Unreliable internet since moving to Meraki

SimonReach
Getting noticed


Since we replaced our ASA on Saturday with an MX100, we've had a lot of issues and complaints about internet connectivity being slow and unreliable. As an example, someone would click a link to an article in the Guardian newspaper, it would spend 5-10 seconds thinking about it, flash up with an error saying the page cannot be loaded, and then the page would immediately pop up.

 

We can't see anything in the event logs that might be causing it, but we do get a lot of URLs blocked regarding Spotify and something called offers-api-ghostery.net. The event log also doesn't allow us to pinpoint exactly which machine tried to access the blocked content.


AMX is enabled, content filtering is turned on and the IDP is enabled as well with the ruleset set to Security.

 

9 Replies
Nash
Kind of a big deal

Could you tell us what content filtering categories you are using? Thank you.

SimonReach
Getting noticed

Abortion, Abused Drugs, Adult and Pornography, Alcohol and Tobacco, Bot Nets, Cheating (Academic), Confirmed SPAM sources, Cult and Occult, Dating, Games, Hacking, Hate and Racism, Illegal, Keyloggers and monitoring, Malware Sites, Marijuana, Nudity, Online Greeting Cards, Open HTTP Proxies, Pay to Surf, Peer to Peer, Phishing and Other Frauds, SPAM Urls, Shareware and Freeware, Spyware and Adware, Streaming Media, Swimsuits and Intimate Apparel, Unconfirmed SPAM Sources, Violence and Weapons.

Nash
Kind of a big deal

Okay, quite a few then. That may be the cause of the problem, depending on where people are going.

 

Ghostery is a browser add-on. Your end user computing staff may want to inspect the extensions people are using. I'd disable THAT first before doing anything else, then have a test user try browsing.

 

If you still have problems... You listed the Guardian as an example, right? Here's what I would do:

 

  1. Create a group policy with its own content filter settings.
  2. Only assign: Adult and Pornography, Bot Nets, Confirmed SPAM Sources, Keyloggers and Monitoring, Malware Sites, Phishing, Peer to Peer, SPAM URLs, Spyware and Adware (so like... some basics)
  3. Assign that group policy to a machine that has been having problems.
  4. Browse to the Guardian - do you have problems?
  5. Open the developer console: in Chrome, this is F12
     [screenshot: 2019-10-16 09_33_05-Reply to Message - The Meraki Community.png]
  6. Take a look at what sources are listed.
  7. On your MX, under Content Filtering, use the category lookup tool to see if those sources belong to any groups off your list. Some things you can block with impunity, other things will break websites and cause weird behavior. It takes some experimenting.
     [screenshot: 2019-10-16 09_33_56-Content Filtering - Meraki Dashboard.png]
  8. Slowly add back in your groups, one at a time, until it breaks again. Once it breaks again, you know what the problem group is and can re-evaluate.

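Added example to go with the procedure above (not Meraki's code and not from the original reply): a small helper for steps 6 to 8. It assumes two things that are not on the page: a constructed host-to-category table standing in for the dashboard's category lookup tool, and a `page_works()` predicate that in practice is the manual browse test from step 4 on the machine holding the group policy. It goes one step beyond the reply's one-at-a-time approach by bisecting the category list, which needs roughly log2(n) browse tests per culprit instead of n, and it handles the case where more than one category is breaking the page.

```python
# Added example, not Meraki's code. The lookup table and the page_works()
# predicate are CONSTRUCTED stand-ins for the dashboard category lookup tool
# and for the manual "browse to the site" test respectively.
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple

# CONSTRUCTED sample: hosts that might show up in the browser developer
# console while loading an article, with the category the (assumed) lookup
# tool assigns each one. None means the lookup returned no category.
SAMPLE_LOOKUP: Dict[str, Optional[str]] = {
    "static.example-news.test": None,
    "cdn.example-news.test": "Streaming Media",
    "offers-api.example-extension.test": "Spyware and Adware",
    "ads.example-tracker.test": "Spyware and Adware",
}


def blocked_hosts(hosts: Iterable[str], enabled: FrozenSet[str],
                  lookup: Dict[str, Optional[str]]) -> List[str]:
    """Hosts from the console list that an enabled category would block (step 7)."""
    return sorted(h for h in hosts if lookup.get(h) in enabled)


def make_page_works(needed_hosts: Iterable[str],
                    lookup: Dict[str, Optional[str]]
                    ) -> Callable[[FrozenSet[str]], bool]:
    """Build the browse-test predicate: the page 'works' when none of the
    hosts it needs fall into an enabled category (stand-in for step 4)."""
    needed = list(needed_hosts)

    def page_works(enabled: FrozenSet[str]) -> bool:
        return not blocked_hosts(needed, enabled, lookup)

    return page_works


def find_breaking_categories(categories: List[str],
                             page_works: Callable[[FrozenSet[str]], bool]
                             ) -> Tuple[List[str], List[str], int]:
    """Bisect the category list to find every category that breaks the page.

    Assumes blocking is monotone (enabling more categories never un-breaks a
    page) and that the page works with no categories enabled, which is what
    steps 1-4 establish. Returns (culprits, safe_categories, browse_tests).
    """
    remaining = list(categories)
    culprits: List[str] = []
    trials = 0

    def test(enabled: List[str]) -> bool:
        nonlocal trials
        trials += 1
        return page_works(frozenset(enabled))

    while not test(remaining):
        # Invariant: the page breaks with remaining[:hi] and works with
        # remaining[:lo-1]. When lo == hi, remaining[lo-1] is the first
        # category whose addition breaks the page, i.e. a culprit.
        lo, hi = 1, len(remaining)
        while lo < hi:
            mid = (lo + hi) // 2
            if test(remaining[:mid]):
                lo = mid + 1
            else:
                hi = mid
        culprits.append(remaining.pop(lo - 1))
    return culprits, remaining, trials


if __name__ == "__main__":
    categories = ["Adult and Pornography", "Bot Nets", "Streaming Media",
                  "Spyware and Adware", "Malware Sites", "Peer to Peer"]
    page_works = make_page_works(SAMPLE_LOOKUP, SAMPLE_LOOKUP)
    print("blocked with everything on:",
          blocked_hosts(SAMPLE_LOOKUP, frozenset(categories), SAMPLE_LOOKUP))
    print("culprits, safe, tests:",
          find_breaking_categories(categories, page_works))
```

With the constructed table, the run reports Streaming Media and Spyware and Adware as the two categories that break the sample page and leaves the other four as safe to keep enabled, using seven browse tests in total. In a real network the predicate is you (or your test user) reloading the site after each group-policy change, so the bisection order is what saves time, not the code.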
SimonReach
Getting noticed

Thank you, we've removed some of the tamer categories. We also use Kaspersky Endpoint, which does web filtering as well, so we'll see how it goes. It does seem to be the first time that someone goes to a certain website that causes the delay, but any further visits to the site are fine.

 

Also, is there a way to trace the 'Content Filtering Blocked URL' back to a particular user or machine rather than just the mac address of a Meraki device?

Nash
Kind of a big deal

@SimonReach Yes, but it depends on how your network is set up. I'd read the client tracking options document. It goes into detail on how the tracking is done. Are you running a combined network right now? What device types do you have in it?

 

If you've got L3 going on (multiple subnets for your devices) but only L2 Meraki switches, then you're going to see those clients kludged together under the L2 Meraki switch's MAC address.

 

Also, I can tell you that my company prefers to have a single source of content filtering applied in any given environment. It simplifies troubleshooting. So I might create a group policy that overrides your MX content filter with no/minimal categories, and apply that to your devices that have Kaspersky on em. It's possible to integrate this with Active Directory and do it on a per-user basis.

SimonReach
Getting noticed

Hi Nash,

 

What we've essentially done last night and this morning is change the Meraki filtering to the big things. We've got Kaspersky to restrict stuff like Facebook access, so we're now only blocking Adult & Pornography, Bot Nets, Confirmed SPAM sources, Hacking, Illegal, Keyloggers and Monitoring, Malware Sites, Open HTTP Proxies, Pay to Surf, Peer to Peer, Phishing and Other Frauds, SPAM URLs, Spyware and Adware, and Unconfirmed SPAM sources.

 

Our network is an MX100 > a stack of 2xMS250s (this has all the layer 3 and OSPF stuff on) > stack of 4xMS210s which is where the clients are plugged into.

 

edit: I've had a quick read through of the Client Tracking Options document. The only options I have for Client Tracking under 'Security and SDWAN' > Configure > Addressing & VLANs are MAC Address (what it's set to now) and IP address, which is greyed out.

Nash
Kind of a big deal

If track by IP is greyed out, that sounds like your MX is in a combined network, but just to verify...

 

In terms of Meraki dashboard setup, is that all one network within one organization?

 

I've got an org with two networks, Alpha and Bravo. Traffic to the internet flows clients -> Switch Alpha -> MPLS connection -> Switch Bravo -> Firewall Bravo.

 

When I look at the event log for it, devices that are directly on network Bravo show up as specific clients. Devices coming from network Alpha show up as Switch Bravo, since that's the first place Network Bravo sees them. The transition between networks 'breaks' the Meraki's ability to sense them as clients, as far as I can tell.

SimonReach
Getting noticed

It's a dashboard that's configured with 2 networks, one has already been setup and is fully operational and the other is yet to be upgraded to Meraki and this is at another site.

 

The 2 sites are currently connected together through MPLS, but both sites use their own internet connection. I've spoken to Meraki support, who have enabled the Meraki Identifier, which they've told me will help as I've got an MX that connects to layer 3 Meraki switches and then users connect to the MS210 stack, which plugs into the layer 3 MS250 switches.

Nash
Kind of a big deal

Oh good! Trying the identifier was my next thought. Thanks for the reminder.

 

I've got a couple clients I need to try it on.
