MX behaved as intended.

 

It occurs to me that if you change LAN4 to WAN2 and use that for the uplink, you might get around the problem.🤓

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
KarimB
Here to help

Can you elaborate on which type of policies conflicted ?
Uberseehandel
Kind of a big deal


@KarimB wrote:
Can you elaborate on which type of policies conflicted ?

I can't find what it was that was contributing to the problem. The skeleton that remains does not configure the uplink, and I'm not sure where I would configure the profile for SDN/WAN issues. In any event, SM is not appropriate in our situation, so we don't use them.

 

But I rather suspect that I/the profile had declared the untagged uplink as a tagged VLAN.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
hervetram
Conversationalist

Maybe try to set a static IP on the MX64 and check if you get connectivity.
https://documentation.meraki.com/MX/Installation_Guides/MX64_Installation_Guide
KarimB
Here to help

As the MX is the only device that will interact with the 881, there will be no risk of conflict of IP address. So yes, this would work and I kept it in my back pocket as my plan B. Rather inelegant but likely a solution. The engineer in me however wants to understand what the f&%^ is happening behind the hood. I might have to wireshark it with a router in between the MX and 881.

KarimB
Here to help

After another 2 hours of messing up with all possibilities, I gave up and configured static IP, it worked immediately. I'll call Meraki support to understand what could have caused dynamic IP addressing to not work on the MX WAN port.

Uberseehandel
Kind of a big deal

Can you check the IP address handed out by the 881? Also, which subnet mask is in use? It is possible that the laptop you are using to connect to the 881 has its port configured in a manner that allows it to interact with the 881.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
KarimB
Here to help

Could indeed have been the issue, but in my case it's not, the public ports on the 881 are open (no advanced features like 802.1X)

 

On the 881, the config for that port is

<hostname>-881#sh run | s Home

ip dhcp pool Home
 import all
 network 10.0.2.0 255.255.255.0
 default-router 10.0.2.1
 dns-server 208.67.222.222 208.67.220.220
 lease 2

 

If I connect a laptop to the 881 directly on that public port

with the setup Laptop <-eth cable-> (port 3 public) 881 <-eth cable-> ISP Internet

 

C:\WINDOWS\system32>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . : cisco.com
   Link-local IPv6 Address . . . . . : fe80::f158:1dfc:ae0d:aaf1%11
   IPv4 Address. . . . . . . . . . . : 10.0.2.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.1

C:\WINDOWS\system32>nslookup

Address:  208.67.222.222

Uberseehandel
Kind of a big deal

When a laptop is connected to the "other" security appliance via a switch, it receives a Connection Specific DNS Suffix of Sodor.CaithnessAnalytics.com

When the same laptop is connected to the MX via a switch, it does not receive a Connection Specific DNS Suffix.

 

Is it possible that the MX is not DHCP15 aware as far as receiving an IP from another device?

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
KarimB
Here to help

errr ... you lost me Uberseehandel. With "other security appliance", I assume you mean the Cisco 881 ? If well, I'm not aware of the "DNS Suffix of Sodor.CaithnessAnalytics.com". 

 

At this stage though it works with manual IP & DNS settings (ugly but works). I'll reach out to the Meraki Support as it's clearly something on the Meraki MX wan uplink port.

 

In case Meraki support has no idea. ... I'll have to prove my point with a wireshark traffic capture MX <-> 881 ... but that would force to change the setup and put an intermediate switch in another change window ... I'd wait for vacation time to play with this. Fun to do but now no time  ...
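
The MX-to-881 capture mentioned in this thread, as an added example that is not part of any poster's message: given the DHCP UDP payloads (ports 67/68) taken from such a capture, it reports where the lease exchange stopped and also tests the subnet-overlap theory raised earlier. The function names, the `SAMPLE` messages and the outcome they produce are constructed for illustration; the addresses reuse those quoted in the thread.

```python
import ipaddress
import struct

MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Parse one DHCP UDP payload into message type, xid, offered address and raw options."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return {"type": TYPES.get(opts.get(53, b"\0")[0], "?"),
            "xid": struct.unpack("!I", payload[4:8])[0],
            "yiaddr": ipaddress.IPv4Address(payload[16:20]), "opts": opts}

def offered_network(msg):
    """Subnet implied by an OFFER/ACK: yiaddr combined with option 1 (subnet mask)."""
    mask = ipaddress.IPv4Address(msg["opts"][1])
    return ipaddress.ip_network(f"{msg['yiaddr']}/{mask}", strict=False)

def diagnose(payloads, lan="192.168.1.0/24"):
    """Report where the exchange stopped; lan is the client's inside subnet (from the thread)."""
    msgs = [parse_dhcp(p) for p in payloads]
    seen = {m["type"] for m in msgs}
    offer = next((m for m in msgs if m["type"] == "OFFER"), None)
    if offer is None:
        return "no OFFER seen: the server never answered"
    if 1 in offer["opts"] and offered_network(offer).overlaps(ipaddress.ip_network(lan)):
        return "offered subnet overlaps the client LAN"
    if seen & {"NAK", "DECLINE"}:
        return "lease refused (NAK or DECLINE)"
    if "REQUEST" not in seen:
        return "OFFER seen but client never sent a REQUEST"
    return "lease completed" if "ACK" in seen else "REQUEST never acknowledged"

def build(msg_type, xid, yiaddr="0.0.0.0", extra=b""):
    """Build a constructed sample message; this is not captured traffic."""
    hdr = struct.pack("!BBBBIHH", 1 if msg_type in (1, 3, 4) else 2, 1, 6, 0, xid, 0, 0)
    hdr += bytes(4) + ipaddress.IPv4Address(yiaddr).packed + bytes(8 + 16 + 64 + 128)
    return hdr + MAGIC + bytes([53, 1, msg_type]) + extra + b"\xff"

SAMPLE = [build(1, 0x1234), build(2, 0x1234, "10.0.2.2", bytes([1, 4, 255, 255, 255, 0]))]
```

`diagnose(SAMPLE)` describes only the constructed DISCOVER/OFFER pair; a real capture would be fed in as a list of payloads in capture order.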

Uberseehandel
Kind of a big deal


@KarimB wrote:

errr ... you lost me Uberseehandel. With "other security appliance", I assume you mean the Cisco 881 ? If well, I'm not aware of the "DNS Suffix of Sodor.CaithnessAnalytics.com". 


Sorry, I should have made myself more clear.

 

By "other security appliance" I mean a router/gateway device that is not a Meraki product.

Sodor.CaithnessAnalytics.com is the network controlled by an MX64, it is used for testing.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel