Hi,
I have been having some issues connecting some MSs to the cloud. Yesterday I tried to connect the MS in a remote branch and it is not registering.
We have a lot of Meraki Devices (hundreds) that pass through a PAN Firewall. There, we have all the rules that I need to use Meraki without issues.
I have been performing some tests like:
Put static vlan and IP in the local page.
Packet captures in the MX concentrator. And I'm seeing bidirectional communication between my MS and the Meraki Cloud. But I am not seeing my device UP.
Regards
Hi @PhilipDAth
I have been working with Meraki Support and we can confirm that there's two-way traffic and that we have all the firewall rules in my upstream firewall. But since we started to deploy Meraki branches (1 year ago till now) I have been registering MR, MX and MX in each branch without problems.
But we are a financial institution and we have to be careful about our firewall rules. And we deployed more than 100 branches with NTP blocked in our upstream firewall. But now this is the issue because the MS cannot connect to the principal cluster in the USA. So it tries to establish the M-Tunnel against the secondary cluster, and to accomplish this the M-Tunnel needs NTP, and it's the port that we have denied in our firewall...
The issue now is that we cannot create a rule to permit NTP with any/any entries because we are a bank. So we will try to modify our DNS entries, simulating DNS poisoning, so that the domain the MS resolves to get NTP services points to an internal NTP server...
Yes actually I have been trying for hours.
From your end you could try a factory reset with the pin-in-hole method for 20 seconds. Sometimes that retries the whole process, which could have been stuck.
If that doesn't work then you'll need to open a case and the Meraki support agent will change some backend parameters and the switches will magically work 🙂
I've had this incredibly frustrating experience as well. I've had times where it seems to take a couple of hours to come online. And when you are the one onsite trying to bring everything up - stressful.
The initial firmware upgrade is difficult to cope with as an IT person. So often I have seen engineers who are on site say it isn't working and power cycle/factory reset the MS - when in fact it was part way through the firmware upgrade process - and the result of their actions is that the whole process starts again - which to them re-affirms there is a problem.
These days before we deploy an MS we plug it in at our office at least 24 hours before we deploy it in the field. And we leave it there. No one touches it. If you aren't watching or waiting for it then no one is tempted to restart or mess with it.
If you can see two-way communication between the MS and the cloud and nothing is being blocked on the MX - try leaving it for a day. Make sure you can see successful DNS traffic, and that the two-way communication is actually exchanging data (and not just SYN packets and the like).
If you have already done a factory reset - raise a support ticket.
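A way to check the advice above against a capture: whether the "two-way" traffic really exchanges data or is only SYNs, and which required service is silently dropped (the NTP block turned out to be the cause in this thread). This is an added example, not code from the thread or from Meraki; the packet records, the 10.x/203.0.113.x addresses and the assumption that the cloud connection is HTTPS on TCP/443 are constructed.

```python
from collections import defaultdict
# Constructed packet records standing in for a capture taken on the MX
# concentrator (not a real capture). Fields: (src, sport, dst, dport, proto, tcp_flags, payload_bytes).
MS_IP = "10.20.30.40"  # hypothetical management IP of the branch MS
SAMPLE_PACKETS = [
    (MS_IP, 51000, "10.0.0.53", 53, "udp", "", 45),          # DNS query...
    ("10.0.0.53", 53, MS_IP, 51000, "udp", "", 61),          # ...and its answer
    (MS_IP, 52000, "203.0.113.10", 443, "tcp", "S", 0),      # cloud HTTPS: SYN
    ("203.0.113.10", 443, MS_IP, 52000, "tcp", "SA", 0),     # SYN/ACK
    (MS_IP, 52000, "203.0.113.10", 443, "tcp", "PA", 517),   # TLS data out
    ("203.0.113.10", 443, MS_IP, 52000, "tcp", "PA", 1460),  # TLS data back
    (MS_IP, 53000, "203.0.113.20", 443, "tcp", "S", 0),      # SYN, never answered
    (MS_IP, 53000, "203.0.113.20", 443, "tcp", "S", 0),      # SYN retransmit
    (MS_IP, 123, "203.0.113.30", 123, "udp", "", 48),        # NTP request, no reply
]
# Services the switch needs; 443 for the cloud is an assumption of this example.
REQUIRED = {"dns": (53, "udp"), "ntp": (123, "udp"), "cloud_https": (443, "tcp")}

def classify_flows(packets, client_ip):
    """Group packets into flows started by client_ip, keyed (client_port, server_ip, server_port, proto)."""
    flows = defaultdict(lambda: {"flags_in": set(), "bytes_in": 0, "bytes_out": 0})
    for src, sport, dst, dport, proto, flags, plen in packets:
        if src == client_ip:
            flows[(sport, dst, dport, proto)]["bytes_out"] += plen
        elif dst == client_ip:
            f = flows[(dport, src, sport, proto)]
            f["flags_in"].update(flags)   # flags seen from the server side
            f["bytes_in"] += plen
    verdicts = {}
    for key, f in flows.items():
        if key[3] == "tcp":
            if "S" not in f["flags_in"]:              # no SYN/ACK ever came back
                verdicts[key] = "syn_only"
            elif not (f["bytes_in"] and f["bytes_out"]):
                verdicts[key] = "handshake_only"      # connected, but no payload
            else:
                verdicts[key] = "data_exchanged"
        else:
            verdicts[key] = "answered" if f["bytes_in"] else "unanswered"
    return verdicts

def service_health(verdicts):
    """Per required service: ok, blocked (tried, nothing came back) or no_traffic."""
    good = {"answered", "data_exchanged"}
    health = {}
    for name, (port, proto) in REQUIRED.items():
        seen = [v for (_, _, dport, p), v in verdicts.items() if (dport, p) == (port, proto)]
        health[name] = "ok" if good & set(seen) else ("blocked" if seen else "no_traffic")
    return health
```

Run `service_health(classify_flows(SAMPLE_PACKETS, MS_IP))` to get a per-service verdict; on a real capture, feed it the same tuples exported from your analyzer.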
As you know, with anything cloud based, we have always provided 24-48 hrs of uptime on the office workbench to make certain it is seen in the cloud for management and customer profiling. Being an MSP, that assures nothing is bricked needing a ticket created, and that it is provisioned correctly to suit.
Great advice on letting devices 'sit' a day before assuming something is wrong and making it worse.
Are you using an SFP?