Dear all,
I'm currently using the following simple setup for my network - which works well as expected; with the MX64 WAN configured to get its IP address dynamically via DHCP from the WAN uplink
MX64 <- ethernet -> ISP router
[Update]
On the WAN, the MX gets its address/dns dynamically from the uplink
The MX runs a DHCP server for its clients: subnet 192.168.1.0/24 (MX interface 192.168.1.1)
There are no VLANs configured
[/Update]
I need to insert a Cisco 881 router that performs various QoS and VPN functions that the MX cannot do.
[Update]
The 881 runs a DHCP server for its clients with subnet 10.0.2.0 255.255.255.0, and provides DNS servers from uplink
[/Update]
MX64 <-ethernet-> Cisco 881 <-ethernet-> ISP router
In this new setup the MX64 isn't connecting to the Meraki Cloud and local clients cannot reach the internet. When I connect locally on the MX64 (web browser to 192.168.1.1), I see the MX isn't getting IP/DNS from uplink:
Ethernet: This security appliance is trying to join a network or find a working ethernet connection
Internet: This security appliance is not connected to the Internet
Internet: This security appliance does not have a working DNS server
When trying to connect other devices than the MX64 in the new setup, everything works well as planned
(tried 2 PCs) <-ethernet-> 881 <-ethernet-> ISP router
In this last setup (just replacing the MX64 by a laptop), everything works well. The team who configured the 881 is telling me thousands of other users have this config and it works well. As the Meraki MX64 is not connected to the cloud, I can only see locally (on the local 192.168.1.1 interface in a browser) that the MX64 didn't receive an IP address from the WAN uplink.
My questions are
1) Under what circumstances would an MX64 not receive or accept IP addresses dynamically from the uplink?
2) How could I further troubleshoot?
Thanks! Karim.
What IP address do the PCs get when they're directly connected to the 881? I suspect the addresses being given by the 881 overlap with the addresses on the inside of the MX and thus it is not accepting the address.
Thanks for your message - I made one change in the main question to correct the originally incorrect input
I do not see overlapping IP ranges.
Laptop <-eth cable-> Meraki rtr <-eth cable-> ISP Internet
Ethernet adapter Ethernet:
IPv4 Address. . . . . . . . . . . : 192.168.1.248
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Laptop <-eth cable-> (port 3 public) 881 <-eth cable-> ISP Internet
Ethernet adapter Ethernet:
IPv4 Address. . . . . . . . . . . : 10.0.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.2.1
Make sure that
This works for me.
Thanks - I have those 3 ticked. Works with Laptop, not with MX64 to my own surprise
Is anything configured to use a VLAN anywhere?
No. Initial message updated with this info
Have you tried a system reset on that MX64?
Reset & hard reset (pulling power plug) yes. Factory reset no, didn't see how or why that would help so haven't tried yet.
When I first uplinked an MX64 to a third-party security appliance, I did have an issue that was caused by a policy that set the uplink type in a manner that conflicted with the way the MX64 needs to be configured to uplink to another security appliance. Once I removed/disabled the policy, then the MX behaved as intended.
It occurs to me that if you change LAN4 to WAN2 and use that for the uplink, you might get around the problem.🤓
@KarimB wrote:
Can you elaborate on which type of policies conflicted?
I can't find what it was that was contributing to the problem. The skeleton that remains does not configure the uplink, and I'm not sure where I would configure the profile for SDN/WAN issues. In any event, SM is not appropriate in our situation, so we don't use them.
But I rather suspect that I/the profile had declared the untagged uplink as a tagged VLAN.
As the MX is the only device that will interact with the 881, there will be no risk of conflict of IP address. So yes, this would work and I kept it in my back pocket as my plan B. Rather inelegant but likely a solution. The engineer in me however wants to understand what the f&%^ is happening behind the hood. I might have to wireshark it with a router in between the MX and 881.
After another 2 hours of messing up with all possibilities, I gave up and configured static IP, it worked immediately. I'll call Meraki support to understand what could have caused dynamic IP addressing to not work on the MX WAN port.
Can you check the IP address handed out by the 881? Also which subnet mask is in use. It is possible that the laptop you are using to connect to the 881 has its port configured in a manner that allows it to interact with the 881.
Could indeed have been the issue, but in my case it's not, the public ports on the 881 are open (no advanced features like 802.1X)
On the 881, the config for that port is
<hostname>-881#sh run | s Home
ip dhcp pool Home
 import all
 network 10.0.2.0 255.255.255.0
 default-router 10.0.2.1
 dns-server 208.67.222.222 208.67.220.220
 lease 2
If I connect a laptop to the 881 directly on that public port
with the setup Laptop <-eth cable-> (port 3 public) 881 <-eth cable-> ISP Internet
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : cisco.com
Link-local IPv6 Address . . . . . : fe80::f158:1dfc:ae0d:aaf1%11
IPv4 Address. . . . . . . . . . . : 10.0.2.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.2.1
C:\WINDOWS\system32>nslookup
Address: 208.67.222.222
When a laptop is connected to the "other" security appliance via a switch, it receives a Connection Specific DNS Suffix of Sodor.CaithnessAnalytics.com
When the same laptop is connected to the MX via a switch, it does not receive a Connection Specific DNS Suffix.
Is it possible that the MX is not DHCP15 aware as far as receiving an IP from another device?
errr ... you lost me Uberseehandel. With "other security appliance", I assume you mean the Cisco 881? If well, I'm not aware of the "DNS Suffix of Sodor.CaithnessAnalytics.com".
At this stage though it works with manual IP & DNS settings (ugly but works). I'll reach out to the Meraki Support as it's clearly something on the Meraki MX wan uplink port.
In case Meraki support has no idea. ... I'll have to prove my point with a wireshark traffic capture MX <-> 881 ... but that would force to change the setup and put an intermediate switch in another change window ... I'd wait for vacation time to play with this. Fun to do but now no time ...
@KarimB wrote: errr ... you lost me Uberseehandel. With "other security appliance", I assume you mean the Cisco 881? If well, I'm not aware of the "DNS Suffix of Sodor.CaithnessAnalytics.com".
Sorry, I should have made myself more clear.
By "other security appliance" I mean a router/gateway device that is not a Meraki product.
Sodor.CaithnessAnalytics.com is the network controlled by an MX64, it is used for testing.