MS cannot register to the Cloud

Solved
Johnfnadez
Building a reputation

MS cannot register to the Cloud

Hi,

 

I been having some issues to connect some MSs to the cloud. Yesterday I tried to connect the MS in a remote branch and It is not registering.

 

We have a lot of Meraki Devices (hundreds) that pass through a PAN Firewall. There, we have all the rules that I need to use Meraki without issues.

 

I been performing some tests like:

 

Put static vlan and IP in the local page.

Packet captures in the MX concetrator. An I´m seeing bidirectional comunication between my MS and the Meraki Cloud. But I am not seeing my device UP.

 

 

Regards

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
1 Accepted Solution
Johnfnadez
Building a reputation

Hi @PhilipDAth 

 

I been working with Meraki Support and We can confirm tht there`s two-way traffic and that we have all the Firewall Rules in my upstream firewall. But when we started to deploy meraki branches (1 year ago till now) I have been registering MR,MX and MX in each brach without problems.

 

But we are a Financial Institution and we have to be aware about our firewall rules. And we deployed more than 100 branches with the NTP bloking in our Upstream Firewall. But now this is the issue bc MS cannot connect to the principal cluster in USA. So it tries to establish the M-Tunnel against the secondary cluster and to acompplish this M-tunnel needs NTP and It`s the port that we have deny in our firewall....

The issue now is that we cannot perform a rule to permit NTP with any any entries bc We are a bank. So we will try to modify our DNS entries to simulate a DNS Poisoning to resolve an internal NTP to the domain that MS tries to resolve the URL that uses to get NTP services....

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA

View solution in original post

8 Replies 8
rhbirkelund
Kind of a big deal
Kind of a big deal

How long have you been allowing it to come online? If it's fresh out of the box, it could be performing initial firmware upgrade.
Also sometimes you might need to refresh the dashbord page (Press F5 or Ctrl+R), before you can see it online.
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Johnfnadez
Building a reputation

Yes actually I have been trying for hours.

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
GIdenJoe
Kind of a big deal
Kind of a big deal

From your end you could try a factory reset with the pin in hole solution for 20 seconds.  Sometimes that retries the whole process that could have been stuck.

If that doesn't work then you'll need to open a case and the Meraki support agent will change some backend parameters and the switches will magically work 🙂

PhilipDAth
Kind of a big deal
Kind of a big deal

I've had this incredibly frustrating experience as well.  I've had times where it seems to take a couple of hours to come online.  And when you are the one onsite trying to bring everything up - stressful.

 

The initial firmware upgrade is difficult to cope with as an IT person.  So often I have seen engineers who are on site say it isn't working and power cycle/factory reset the MS - when in fact it was part way through the firmware upgrade process - and the result of their actions is that the whole process starts again - which to them re-affirms there is a problem.

 

These days before we deploy an MS we plug it in at our office at least 24 hours before we deploy it in the field.  And we leave it there.  No one touches it.  If you aren't watching or waiting for it then no one is tempted to restart or mess with it.

 

 

If you can see two-way communication between the MS and the cloud and nothing is being blocked on the MX - try leaving it for a day.  Make sure you can see successful DNS traffic, and that the two-way communication is actually exchanging data (and not just SYN packets and the like),

If you have already done a factory reset - raise a support ticket.

Adam-Baxter
Here to help

As you  know anything cloud based , we have always provide 24-48 hrs of up time in office workbench to make certain it is seen in the cloud for management in cloud and customer profiling.  Being an MSP, Assuring nothing is bricked needing a ticket created and is provisioned correctly to suite.

QLSteve
Getting noticed

Great advice on letting devices 'sit' a day before assuming something is wrong and making it worse.

Johnfnadez
Building a reputation

Hi @PhilipDAth 

 

I been working with Meraki Support and We can confirm tht there`s two-way traffic and that we have all the Firewall Rules in my upstream firewall. But when we started to deploy meraki branches (1 year ago till now) I have been registering MR,MX and MX in each brach without problems.

 

But we are a Financial Institution and we have to be aware about our firewall rules. And we deployed more than 100 branches with the NTP bloking in our Upstream Firewall. But now this is the issue bc MS cannot connect to the principal cluster in USA. So it tries to establish the M-Tunnel against the secondary cluster and to acompplish this M-tunnel needs NTP and It`s the port that we have deny in our firewall....

The issue now is that we cannot perform a rule to permit NTP with any any entries bc We are a bank. So we will try to modify our DNS entries to simulate a DNS Poisoning to resolve an internal NTP to the domain that MS tries to resolve the URL that uses to get NTP services....

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
JamesFlorance
Here to help

Are you using an SFP?

Get notified when there are additional replies to this discussion.