Kinda stumped on this one and hoping someone can point out something obvious I'm missing. I've inherited a network setup and am relatively new to configuring Meraki devices.
The network:
We have 13 physical locations connected by a layer 2 EPL circuit, with our HQ office acting as the hub and primary WAN uplink location, as well as the physical location of our in-house application servers and domain controllers. DCs are handling DHCP and DNS. Each location has an MX device performing routing, all connected by Auto-VPN. (Firewall is not handled by the MXs; we have a separate one that's partnered with a vendor that they control performing the external network security, so all of this is inside the security perimeter.) Each MX is connected to an MS120 switch (except the HQ, which has a 250), and each switch is supporting at least one MR AP. HQ is set as a VPN hub and each site is set as a spoke. HQ is set in passthrough deployment; the spoke sites are all set as routed.
Test site specifics:
MX68, MS120, MR36. WAN is connected to MX which then connects to the MS. MR and all other devices are plugged into the MS, nothing else connects directly to the MX.
The problem:
I'm attempting to create a new SSID VLAN for each site. I've created the VLAN on the MX at my test location and set it with VLAN tagging to the new SSID. The AP's port on the MS switch is set to Trunk, default to native VLAN, and is set to allow all VLANs while I'm testing. DHCP for the VLAN is being relayed to our DC, and it is successfully passing those requests, along with DNS. However, when I connect to the SSID, it gives me no internet connection. The AP cannot ping the connected device, and when I run a traceroute from the connected device to 8.8.8.8, it fails at the first hop (timeout) or gives me Error 1232. The MX itself is able to ping the connected device. So it seems like the traffic isn't getting routed correctly either at the MS or the MR, but I can't find any appropriate settings for this. I was of the understanding that both of those devices should just be passing the info back to the MX, as neither of them can perform real layer 3 routing? Is there something else I should be looking at?
Additional: only this new VLAN isn't working. All of our default traffic and other VLANs are working fine, so it's not any issue inherent to the network. I haven't found any settings where the new VLAN is significantly different from the operating ones, so I have a feeling this is more along the lines of me neglecting to create some kind of static route or similar setting.
Check if the default gateway, subnet mask and DNS are configured correctly in the created DHCP scope.
Is the device getting a proper IP or just settling on a 169.xx.x IP?
Do you have the SSID L3 firewall Local LAN rule set to allow?
It's getting a proper IP and showing the correct local DNS server info. It's also showing on the DHCP leases for the subnet on the domain controller.
SSID L3 firewall rules are set to allow all traffic currently. Eventually I'll be looking to lock those down (including potentially L2 isolation) but I'm leaving them open until I get this sorted.
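The lease checks suggested in the reply above (right gateway, mask and DNS, and not a self-assigned 169.254 address) as a small Python script. This is an added example, not something posted in the thread; the lease values in the test are constructed and the function name `check_lease` is my own.

```python
"""Sanity-check a DHCP lease as handed to a wireless client.

Added example for this thread; the lease values used in the test run are
constructed and the helper names are not from any Meraki or Windows tool.
"""
from ipaddress import ip_address, ip_interface, ip_network

# Link-local range a Windows/macOS client falls back to when no DHCP offer arrives
APIPA = ip_network("169.254.0.0/16")


def check_lease(client_ip, prefix_len, gateway, dns_servers):
    """Return a list of problems found; an empty list means the lease looks sane."""
    problems = []
    client = ip_address(client_ip)
    if client in APIPA:
        # Nothing else is worth checking: the client never got an offer
        problems.append("client self-assigned an APIPA address; DHCP never answered")
        return problems

    subnet = ip_interface(f"{client}/{prefix_len}").network
    gw = ip_address(gateway)
    if gw not in subnet:
        problems.append(f"gateway {gw} is outside the client's subnet {subnet}")
    elif gw in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {subnet}")

    if not dns_servers:
        problems.append("no DNS servers handed out")
    for d in dns_servers:
        dns = ip_address(d)
        if dns.is_unspecified or dns in APIPA:
            problems.append(f"DNS server {dns} is not a usable address")
    return problems


if __name__ == "__main__":
    # Constructed sample: a /24 client subnet, DC-hosted DNS on another subnet
    print(check_lease("10.20.30.5", 24, "10.20.30.1", ["10.1.0.10"]))   # []
    print(check_lease("10.20.30.5", 24, "10.20.31.1", ["10.1.0.10"]))   # gateway outside subnet
    print(check_lease("169.254.33.7", 16, "0.0.0.0", []))               # APIPA
```

A DNS server on a different subnet than the client (as with a DC at HQ serving a spoke VLAN) is normal and not flagged; the check only catches values that cannot work at all.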
Have you engaged Meraki Support? With their added visibility into your network they could diagnose the issue better.
I've not as of yet. I'll give them a shot. Although I think I may have figured out the issue. Once I created a source-based default route for the VLAN on the test site's MX, pointing to our HQ's appliance, it started passing all of the traffic to our external firewall. I'm still running into issues from there, but I expect that has more to do with the external's configuration than the Meraki at this point.
Thanks a ton for the help!
You say the Internet is controlled by a separate firewall. Does that have a route for the new VLAN you have created to return the traffic?
Can you see the traffic hitting that firewall? Does that firewall say it is allowing the traffic?
That seems to be where I'm hung up currently. Unfortunately I have to submit changes to that firewall to be added to its management tool by the vendor, so I'm waiting on them to add the new routes.
When I originally opened this thread, it wasn't getting that far - the traffic was failing at the first hop - timing out or responding as host unreachable from 10.128.128.128, so it seemed to be an issue within my internal Meraki network. Setting a source-based route in VPN mode pointing to our HQ's appliance seemed to resolve this though, as traffic is now hitting that non-Meraki external firewall and stopping. So I think I'm good to go as far as the issues I was experiencing on this end.
I appreciate the help!
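The two failure points the thread ends on (no path out of the spoke for the new VLAN until a source-based route points it at the hub, then no return route for that VLAN on the external firewall) as a toy forward/return path check. This is an added example, not the poster's configuration or any Meraki feature: device names, prefixes and route tables are constructed, Auto-VPN participation is approximated as a per-source route on the spoke, and the functions `build`, `trace` and `round_trip` are my own.

```python
"""Toy forward/return path check for a hub-and-spoke WAN.

Added example for this thread; device names, prefixes and route tables are
constructed and not taken from any real Meraki configuration. Each router has
directly connected prefixes, destination routes (longest prefix wins) and
optional source-based routes that are consulted first.
"""
from ipaddress import ip_address, ip_network

INTERNET = "internet"   # sink standing in for everything beyond the firewall
LOCAL = "LOCAL"         # marker: destination is on a directly connected subnet


class Router:
    def __init__(self, name, connected, routes=(), policy_routes=()):
        self.name = name
        self.connected = [ip_network(p) for p in connected]
        self.routes = [(ip_network(p), nh) for p, nh in routes]
        self.policy_routes = [(ip_network(p), nh) for p, nh in policy_routes]

    def next_hop(self, src, dst):
        """Return LOCAL, a next-hop name, or None when nothing matches."""
        if any(dst in p for p in self.connected):
            return LOCAL
        for prefix, nh in self.policy_routes:      # source-based routes first
            if src in prefix:
                return nh
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(devices, start, src, dst, max_hops=8):
    """Walk next hops from `start`; returns (path, terminal) with terminal
    one of 'delivered', 'internet' or 'no-route'."""
    src, dst = ip_address(src), ip_address(dst)
    path, cur = [start], start
    for _ in range(max_hops):
        if cur == INTERNET:
            return path, "internet"
        nh = devices[cur].next_hop(src, dst)
        if nh == LOCAL:
            return path, "delivered"
        if nh is None:
            return path, "no-route"
        path.append(nh)
        cur = nh
    return path, "no-route"   # loop guard


def round_trip(devices, client, first_hop, server, return_entry):
    """Check both legs: client -> server, then the reply entering at `return_entry`."""
    fwd_path, fwd_term = trace(devices, first_hop, client, server)
    ret_path, ret_term = trace(devices, return_entry, server, client)
    want = "internet" if ip_address(server).is_global else "delivered"
    return {"forward": fwd_path, "forward_ok": fwd_term == want,
            "return": ret_path, "return_ok": ret_term == "delivered"}


def build(spoke_route_for_vlan30=False, fw_return_route_for_vlan30=False):
    """Constructed topology: spoke MX, HQ hub MX, external firewall. VLANs 10/20
    (10.20.10.0/24, 10.20.20.0/24) already work; VLAN 30 (10.20.30.0/24) is new."""
    spoke_policy = [("10.20.10.0/24", "hub_mx"), ("10.20.20.0/24", "hub_mx")]
    if spoke_route_for_vlan30:                      # the source-based route from the thread
        spoke_policy.append(("10.20.30.0/24", "hub_mx"))
    fw_routes = [("10.1.0.0/16", "hub_mx"), ("10.20.10.0/24", "hub_mx"),
                 ("10.20.20.0/24", "hub_mx"), ("0.0.0.0/0", INTERNET)]
    if fw_return_route_for_vlan30:                  # what the vendor still has to add
        fw_routes.append(("10.20.30.0/24", "hub_mx"))
    return {
        "spoke_mx": Router("spoke_mx",
                           ["10.20.10.0/24", "10.20.20.0/24", "10.20.30.0/24"],
                           routes=[("10.1.0.0/16", "hub_mx")],
                           policy_routes=spoke_policy),
        "hub_mx": Router("hub_mx", ["10.1.0.0/16"],
                         routes=[("10.20.0.0/16", "spoke_mx"), ("0.0.0.0/0", "ext_fw")]),
        "ext_fw": Router("ext_fw", [], routes=fw_routes),
    }


if __name__ == "__main__":
    stages = [("before", build()), ("spoke route added", build(True)),
              ("firewall return route added", build(True, True))]
    for label, devs in stages:
        r = round_trip(devs, "10.20.30.5", "spoke_mx", "8.8.8.8", "ext_fw")
        print(f"{label:28s} forward={r['forward']} ok={r['forward_ok']} "
              f"return={r['return']} ok={r['return_ok']}")
```

The "before" stage dies at the first hop, as the original post describes; adding the spoke's source-based route gets the forward leg to the firewall, but the reply is still sent back out the firewall's default route until a return route for the new VLAN exists. Checking both legs separately is the quickest way to tell which side of the firewall a change needs to land on.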