Yet Another Fun Fact
"The Layer 7 blocks for OpenDNS (208.67.220.220) appear to be due to the fact it is being classified as advertising." - Meraki support rep
Yep, Meraki Layer 7 firewall is blocking OpenDNS traffic as "advertising". In case the irony is lost on anyone, Cisco owns both OpenDNS and Meraki.
Left hand, meet right hand.
Can Meraki just send out a notification letting everyone know that the Layer 7 FW is completely broken and unusable? It would save everyone, including Meraki employees, lots of wasted time and frustration.
Also, can we get a prorated refund for all the days this "Advanced Security" feature that we pay extra money for isn't working? How does this sloppy work ever make it out of the lab? Seriously.
Hilarious.
Hmmm, what version of firmware are your MXs running? We have numerous customers running MXs and Umbrella but have not had this complaint. Is it the L7 Advertising rule that's breaking things?
Same here. Neither myself nor my customers seem to have that issue.
I'm also wondering if posting "fun facts" without providing any kind of context is wanting help or simply ranting.
I didn't have the courage to comment on that. I don't see how ranting here is helping at all. I have seen a couple of posts with that attitude and it has not encouraged me to do some testing on my end.
See my reply to CptnCrnch. I don't expect anyone that doesn't work for Meraki to be able to help. I'm ranting (or complaining), yes, but also warning, and hopefully shaming. Or should I just throw all my complaints in the "make-a-wish" well?
Question, as I am asking because I have many networks using OpenDNS and not finding any issue with Content Filtering. Is it possible you can provide an example of your setup? In other words, can you clarify as to how you are finding L7 rules blocking OpenDNS if not through content filtering?
l7_firewall, not content filtering...
syslog...
May 11 11:13:08 72.198.16.239-1 logger <134>1 1652285588.003245509 appliance l7_firewall src=192.168.40.37 dst=208.67.222.222 protocol=udp sport=53082 dport=53 decision=blocked
Meraki Support Engineer...
"The Layer 7 blocks for OpenDNS (208.67.220.220) appear to be due to the fact it is being classified as advertising. Unfortunately, the workaround for misidentified traffic is to remove the corresponding rule which you have done. Alternatively, Meraki Support can roll the network back to 15.44 which uses a different method for identifying traffic."
Clearly, I'm ranting. I'm not sure what more context you would need, but there is no help anyone that doesn't work in Meraki engineering can provide. Support already provided some work-arounds (not to be confused with a solution). Roll-back firmware or disable the rule. BTW, I'm on a "Stable" release.
Some might also refer to it as a "customer complaint"....you know...since this really, really expensive product simply stopped working as advertised. I now suspect it's due to a botched rollout of NBAR in version 16.x of the firmware. So, basically poor quality control, testing, etc. Someone was just so excited to roll it out, they didn't bother to test it properly, I guess.
I'm also warning any would-be customers that are smart enough to read forum posts before a purchase. The Layer 7 firewall does not work as advertised and is clearly broken.
I'm also, hopefully, shaming someone at Meraki, but those are high hopes, I realize.
Yes, it's the L7 Advertising rule classifying OpenDNS as "Advertising". I'm not using Umbrella.
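The l7_firewall syslog line quoted above is the only evidence an admin gets that a misclassified L7 rule is eating DNS. The following is an added example, not code from the thread or from Meraki: a small parser for that syslog format, run over constructed sample lines modelled on the one posted, that flags blocked traffic to port 53 towards the resolver addresses mentioned in the thread (208.67.222.222, 208.67.220.220, 8.8.8.8) and groups the affected clients per resolver. The field layout is inferred from the single quoted line, and the resolver set and the non-l7_firewall sample line are assumptions.

```python
import re

# Constructed sample syslog, modelled on the single l7_firewall line quoted in the thread.
# The first two lines are blocked DNS to public resolvers, the third is an unrelated L7 block,
# and the fourth is a non-l7_firewall message (its format is an assumption) that the parser skips.
SAMPLE_LOG = """\
May 11 11:13:08 72.198.16.239-1 logger <134>1 1652285588.003245509 appliance l7_firewall src=192.168.40.37 dst=208.67.222.222 protocol=udp sport=53082 dport=53 decision=blocked
May 11 11:13:09 72.198.16.239-1 logger <134>1 1652285589.100000000 appliance l7_firewall src=192.168.40.51 dst=8.8.8.8 protocol=udp sport=41000 dport=53 decision=blocked
May 11 11:13:10 72.198.16.239-1 logger <134>1 1652285590.200000000 appliance l7_firewall src=192.168.40.37 dst=203.0.113.10 protocol=tcp sport=50000 dport=443 decision=blocked
May 11 11:13:11 72.198.16.239-1 logger <134>1 1652285591.300000000 appliance events type=constructed_example
"""

# Resolver addresses named in the thread (OpenDNS and Google DNS); extend with your own resolvers.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220", "8.8.8.8"}

# Layout inferred from the quoted line: syslog timestamp, reporter, "logger <pri>1", epoch,
# device role, the literal "l7_firewall", then space-separated key=value pairs.
L7_RE = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<reporter>\S+) logger <\d+>1 "
    r"(?P<epoch>\d+\.\d+) (?P<device>\S+) l7_firewall (?P<kv>.*)$"
)


def parse_l7_line(line):
    """Return a dict for an l7_firewall syslog line, or None for anything else."""
    m = L7_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    rec = {"epoch": float(m.group("epoch")), "device": m.group("device")}
    rec.update(fields)
    # Ports come in as strings; normalise the ones we compare on.
    for key in ("sport", "dport"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def find_blocked_dns(lines, resolvers=KNOWN_RESOLVERS):
    """Keep only L7 blocks of DNS (dport 53) headed to a known resolver."""
    hits = []
    for line in lines:
        rec = parse_l7_line(line)
        if rec is None:
            continue
        if rec.get("decision") == "blocked" and rec.get("dport") == 53 and rec.get("dst") in resolvers:
            hits.append(rec)
    return hits


def summarize(hits):
    """Map each affected resolver to the sorted list of client IPs whose DNS was blocked."""
    per_resolver = {}
    for h in hits:
        per_resolver.setdefault(h["dst"], set()).add(h["src"])
    return {dst: sorted(srcs) for dst, srcs in per_resolver.items()}


if __name__ == "__main__":
    blocked = find_blocked_dns(SAMPLE_LOG.splitlines())
    for dst, clients in summarize(blocked).items():
        print(f"L7 firewall is blocking DNS to {dst} from: {', '.join(clients)}")
```

Pointing the script at a real syslog export (one line per record) gives a quick answer to the question raised earlier in the thread, namely whether it is the L7 rule rather than content filtering that is dropping resolver traffic: any non-empty summary means an L7 rule, not a content-filtering category, made the block decision.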
L7 has broken a lot of stuff; it blocks 8.8.8.8 but the category is blank. I have a ticket open but no time frame for resolution for the L7 NBAR issues; the reason is it's managed by Cisco and not Meraki.
@HealthPrime wrote: L7 has broken a lot of stuff; it blocks 8.8.8.8 but the category is blank. I have a ticket open but no time frame for resolution for the L7 NBAR issues; the reason is it's managed by Cisco and not Meraki.
Cisco owns Meraki, but this will never be an acceptable excuse, regardless. I'm on "stable" firmware. It should be "stable"...meaning it doesn't break things that used to work.
Context...
Sorry to hear that! I really wish Meraki would fix their L7/NBAR and add a stinkin' allow list. It's laughably inaccurate with the categories for just about any of them.
@CraigCummings please try 17.7, it states that there are NBAR categorisation improvements.
Thanks for the tip.
However, every time Meraki breaks something on the Stable channel, I'm told to upgrade to the Stable Release Channel or Beta channel for a fix. Does anyone else see a problem with this?
I do realize that there are few options other than downgrade or upgrade or workaround, but please stop breaking "Stable". That's what the other release channels are for.