Backup Cloud Connection not working

Solved
Rudi
Getting noticed

Hey everyone,

 

So I've deployed my MR-74s and they are working great, other than the connectivity to the Meraki Cloud Dashboard. The Dashboard hasn't updated the new status of the APs for over an hour that they've been up and running now. 

 

I have looked at my firewall, and it is blocking the port 7351 traffic (as intended!). However, the APs should resort to sending 80/443 traffic, which doesn't seem to be the case. Does anyone know if there is a way to force the APs to send their dashboard traffic via http/https? 

 

According to https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Firewall_Rules_for_Cloud_Conne... I shouldn't be required to have firewall holes. 

 

Thanks!

1 Accepted Solution
Rudi
Getting noticed

Ended up opening a ticket with support. 

 

Thank You for the reply.
If You refer to the documentation section which explains what happens in case if You might not be able to configure recommended firewall settings; this is for the backup cloud connection. Please note that backup cloud communication also requires specific IP addresses allowed on the outbound firewall rules.
Please verify information needed for outbound communication on the dashboard under Help > Firewall info.

 

Was the reply I got after a couple of back and forth e-mails. I'm not sure if the support member I got a hold of entirely understood my question. But we ended up creating some rules in the end on the firewall.

 

Thanks to everyone who offered up assistance.

5 Replies
MerakiDave
Meraki Employee

Usually it's plug and play since almost every firewall rule is going to be outbound in nature, unless there's a restrictive firewall ruleset that even blocks outbound traffic.  If outbound UDP/7351 to the Meraki data centers is blocked, that's the primary Meraki Cloud Communications mechanism, and with that blocked the devices (if they're up and running normally) should have fallen back to ports 80/443 to establish a backup cloud controller connection.

 

Was the AP previously up and running normally using the primary cloud connection and subsequently UDP/7351 was blocked?  I'd consider rebooting the AP and allowing it to proceed through its normal connectivity and health checks to see if it is in fact using the backup cloud connection.  Also run a packet capture on the wired side of the AP and look for traffic on UDP/7351 for example and see if it's matched by any return traffic, as opposed to seeing traffic on 80/443 between the AP and the destination IPs on your FW rules page. 

 

If the weirdness continues, open a ticket with Meraki Support, they'll have some lower level visibility into the pass/fail state of specific firewall tests.  Hope that helps!
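
An added example, not part of the original replies and not Meraki tooling: one way to read the wired-side capture suggested above. It parses `tcpdump -nn` text output and reports, per AP, whether UDP/7351 got return traffic and whether any 80/443 traffic appeared. The AP and destination addresses are constructed, and the capture is assumed to be already filtered to the destinations listed under Help > Firewall info.

```python
import re
from collections import defaultdict

# Matches tcpdump -nn text output: "<time> IP src.sport > dst.dport: <details>"
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)")
PRIMARY = ("udp", 7351)               # primary cloud connection, per the thread
BACKUP = {("tcp", 80), ("tcp", 443)}  # backup cloud connection, per the thread

def summarize(capture_text, ap_ips):
    """Count outbound and return packets per AP on the primary and backup ports."""
    counts = defaultdict(lambda: dict.fromkeys(
        ("primary_out", "primary_in", "backup_out", "backup_in"), 0))
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        proto = "udp" if rest.startswith("UDP") else "tcp" if rest.startswith("Flags") else None
        if src in ap_ips:      # AP -> cloud: classify by destination port
            ap, port, direction = src, int(dport), "out"
        elif dst in ap_ips:    # cloud -> AP: classify by source port
            ap, port, direction = dst, int(sport), "in"
        else:
            continue
        if (proto, port) == PRIMARY:
            counts[ap]["primary_" + direction] += 1
        elif (proto, port) in BACKUP:
            counts[ap]["backup_" + direction] += 1
    return dict(counts)

def verdict(c):
    if c["primary_out"] and c["primary_in"]:
        return "primary connection answered"
    if c["backup_out"] and c["backup_in"]:
        return "backup connection (80/443) answered"
    if c["backup_out"]:
        return "backup attempted, no return traffic"
    if c["primary_out"]:
        return "primary attempted, no return traffic, no 80/443 seen"
    return "no cloud traffic seen"

# Constructed sample capture; timestamps imply nothing about real fallback timing.
SAMPLE = """\
12:00:01.000000 IP 10.0.0.5.40000 > 192.0.2.10.7351: UDP, length 120
12:00:06.000000 IP 10.0.0.5.40000 > 192.0.2.10.7351: UDP, length 120
12:00:01.500000 IP 10.0.0.6.40001 > 192.0.2.10.7351: UDP, length 120
12:00:31.000000 IP 10.0.0.6.51000 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
12:00:31.020000 IP 198.51.100.7.443 > 10.0.0.6.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

if __name__ == "__main__":
    for ap, c in summarize(SAMPLE, {"10.0.0.5", "10.0.0.6"}).items():
        print(ap, verdict(c), c)
```
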

Rudi
Getting noticed

We do have a pretty restrictive firewall.

I'm not seeing any traffic on port 80 or 443 coming from the APs, even after a reboot. The APs are sending port 7351 traffic, but it gets blocked trying to get out of the network.

Not sure if there is a time limit that the APs eventually switch to the 80/443 or can I manually force them to use it?

Guessing I should just open a ticket 🙂
MerakiDave
Meraki Employee

Agreed, let's open a ticket to confirm and they'll have deeper visibility and can confirm the timeout period.  I believe the devices will always proceed through their "normal/preferred" method of establishing cloud connectivity.  There's no way to alter that via Dashboard or the local status/config page, so I don't believe there's a way to force it to use 80/443 by default, that's always going to be considered the backup connection.

PhilipDAth
Kind of a big deal

I think you should check the local status page on an affected access point and check what it is reporting.

 

It might be a different issue - like DNS not working properly - that just happens to have the same impact.
