Yet Another Fun Fact (YAFF?) - The Layer 7 blocks OpenDNS (208.67.220.220) as "Advertising"

CraigCummings
Getting noticed

Yet Another Fun Fact

"The Layer 7 blocks for OpenDNS (208.67.220.220) appear to be due to the fact it is being classified as advertising." - Meraki support rep

Yep, Meraki Layer 7 firewall is blocking OpenDNS traffic as "advertising".  In case the irony is lost on anyone, Cisco owns both OpenDNS and Meraki. 

Left hand, meet right hand. 

Can Meraki just send out a notification letting everyone know that the Layer 7 FW is completely broken and unusable?  It would save everyone, including Meraki employees, lots of wasted time and frustration.

Also, can we get a prorated refund for all the days this "Advanced Security" feature that we pay extra money for isn't working?   How does this sloppy work ever make it out of the lab?  Seriously. 

PhilipDAth
Kind of a big deal

Hilarious.

DarrenOC
Kind of a big deal

Hmmm, what version of firmware are your MX’s running?  We have numerous customers running mxs and Umbrella but not had this complaint?  Is it the L7 Advertising rule that’s breaking things?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
CptnCrnch
Kind of a big deal

Same here. Neither myself nor my customers seem to have that issue.

I'm also wondering if posting "fun facts" without providing any kind of context is wanting help or simply ranting.

RaphaelL
Kind of a big deal

I didn't have the courage to comment on that. I don't see how ranting here is helping at all. I have seen a couple of posts with that attitude and it has not encouraged me to do some testing on my end.

See my reply to CptnCrnch.  I don't expect anyone that doesn't work for Meraki to be able to help.  I'm ranting (or complaining), yes, but also warning, and hopefully shaming.  Or should I just throw all my complaints in the "make-a-wish" well?

Question, as I am asking because I have many networks using OpenDNS and not finding any issue with Content Filtering. Is it possible you can provide an example of your setup?  In other words, can you clarify how you are finding L7 rules blocking OpenDNS if not through content filtering?

l7_firewall, not content filtering...

syslog...

May 11 11:13:08 72.198.16.239-1 logger <134>1 1652285588.003245509 appliance l7_firewall src=192.168.40.37 dst=208.67.222.222 protocol=udp sport=53082 dport=53 decision=blocked

Meraki Support Engineer...

"The Layer 7 blocks for OpenDNS (208.67.220.220) appear to be due to the fact it is being classified as advertising. Unfortunately, the workaround for misidentified traffic is to remove the corresponding rule which you have done. Alternatively, Meraki Support can roll the network back to 15.44 which uses a different method for identifying traffic."

Clearly, I'm ranting.  I'm not sure what more context you would need, but there is no help anyone that doesn't work in Meraki engineering can provide. Support already provided some work-arounds (not to be confused with a solution). Roll-back firmware or disable the rule. BTW, I'm on a "Stable" release.

Some might also refer to it as a "customer complaint"....you know...since this really, really expensive product simply stopped working as advertised.  I now suspect it's due to a botched rollout of NBAR in version 16.x of the firmware.  So, basically poor quality control, testing, etc. Someone was just so excited to roll it out, they didn't bother to test it properly, I guess. 

I'm also warning any would be customers that are smart enough to read forum posts before a purchase.  The Layer 7 firewall does not work as advertised and is clearly broken.

I'm also, hopefully, shaming someone at Meraki, but those are high hopes, I realize. 

Yes, it's the L7 Advertising rule classifying OpenDNS as "Advertising".  I'm not using Umbrella. 

L7 has broken a lot of stuff; it blocks 8.8.8.8 but the category is blank. I have a ticket open but no time frame for resolution for L7 NBAR issues; the reason is it's managed by Cisco and not Meraki.


@HealthPrime wrote:

L7 has broken a lot of stuff; it blocks 8.8.8.8 but the category is blank. I have a ticket open but no time frame for resolution for L7 NBAR issues; the reason is it's managed by Cisco and not Meraki.


Cisco owns Meraki, but this will never be an acceptable excuse, regardless.  I'm on "stable" firmware.  It should be "stable"...meaning it doesn't break things that used to work. 

CraigCummings
Getting noticed

Context...

Subject: RE: Cisco Meraki Case 08036081: layer 7 FW completely broken and [ ref:_00D606uBw._5006Q1pmBUt:ref ]

Hello Craig,

Thank you for reaching out to Meraki Technical Support. I have added the information from this case to an internal tracker so our engineering team is aware of this issue. The Layer 7 blocks for OpenDNS (208.67.220.220) appear to be due to the fact it is being classified as advertising. Unfortunately, the workaround for misidentified traffic is to remove the corresponding rule which you have done. Alternatively, Meraki Support can roll the network back to 15.44 which uses a different method for identifying traffic. If you would like to proceed with the rollback, it would require a call to Meraki Support during the maintenance window.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Network-Based_Applica...

Kind Regards,
Austin Conley
Network Support Engineer
.:l:.:l:. Cisco Meraki

Sorry to hear that! I really wish Meraki would fix their L7/NBAR and add a stinkin' allow list. It's laughably inaccurate with the categories for just about any of them. 

cmr
Kind of a big deal

@CraigCummings please try 17.7, it states that there are NBAR categorisation improvements.

Thanks for the tip.

However, every time Meraki breaks something on the Stable channel, I'm told to upgrade to the Stable Release Channel or Beta channel for a fix.  Does anyone else see a problem with this? 

I do realize that there are few options other than downgrade or upgrade or workaround, but please stop breaking "Stable".  That's what the other release channels are for. 
