Subject says it all... We need proper IPV6 support in the MX Platform... Even IPV6 tunnelling doesn't work at this point.
Anyone else have soem comments?
Solved! Go to Solution.
Hi all, thank you for your continued patience on this topic. We’d like to provide an update and bring further transparency on the IPv6 status for Cisco Meraki products. Firstly, we want to acknowledge the clear gap in supporting IPv6 across the Meraki portfolio and sincerely understand the frustration that’s been expressed.
Each Cisco Meraki product has a different set of IPv6 requirements and technical complexities. IPv6 is not a single feature but rather a suite of features and capabilities that need to be enabled as a journey; which, unfortunately, is not a quick undertaking especially since we need to solve for effective management of IPv6 functionality in addition to enabling IPv6 data plane capabilities.
On our IPv6 journey, we have identified the key functions to be delivered across the Cisco Meraki portfolio. Our primary objective is to deliver IPv6 in a phased manner that is as simple and streamlined as possible to adopt for our existing and future customers. IPv6 is one of our strategic cross-product initiatives and this is backed by engineering resources we have aligned to it.
We know you have asked for details, and we don’t yet have publicly-sharable specifics, but please rest assured that we have a comprehensive plan for IPv6 support that we are aggressively driving and are committed to providing continued updates on our progress. As such, please expect the next update by the end of September 2019 on our IPv6 @ Meraki thread.
Thank you for your continued partnership,
The Cisco Meraki team
[Mod comment: We are marking this post as the solution to this thread. This is not because the issue is solved, but because we want to make the new location for updates from Meraki on this topic easier to access. That topic is: IPv6 @ Meraki.]
I have been reluctant to jump on the IPv6 bandwagon because of the need for Toredo tunnelling and for dual stacks, in most environments. In some implementations I have seen, dual stacking disables hardware offloading, which can have a big impact upon throughput.
So I would ask that a pure IPv6 implementation be introduced sooner rather than later. At that point, I'll switch over. All the AV kit, Playout devices, Smart TVs, workstations etc do IPv6 already, only the network kit doesn't,
We dropped Meraki about a year ago because of some bugs that seemed like they were never going to get fixed and for me the major issue is lack of IPv6. How does Meraki expect us to be taken seriously with our customers when they are asking for IPv6 and we couldn’t give them a straight answer? I voted with my wallet and moved to FortiNet - not to start a debate on Cisco vs X but FortiNet supports IPv6 and has a much richer feature set at a lower price point....
I hear you, we have been actively tearing Cisco & Meraki out and will continue to do so. They want their money for licenses and will turn your networks off, but they will not fix what they have promised.
I switched our MXs to Fortinet, as well. There was a bit of a learning curve, but I'm glad I did change. In two months, I have not had a single issue, particularly with the remote users VPN. I got my work-life balance back in balance. I plan to drop the rest of my Meraki stack next year when the licenses expire.
I have a feeling that when our licenses expire we will find a new solution to go with as well. At this point, not having IPv6 on the WAN just isn't cutting it.
And the final nail in the IPv4 coffin was slammed in this monday at 15:35 (UTC+1) on 25 November 2019 - And why..? We are absolutely, definitively, completely and utterly out of IPv4 addresses now...
The RIPE NCC has run out of IPv4 Addresses
Today, at 15:35 (UTC+1) on 25 November 2019, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses.
Our announcement will not come as a surprise for network operators - IPv4 run-out has long been anticipated and planned for by the RIPE community. In fact, it is due to the community's responsible stewardship of these resources that we have been able to provide many thousands of new networks in our service region with /22 allocations after we reached our last /8 in 2012.
Well, not quite I think:
ARIN’s free pool of IPv4 address space was depleted on 24 September 2015. As a result, we no longer can fulfill requests for IPv4 addresses unless you meet certain policy requirements that reserved blocks of IPv4 addresses for special cases, such as:
•NRPM 4.10: organizations may request a /24 of IPv4 address space to facilitate the transition to IPv6
•NRPM 4.4: micro-allocations to critical Internet infrastructure providers such as exchange point operators and core DNS service providers
But your are right about ARIN hold back on IPv4, and have done so for quite a while now - and only provide IPv4 for special purpose now...
It is now close enough to mid-December when another announcement is expected.
Given the complexity of the task and the perceived glacial speed in progress, I am not expecting an early IPV6 Christmas present. It is sad though. Instead of dreaming about sugar plum fairies, I am dreaming of IPV6.
You'll find an announcement from end September on this thread:
They posted an update in December here. They're building out IPv6 on their infrastructure before deploying it to the users.
at least some progress at the backend:
anyway, i request a *much higher* frequency of updates. once every three months, that's way too less!
nothing new here:
root@www:~# host dashboard.meraki.com
dashboard.meraki.com is an alias for n1.meraki.com.
n1.meraki.com is an alias for sdg333.meraki.com.
sdg333.meraki.com has address 188.8.131.52
When the time comes, I would be interested in beta testing IPV6 for MX or other hardware.
I have Charter as an ISP and when I was using a Soniclwall firewall I had four IPV6 subnets. The MR33 was able to get an IPV6 address from the Sonic wall, and devices in the WiFi also could get IPV6 addresses.
The failure of Meraki to support IPv6 in a timely manner is now really causing me big issues.
COVID-19 has caused my company to send everyone to work from home and VPN into the office.
Of course, many of the users who have never had to use our VPN are trying to use it and discovering they can't due to IPv6.
I've had to bung in a couple of pfSense firewalls in on spare IP addresses (using 2 retired Dell servers) and give these users OpenVPN for connectivity. I'm now wondering when it comes to license renewal time, why I should bother as we now have 2 perfectly serviceable pfSense firewalls in place with auto failover, VPN, Suricata, pfBlockerNg, and fully supporting IPv6. The only downside being that they're far more difficult to manage and configure than our MXs.
Just for info. I have been having the same issue. If users are getting IP v6 addresses, Telstra (Australia) IPV6 to ipv4 GW does not support L2tp VPN. What I have found is if I disable the IPV6 protocol on the WIFI or Ethernet adapter that the VPN is running on then the device gets and IP v4 address and the GW is bypassed and it works. but we do need IPV6 support and a Better VPN client for windows ASAP. it is Meraki biggest short coming. Need Client VPN to work like SDWAN does. "It just works" without me having to team viewer to clients machine to set it up every time.
@Meraki-PM-Team, this is a serious situation RIGHT NOW!
in the name of all your patient and loyal customers and resellers: PROVIDE A QUICK FIX RIGHT ***NOW***!
focus on the client VPN part and LET OUR USERS - WHO *WANT*/*NEED* TO WORK FROM HOME IN THIS DIFFICULT AND URGENT SITUATION - ACCESS OUR INTERNAL NETWORKS!!!
i am currently stopping linux updates of libreswan, because DH2/modp1024 is not anymore supported as of v3.30 (February 2020) "pluto: Disable support for DH2/modp1024 at compile time [Paul]", but required by client VPN. ipsec supports more then 1 ike algo in phase1, but support can only *switch* to DH14/modp2048.
… and by the way, the docs on https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method do still speak about DH5/modp1536 which is not possible to switch to regarding the support team. [Case 04926942].
Hopefully some of Meraki’s team will be able to concentrate more on getting this sorted if they are working from home themselves!!!
"Just for info. I have been having the same issue. If users are getting IP v6 addresses, Telstra (Australia) IPV6 to ipv4 GW does not support L2tp VPN. What I have found is if I disable the IPV6 protocol on the WIFI or Ethernet adapter that the VPN is running on then the device gets and IP v4 address and the GW is bypassed and it works. but we do need IPV6 support and a Better VPN client for windows ASAP. it is Meraki biggest short coming. Need Client VPN to work like SDWAN does. "It just works" without me having to team viewer to clients machine to set it up every time."
That works for BT over here in the UK but not for Sky Internet and for some inexplicable reason we have many users on Sky.
I agree with your sentiment. But for a VPN to work over IPV6, the MX would need to have have IPV6 address management, subnet management, routing management and perhaps even 6 to 4 and 4 to 6 if your internal network is IPV4 only.
The next update from Meraki on IPV6 will come in April. Perhaps there will be an Alpha or Beta then.
We now have half of our employees using my thrown together pfSense/OpenVPN solution due to the IPv6/VPN issues with the Meraki MX. It's not looking good for license renewal for Meraki right now. We may as well just move everyone over and wave Meraki good bye and send the other guys who assist me with infrastructure on pfSense courses. It won't be easy to persuade the boss to pay up after all the grief we've been having.
Personally, to use Meraki MX as my home office firewall, these are the IPv6 features I am using now with "not-an-MX" and am looking for in an MX.
- Prefix Delegation with Prefix Hint
- Dynamic assignment of delegated /64 prefixes from the larger /60 or /56 (see hint) to different interfaces - some physical some VLAN
- DHCPv6-lite to hand out DNS (others, NOT Android)
- RDNSS to hand out DNS (Android, others)
- Option to use either delegated or "system" DNS for DHCPv6-lite / RDNSS
That gets me going as a replica of my current setup.
Nice to have would be:
DNS64/NAT64 including the ability to have that work from PD-assigned prefixes
And of course v6 firewalling / content inspection / VPN features.
I know the potential list of v6 capabilities is far greater, and Enterprises will have an additional wish list. The above is what I consider "the essentials" for a SOHO setup.
All opinions mine, not speaking as an employee, and so on.
I am running out of solution for customers now. Telstra is Australia is using IPV6 on their mobile network with a IP6 to IP4 GW which does not support l2tp VPN
Up till now I have been disabling IPV6 on the client to get around this
I now have IOS devices with the same issue and you can NOT disable IPV6 on IOS. so VPN on IOS does not work any more.
Need IPV6 support or anyconnect VPN client support.. URGENTLY as now supplying non meraki gear to fix these issues.
I had to put the Meraki in Pass through mode, and using PFSense on my front end for Router, there I configure VPN. Open VPN etc. Then use Ipsec as forwards to the Meraki so its still in play.
I have brand new MX100 sitting on rack waiting for iPV6 Options till then pfsense is boss.
@Dudleydogg Given the VPN issues we are seeing with our MX64 I am really close to switching to a pfSense box at the office. We are all work from home right now and most people have multiple VPN pauses a day, not working too well for us 😞
We've migrated nearly everyone over to the pfSense/OpenVPN I set up on a couple of old Dell servers we had lying around. We're getting much more reliable connections and don't have any IPv6 issues. The number of support calls has really dropped and the pfSense servers are hardly breaking a sweat.
I to have abandoned Meraki and went Fortigate firewall and Ubiquiti switches/wifi. If anyone needs Fortigate pricing let me know.
Interesting you mentioned the Fortigate. We just moved most our equipment to them. Couldn't be happier. Full IPv6 support. And the VPN works great. Certainly a larger learning curve but if you already know firewalls this is the way to go.
Also, the security is muuuuuch better on the Fortigate. We ran a a test and put a fortigate between our MX our our switches with port mirroring on to see what the MX was missing. In 7 days the MX missed over 34,000 IPS attemps. Pretty sad.
I love my Meraki's don't get me wrong... but..... they are way way behind now. Its sad to watch such a great brand die.
Its not too bad, meraki is allow all and block things you dont want, where fortigate is more of granular allow what you want and get very specific, but its not over daunting.
i have used all the firewall players over the years and currently very happy. I would love to see meraki do something, its really is that with current times, to little to late.
I totally agree. The remote management and ease of configuration on the Meraki devices is absolutely brilliant. Saves me a world of headaches in that I can delegate management to other guys without needing to send them on courses or hold their hands. And if there is a visit from Captain Cockup you can always fix it remotely. Something no other firewall devices have that I'm aware of. Its a great comfort blanket.
However, despite all those wonderful features (which is why we all bought Meraki in the first place), if they don't fulfil a fundamental functionality need you have right now then they may as well be paperweights and right now that's what they are for my company with the entire company working from home. We've migrated everyone to pfSense/OpenVPN due to the issues with Meraki client VPN.
We have a 100MBit Internet connection and a 20 user maximum at any one time as the company operates in two shifts. We've been peaking at about 15 users and averaging 10 or 11 since the outbreak.
Meraki Team, Please show this thread to management. IPv6, IKEv2 and Anyconnect for client VPN are HUGE missing features. You see many customers a jumping ship because they have no choice they are complaining because they WANT to continue to use the product but can't. We know you are working on it but we as customers need/deserve a roadmap and timeline of when these features will be live so we can plan accordingly. Please no more an update in x months.
In their February IPV6 update, Meraki said that if they stay on schedule, there will be "exiting" news in April. Let's hope they are staying on schedule!
I am a long time lurker not poster, but here goes since I noticed an update in the IPv6 @ Meraki thread and wanted to get it in front of everyone in this thread as some may not be aware off or following the update thread.
TLDR: Improvements to client VPN functionality to handle IPv6 only clients to connect through a NAT64 from their providers
If you have IPv6 only connectivity and are leveraging NAT64, I urge you to share it with the community your ISP and if your setup works or doesn't.
Stay safe & healthy!
Hi Hi together!
Big thanks to you Meraki Guys and that finally started to implement IPv6!
Recognized it round about a week ago, when my switch got an IPv6 addresse after a reboot.
For your request:
1&1 Versatel Germany
Client to FW
Before I replaced my Sonicwall firewall with a MX65, I had it setup to get an IPV6 /60 subnet from Charter. My MS220-8P and MR33 picked up the correct subnet and IPV6 addresses. They also passed on Router Announcements to clients who also got IPV6 addresses on the correct subnet.
So while there may be more work on the complete product line, the big push is most likely re-architecting the MX to support a new more complex IP protocol, and the work they have done making sure the Meraki site, dashboard and backend support IPV6.
My switches used to have IPV6 addresses and it went away and the setting is grayed out now.
what did you do to enable this feature?
T-4 Days before time runs out for an IPV6 announcement that was forecast last February.
Kudos tothe team for testing out the NAT64 VPN! I wonder if Covid19 has had a negative impact on the development schedule in other ways.
The Meraki IPV6 team made their April announcement.
Understandably, the schedule has slipped. In a former life I was a software developer then software development manager, then director of product development. I am so glad I do not have that responsibility now. Covid 19 shelter in place will butcher any development schedule. I cannot imagine trying to write software at home if their are children present! The power of a team is also broken as communication and commadary is pushed through a tiny set of wires.
Does anyone know if the MX is capable of tunneling IPv6 over IPv4?
Related to GIF (Generic tunnel Interface) / NAT passing IP protocol 41?
@tfriedrich I don't believe so, there is progress on ipv6 for MR that is in closed beta but I don't believe there is an MX ipv6 beta yet available.
Can someone explain what effect having ipv6 in just the MR would have without the MX? You couldn't route IPv6 to Internet without MX right? Even if MS and MR lines had 100% support for ipv6, unless it's purely for internal site traffic, what is the benefit without the MX's involvement?
Been wondering that myself. It seems to me that IPv6 support at the edge is the most important thing to get fixed. There isn't a shortage of private IPv4 addresses. They should make the MX the priority for IPv6 support.
Not everyone is full stack Meraki. We have ~150 Meraki devices including ~25MXs but they are not used for corporate Internet edge. Our existing Internet edge devices do have full ipv6 support so MR and MS ipv6 support would have some value to us, albeit it would be much more useful if the MX SD-WAN tunnels could carry ipv6 over ipv4 even if they didn't have full ipv6 support.
as of https://community.meraki.com/t5/Full-Stack-Network-Wide/IPv6-Meraki/m-p/96763/highlight/true#M1593, we should get an update in the next few days:
We expect our next official update to be in October. In the meantime, stay safe and healthy.
hopefully they read the stuff in this thread as well. roadmap and timeline would be nice.
October has come and gone, November is also done My license will expire before I can use my MX, Meraki should offer license extensions for anyone using an MX that paid for a license but can't use the device as public-facing on WAN.
I am on the last Beta Software an still no Support for IP V6!! only Pas true Modus.
I agree with all of you since Meraki has joined Cisco it is not going better.
i found out that the page with the order formular for meraki trial installations is not working with ipv6, you will be redirected immediately to the dashboard login page instead of showing the correct trial formular. If you disable IPv6 on your device everything works fine.. strange situation which should be fixed.
Have we STILL not got IPv6 support???? All I want to be able to do is VPN into my MX64 from a mobile phone, which unfortunately beyond my control is ipv6!
The Error message I get whenever I attempt a client VPN connection:
msg: unsupported ID type 5
it's been years now!!!!! COME ON MERAKI!!!!
Meraki, please make sure your most routable device, being an MX gets IPv6 fully compliant.
LAN + WAN +DHCP, DNS, VPN tunnels, and NETSEC L3
This is a very weird fact, Meraki is very reluctant to answer and provide a proper roadmap and very slow at incorporate it in their ecosystem.
I understand, Meraki is an enterprise solution, but even then IPv6 cannot be ignored any longer.
Competitors are much further on the IPv6 roadmap:
@Peter-Loyen I'd agree, but DHCP isn't often part of the IPv6 spec as SLAAC is supposed to be used and implemented by default on BT's HomeHub for example.
I agree Meraki is behind the market for IPV6 compatibility. That said, they have been implementing IPV6 on the MS and MR line, as well as getting the dashboard available by IPV6.
The MX is the toughest as it has the most IPV6 features to implement. I do not know what the internal architecture is, but I am willing to bet it was not designed to be dual stack.
There is supposed to.be another IPV6 announcement in January, so it should come soon
February Now Still sitting on the Shelf my pretty MX100 Licence expiring and it has 0 hours usage.
Lets hope something happens soon, but if this thread is correct and Dual-Stack is not possible, that mean we have to replace all our current equipment?
I did not say Dual Stack was not possible, just that the original software was likely not designed with dual stack in mind.
It is always possible to redesign software, it just takes time to get it right.