Switch SNMPv3 settings changed to AES128 without warning

Solved
MikeHunt
Here to help

One of my sites' SNMPv3 reporting went offline earlier tonight.

The site's Network-Wide > Configure > General > SNMP section had a new Privacy Mode = AES128 dropdown.

Of course our monitoring software is still configured for the previous DES setting.

It's easy enough to 'update' our Network Monitor to AES too, which is definitely the preferred option - but seriously WTF was this changed to begin with? This wasn't a change we triggered, nor did I receive any advice about this. This caused mass panic & confusion as to why we suddenly started losing SNMP polling progressively across all Meraki switches on the site.

To possibly make matters worse - some of my other sites also have this new AES128 dropdown - yet are still polling fine on the existing DES settings. WTF is going on with the change control process here?


35 Replies
alemabrahao
Kind of a big deal

It's a complicated situation and I'm sorry for you, but it would be a good idea for you to contact Meraki support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
matts3
Here to help

Yes! I just noticed this too, all of our devices just dropped off from SNMP monitoring and I couldn't work out why. Thank you for sharing this.

It's worth noting that if you have mixed networks, i.e. both switching and wireless, that dropdown doesn't even show up!

Annoyingly, this change hasn't hit all of our networks yet, just the one or two :S

Thanks Meraki for making silent changes....

elves
Here to help

Having the same issue now; random devices are having communication issues on PRTG and others don't.

RossFawcett
Here to help

Can confirm we are seeing the same issue here, switches all started dropping off randomly, swapping to AES restores them, but have some still working with DES or AES. And as others have noted, in combined networks we don't even see the option to select AES.

 

We have a case open with Meraki now.

MikeHunt
Here to help

Further to this original incident, two more of my sites had some of their switches also suffer the same fate.

I can also confirm the 'combined network' sites do not show the DES/AES selection. HOWEVER, upon pressing 'save' on that config page - it then changes all the site's switches to use AES! 😲

So I've now re-saved all my sites to force them to AES - which let's be honest, should've been the default setting all along for a switch at this price point.


matts3
Here to help

Agreed, I raised a case with them a while back complaining about the lack of AES on switches, perhaps they've actually implemented my feature request without telling anyone 😄

 

Though, the ones I 'fixed' yesterday by changing to AES are now only working on DES.... come on Meraki/Cisco, what's going on!

I've also noticed our 802.1X on switches has broken as well (ticket raised), so god knows what else they've silently changed too!

matts3
Here to help

Whilst writing my previous response, even more switches have gone back to DES........ 😐 - Mind blown!

MikeHunt
Here to help

AND the same thing is happening for me too for the same site that dropped about this time yesterday.

 

Back to DES now


AND now SNMP uptimes have been reset too - yet my network monitoring didn't show a network drop at all? In fact I saw nothing go offline. But this is royally screwing my metrics and reporting!!!

matts3
Here to help

Support have told me this:

"To clarify why you witnessed a change between AES and DES is due to a backend maintenance change was introduced which caused this issue, which caused your organisation configuration which was set to AES to override your network settings which was set to DES. It was reverted back which is why it went from AES back to DES. I understand this can be quite confusing so I hope my explanation above has addressed your concerns."

I've asked them to give me AES back, on all my sites haha.

RossFawcett
Here to help

We didn't even get that:
Greetings,

Thank you for reaching out to Cisco Meraki Technical Support.

You may be encountering an ongoing known issue affecting SNMPv3 which is under active investigation internally.

As part of testing, please change the Organization > Settings >  SNMP privacy mode to DES and verify if SNMP begins responding as normal once again.

Please let me know if you have any questions.



By this point we'd already gone in, hit save on all the networks and moved over to AES. Come today, now the same switches which were fixed by moving to AES, are a mixed bag if they work on DES or AES now... Tried the classic, turn it off and on for SNMP, re-save the settings at the network and org level, and still have some devices that are not functional on AES yet are configured to use AES..

 

What a mess.

RossFawcett
Here to help

We have now ended up down the same path. We'd get rolling SNMP down alerts from devices that were working fine for a bit on AES, then would suddenly stop, you'd test them and they were working on DES again. It's almost like there is something competing to update the configuration, causing it to flip back and forth between AES and DES. DES so far seems to be more stable, but only time will tell.

GiacomoS
Meraki Employee All-Star

Hey folks,

We are looking into it right now with our development teams.

Please bear with us; if you don't have a case open, can I please ask you to raise one, so we can keep you apprised of the updates?

Many thanks!

Giac

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
GiacomoS
Meraki Employee All-Star

Hey Community,

 

I believe this should be resolved now. If you are still seeing more impact, please do let us know via the Support case so we can continue investigating.

 

Many thanks!

Giac

RossFawcett
Here to help

It was still broken/inconsistent as of a few minutes ago prior to us rolling everything back to DES. When exactly was the fix rolled out?

RossFawcett
Here to help

I can with confidence say it is not resolved. Swapping back to AES, immediately same problems.

 

Network and org are all set to AES, switch config reports up to date, but 8 out of the 13 switches in that location do not respond on AES and only work on DES..

matts3
Here to help

What do you mean by resolved.... What have you "resolved" exactly?

 

Have you turned AES back on for us?

 

Ideally, it would be nice to be able to pick between DES and AES for the switches and the access points... 

 

At the moment, I'm still seeing everything on DES.

GiacomoS
Meraki Employee All-Star

Hey folks, 
My understanding is that where there was a conflict between the org settings and the local settings, the local conflict got overwritten. The configuration should have restored to whatever you have set up on Dashboard.

 

That is the part that was resolved; you'll still need to ensure that the encryption is aligned between the Dashboard configuration and the SNMP server. 

 

I'm not quite sure about the AES availability at the moment, as that was somewhat beyond the scope of the bug that was identified. 

 

Again, if you are seeing any other bizarre behaviour, please ensure you relay it to our Support engineers, so we can have a proper look. 

 

Many thanks!

Giac

matts3
Here to help

Thanks Giac,

 

What I find confusing is that in the Org settings, you can enable SNMPv3 and provide credentials, and set an encryption layer, but this bears no relevance to the network-wide configurations, where we can't even select what type of encryption we want...

 

I appreciate you reaching out to us via the forum.

GiacomoS
Meraki Employee All-Star

Hey @matts3,

 

Yeah I think that was the root of the problem 😅 The org wide settings should not have had any bearing, and that was the unexpected behaviour we should have squashed. 

 

Thank you for your patience with this!

Giac

matts3
Here to help

Okay great, so when can we get AES back on our switches for SNMP encryption, because well... AES has been around since 2001, and should be the industry standard.

 

As we've seen AES can be deployed to the switches for SNMP, why can't we use it??

MikeHunt
Here to help

I've just had another 6 switches drop from AES auth now too.

helpdeskdan
Conversationalist

Opened a case yesterday, no response as of yet. I resorted to writing some Python code that queries SNMP via DES and AES and updates SQL in LibreNMS accordingly.

 

I did not see the org settings for SNMP somehow changed to AES.  I'll set that to DES and see if this stops the random changes. Thanks.
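The approach helpdeskdan describes (try each SNMPv3 privacy protocol against every switch and correct the monitoring side to match) can be written as a small drift checker. The code below is an added example, not helpdeskdan's script and not Meraki or LibreNMS code. It assumes the monitor's configured privacy mode per device is known, and that a probe callable answers whether an SNMPv3 GET with a given privacy protocol succeeds; the device table and monitor config are constructed so the logic runs offline, and the pysnmp-based probe at the bottom assumes the pysnmp 4.x synchronous hlapi (newer pysnmp releases expose an asyncio API with different names). The script changes only the monitor's view, never the device, so it is compatible with the advice in this thread to keep devices on DES; the protocol preference order just decides which answer to record when a device in flux responds to both.

```python
"""Probe SNMPv3 switches with each privacy protocol and report monitor drift.

Added example, not the thread author's script nor Meraki/LibreNMS code.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Check the stronger protocol first so a device that answers on both is
# never recorded as DES merely because DES happened to be tried first.
PRIV_PREFERENCE = ("AES128", "DES")

Probe = Callable[[str, str], bool]  # (host, priv_protocol) -> reachable


@dataclass
class DriftReport:
    working: Dict[str, str]      # host -> privacy protocol that answered
    updates: Dict[str, str]      # host -> protocol the monitor must switch to
    unreachable: List[str]       # hosts answering on neither protocol


def detect_priv(host: str, probe: Probe) -> Optional[str]:
    """Return the first privacy protocol (in preference order) the host answers on."""
    for priv in PRIV_PREFERENCE:
        if probe(host, priv):
            return priv
    return None


def reconcile(monitor_cfg: Dict[str, str], probe: Probe) -> DriftReport:
    """Compare the monitor's configured privacy mode with what each device
    actually speaks right now, and list the monitor entries needing an update."""
    working: Dict[str, str] = {}
    updates: Dict[str, str] = {}
    unreachable: List[str] = []
    for host, configured in monitor_cfg.items():
        actual = detect_priv(host, probe)
        if actual is None:
            unreachable.append(host)
            continue
        working[host] = actual
        if actual != configured:
            updates[host] = actual
    return DriftReport(working, updates, unreachable)


# Constructed sample: what one site looked like mid-incident (hostnames are made up).
SIMULATED_DEVICES = {
    "sw-core-01": {"AES128"},           # silently moved to AES
    "sw-access-02": {"DES"},            # still on DES
    "sw-access-03": {"DES", "AES128"},  # answers both while its config is in flux
    "sw-access-04": set(),              # not answering at all
}

# Constructed: what the monitor (LibreNMS/PRTG) still has for each device.
MONITOR_CONFIG = {
    "sw-core-01": "DES",
    "sw-access-02": "DES",
    "sw-access-03": "DES",
    "sw-access-04": "DES",
}


def simulated_probe(host: str, priv: str) -> bool:
    """Offline stand-in for a real SNMP GET against the constructed device table."""
    return priv in SIMULATED_DEVICES.get(host, set())


def pysnmp_probe_factory(user: str, auth_key: str, priv_key: str) -> Probe:
    """Real probe (assumed: pysnmp 4.x sync hlapi installed): SHA auth, one
    sysName GET per (host, protocol) with a 2 s timeout and one retry."""
    def probe(host: str, priv: str) -> bool:
        from pysnmp.hlapi import (SnmpEngine, UsmUserData, UdpTransportTarget,
                                  ContextData, ObjectType, ObjectIdentity, getCmd,
                                  usmHMACSHAAuthProtocol, usmAesCfb128Protocol,
                                  usmDESPrivProtocol)
        proto = usmAesCfb128Protocol if priv == "AES128" else usmDESPrivProtocol
        err_ind, err_status, _, _ = next(getCmd(
            SnmpEngine(),
            UsmUserData(user, auth_key, priv_key,
                        authProtocol=usmHMACSHAAuthProtocol, privProtocol=proto),
            UdpTransportTarget((host, 161), timeout=2, retries=1),
            ContextData(),
            ObjectType(ObjectIdentity("1.3.6.1.2.1.1.5.0"))))  # sysName.0
        return not err_ind and not err_status
    return probe


if __name__ == "__main__":
    report = reconcile(MONITOR_CONFIG, simulated_probe)
    for host, priv in report.updates.items():
        print(f"UPDATE {host}: monitor has {MONITOR_CONFIG[host]}, device answers on {priv}")
    for host in report.unreachable:
        print(f"DOWN   {host}: no SNMPv3 response with AES128 or DES")
```

Run against the constructed data it flags sw-core-01 and sw-access-03 as needing the monitor moved to AES128, leaves sw-access-02 alone, and lists sw-access-04 as down rather than as a protocol mismatch; a real run swaps `simulated_probe` for `pysnmp_probe_factory(...)` and feeds `updates` into whatever updates the monitor's device records.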

StevenBeasley
Conversationalist

Way to go!

Great job.

rc0123738
Conversationalist

I am quite hesitant to make a change. PRTG is listed as DES, and Meraki is listed as AES128, and yet all is well. This does not make sense, but I will wait and see what happens. 

Fabian-Out
Comes here often

I opened a case as well with Meraki support and was told no backend changes were made (unannounced or otherwise) but I'm still experiencing these issues.  Luckily I was able to reference this conversation with support.  Let's see if they admit some backend changes.

helpdeskdan
Conversationalist

In my org settings, I noticed a new setting for aes/des.  I'm rather certain I never set aes.  I set it back to des to match my networks.  Most, if not all, of the few random switches that had mysteriously jumped to aes now reverted back to des.  (Anticipated this, I just re-ran some python to fix my monitoring)

 

TAC told me:
This issue should have been resolved since yesterday.

 

(My answer: Ah, no....)

RossFawcett
Here to help

Yeah, it was most definitely not resolved yesterday, and I'm hesitant to burn more time again today with it working on DES. Our response from Meraki support was a bit average, it didn't address the core issue that even when it's set to AES, it's not actually applying to everything. Have requested an update this morning to see if they can advise if it really is resolved now before I spend more time testing AES.

GiacomoS
Meraki Employee All-Star

@RossFawcett ,

 

Could you drop me a DM with the case number please? I'd like to review what happened and hopefully get some improvements in. 

 

 

For everyone else, if you are still seeing devices dropping out of monitoring and some inconsistencies on the configuration, it may just be delays in the configuration updating. If the device has not had an opportunity to fetch the config, it would continue to run on the previous until a change occurs. I'm speculating that this may potentially be the cause of more reports popping up. 

 

Many thanks!

Giac

rc0123738
Conversationalist

Hello @GiacomoS , 

 

In terms of AES128 availability - should this option exist? I am still seeing it in my organization's configuration: 

[screenshot: organization configuration showing the AES128 privacy mode option]

All is working at the moment, but I am hesitant to change it back to DES - despite the monitoring system in use being set to DES. 

 

Cheers

RossFawcett
Here to help

I've sent you a DM with the case ID, support seem to be going off on a tangent now.

 

Can we get some clarification on what exactly "should" work now?

 

At the org level we can now enable AES, now my understanding was the org level was for when querying the snmp.meraki.com? However, from what has been posted, this AES setting was incorrectly being applied to the network level?

 

Now the next issue, at the network level, the AES options only show up when you have a switch only network, it does not show up for combined networks. Is this expected? Or is this yet another bug?

 

As the network level AES setting only showing up for non-combined networks would also be contributing to what we are seeing, as really that means only two out of the 10 or so networks for this customer will ever work with AES at this stage. The rest will only be DES?

 

TL;DR:

  1. Org level AES was applying to network level
  2. AES settings only show up for non-combined networks
  3. Not clear whether AES is available for combined networks (does org level set this or is this DES only?)
GiacomoS
Meraki Employee All-Star

Hey Community,

 

Thank you again for your patience here. 

I've managed to get to the bottom of it with the help of some internal teams. 

 

At this stage, only DES is supported, as per previous configuration.

AES is in development and was added into Dashboard before the intended release, which is due at some point soon. Once the feature is fully implemented and ready, you'll be able to select it directly from Dashboard for both standalone and combined networks. 

 

For now, please stick with DES, which is the sole mode this should be operating in at this point. 

 

Apologies for all the chaos that this has caused, I've run the feedback up the chain.

 

Giac

rc0123738
Conversationalist

Thanks for the follow up! Much appreciated. 

CarolineS
Community Manager

Marking Giac's reply as the solution to this thread, for greater visibility!

Caroline S | Community Manager, Cisco Meraki
MikeHunt
Here to help

Honestly, this whole experience has not been confidence inspiring in terms of Meraki's QA & change control systems which then impacts our gear even when we've not made any changes ourselves.

I've got over $500K USD of this gear in production so far & I'm seriously considering dumping Meraki for future sites/upgrades.


helpdeskdan
Conversationalist

It is a staggering realization when you discover other people can and, in fact, did set wrong settings on what are supposed to be "your" switches.
