As for the MX-68 connection at the spoke location, it is plugged into a 1Gb port on the MS120 there and it is reporting 1Gbps (no SPF on MX-68):   It's only people at the spoke (and AnyConnect users but I'm just trying to tackle one problem at a time) location who are seeing the terrible file copy speeds from/to Servers at the HUB. At the HUB, everything is working fine on the LAN 400-500MB/s file copy speeds:   ^ File copy from server to client on the LAN at the HUB. I use this same server for all testing.  ... View more

Would be happy to but unfortunately I'm not exactly sure how. I know how to run Wireshark etc, but to grab the handshake...not sure when that happens. Should I start the capture then just do the usual copy and paste from Hub Server to Spoke client and let it run for a minute? Or does the handshake happen when the client comes online to the network? ... View more

No, I know....sorry, just exasperated...I do truly appreciate you all helping me out here...   No, I disabled IPv6 long ago as same as you, it seemed to be causing much more trouble than it was worth (especially since we are a small shop).  ... View more

Agree, wireshark is a great tool and one of the many we used on our Hours-long debugging session with ATT&Meraki. We used both the built-in packet capture and I already had Wireshark on the machine I was debugging with and I sent many a pcaps their way.  ... View more

Sorry, but I'm not sure I understand...are you saying the ethernet cables might be bad? At the Hub site I have the MX-95 going to one of the MS125 switches via SPF and it is reporting 10G:   (this is the LAN side) ... View more

Thanks but I have tried every feasible MTU setting possible from 1 to 65500 including verifying what the MTU should be for the networks by pinging with various sizes until getting the "correct" number by subtracting from ping -l 1500 until getting response.  ... View more

Thanks for the reply, but I have tried every single suggestion I could find on the internet (I have literally been trying to solve this issue for 11 months now) including all kinds of different MTU's, changing many registry settings (including disabling throttling which is mentioned in the Microsoft "slow SMB" article (along with the rest of the suggestions in there) among many others.    I don't understand why people don't believe me, but I swear to Woz I have tried everything I could find via many, many google, stack exchange, reddit, posts and searches.  ... View more

Yes, good point indeed that the iperf traffic lends to it not just being SMB. I have the highest tier available with Meraki/Umbrella through ATT hoping it would make my life easier. I remember seeing the Thousand eyes advert when we first started, but I no longer see it anywhere. Does that require installing a client on all of the machines on the LAN? I really wish there was some sort of tool that would isolate what the issue is; on the LAN, everything works fine, it is just when the data has to travel the 400+ miles to the spoke where the speeds become untenable. All network and speed/resource monitoring show very little use so it's not like things are clogged up with traffic...I don't understand it at all.  ... View more

Interestingly, I went down on Friday and hooked up the MPLS connection. Guess what? Exact same speeds...Currently looking for a very tall bridge nearby (to throw equipment off of of course). I don't understand because the ESXi hosts are all very powerful and each server has 32GB RAM and 10G connection; resource monitors hardly show any usage on the servers and it is a small shop; 10 people on the LAN, 7-8 people on the Spoke (which is 400 miles away). Monitoring the network usage shows very little usage so it's not like connections are saturated; again small setup so not a lot of traffic, and it is only ever the traffic going to the spoke that has the issue (well, and AnyConnect VPN users see the same slow speeds). On the LAN, speeds are fast as expected and there are no issues at all...   Thanks again for the reply.. ... View more

Thanks for the reply. Interesting thought on Thousand eyes trial. I think you are right, though, the issue is somewhere else. I went down to the spoke location on Friday and turned on the MPLS connection. Guess what? I get the exact same SMB file copy speeds as I was getting over the SD-Wan connection (!). This is really blowing my mind...The Windows servers are running on Very powerful blade severs with 32GB RAM 8 core 2 socket Intel(R) Xeon(R) Silver 4215R CPU @ 3.20GHz 10GB ethernet connection plugged in to a 40GB MS425 which has a network health score of 100%.  What blows my mind even more is that file copy speeds etc. are all normal/as expected on the LAN. it is only when the traffic is going to the spoke that it seems to be a problem (now via either SD-Wan or MPLS). I remember reading years ago a story about there being a network issue at exactly 500> miles from the server. Wonder if this is something similar (though doesn't seem like it should be if other protocols don't seem to be affected). Also, that is a good point about iperf; hints that it isn't just SMB; but I have tried sftp etc and got normal speeds...   I remember seeing the Thousand Eyes trial in the interface but I don't see it anymore. Does it require installing clients on all of the machines do you know?   Thanks again for the response.  ... View more

I wish I saw the same results but I spent days and days trying to get it working well. If you search google for "SD-Wan SMB slow performance", you will see I'm not alone. Not sure why it works well for some but not others but I was essentially left with no choice when Meraki support said it was expected behavior and closed the ticket 😕 ... View more

Thanks. For SD-Wan we have Fiber from Verizon and Cable from Comcast both 1+Gig speeds. The MPLS is Comcast too but they use their own fiber. Believe me, I wish like hell I did not have to shell out for the MPLS connection but I just could not get the necessary performance out of the SMB/SD-Wan connection to be practical.  ... View more

@RaphaeIL wrote: You were lied to. @MartinS wrote: Yea who told you that @from_afar ? I was told by ATT support and Meraki support (multiple tiers). There are a ton of posts in my profile of attempts to solve the issue with help from here https://community.meraki.com/t5/user/viewprofilepage/user-id/102579 e.g. this post but the end result was that after literal days of testing with iperf etc I could not get any files to copy form the Hub to the Spoke any faster than ~5mbps despite fiber connections and full-speed 1Gb + speed test results. I spent an entire afternoon on the phone with ATT support (whom we are leasing Meraki from) who got Meraki support on the phone (up through several tiers) and we connected/disconnected/tested for HOURS. If you search google for "SD-Wan slow SMB" you will get a million results. Among those is something "official" the Meraki rep referenced that said that it was a protocol issue with SMB/SD-Wan and the the performance I was seeing was "expected behavior".    Believe me, I wish I was wrong but I could not find a solution after months of trying. Stuff like http/s, dns, etc. all work and perform fine over the SD-Wan connection, but SMB file copy speeds are abysmal (our users use software on their machines that load files from the server at the Hub and the speeds are so slow the applications because unusable). As a temporary workaround, I had to create a remote desktop session host, install the software on there, and have the users do their work that way. Going that route, performance was fine.    But trying to copy a file from hub to spoke (just standard windows explorer right-click copy/paste) you could see the files just creeping along never more than 5MB/s but typically floats back and forth between 1.0MB/s and 3.5MB/s. Still doing it to this day (just checked; 2 +hours for a 1Gig file).  ... View more

We are Paying for Umbrella SIG Advantage. https://documentation.meraki.com/MX/Site-to-site_VPN/MX_and_Umbrella_SIG_IPSec_Tunnel but it is not configured as mentioned because we need to keep static IP addresses. We were going to test this functionality, but never did get that far (AT&T will just stop replying to tickets and it's been 9 months of torture trying to get them to help get this all working). From what I read in that article, it seems like it indeed will change our Public IP which is something we can't do. (Technically it is partially configured, they created the tunnel but it is not established or up and running). That said, I do have Intelligent Proxy and SSL decryption enabled on all of our policies and all Secure Clients have Umbrella installed and enabled. As far as I understand, though, the firewall policies in Umbrella won't have any affect without the Tunnel up and running hence the all are registering 0 hits over the last 30 days).  I was kind of hoping that in the interim I could use the built-in Meraki firewall rules to at least get some cover for an upcoming audit, but it only seems to be applying to the SD-Wan users and users connecting via Secure Client, the rest of the users on the LAN aren't affected by these settings as far as I can tell (tested by trying to get to an external http service I have running on an unconventional port out on DigitalOcean; I can reach it fine on the LAN despite there being no "allow" rule for this port but when connected via Secure Client and or on the SD-Wan network, I cannot access the site indeed).  ... View more

Unfortunately, we are leasing everything through AT&T so that is where I'm supposed to get support (they haven't been very helpful to put it mildly). I have had other Meraki Employees here seem to be able to get in and view our setup before, can you not?  ... View more

Thanks for the excellent and thorough reply.    Unfortunately, we purchased Meraki/Umbrella through AT&T so I don't have full admin access to stuff. Additionally, they have be absolutely abysmal with help getting things set up. It's been almost a year, and still things are not functioning correctly and it's quite expensive. I just wish expensive enough to get a lawyer to see if we could get out of the contract. This is why I'm trying to learn/do this stuff myself (the whole point was to offload this kind of work so that I could focus on other things and be assured that things are configured correctly).    @GreenMan wrote: I would certainly be pushing your SaaS providers as to why they still insist on this though, TBH.  This isn't due to SaaS providers, we work in Financial Services which requires us to log in to many financial accounts on behalf of our clients. We get initial permissions and things set up and then try our hardest to keep things running without having to keep bothering our clients. If we are constantly losing our MFA tokens etc. we would be having to bother them constantly or at least every time we tried to log in and the user appeared to be coming from a new/different WAN IP address. We are a service business so keeping our clients happy is key hence we try to consolidate all of our traffic (and have been for years) partly for this reason. The other as you mentioned is it makes it easier to consolidate monitoring and security management.   I wish I understood enough what the differences are in what we are using vs what you mentioned. I do have Intelligent Proxy and SSL decryption enabled on our policies and we are using Cisco Secure Connect and Umbrella is active and enabled on all of the clients. I don't understand, though, how this fits in with the firewall configuration. It looks like you may be referring to where a tunnel is set up and traffic is tunneled offsite to SIG as explained here: https://documentation.meraki.com/MX/Site-to-site_VPN/MX_and_Umbrella_SIG_IPSec_Tunnel This seems to confirm that it does indeed change the WAN IP address so not sure how/if this could work for us.  Again, still curious as to if the built-in firewall could at least offer us some protection in the interim, but for whatever reason it still appears to be only affecting users who are connecting via VPN and/or the SD-Wan users.    ... View more

Thanks for the reply.    No, the tunnel is currently off because of the concerns mentioned re: losing WAN IP consistency hence I'm testing the built-in Meraki firewall stuff to see if it would work in place.  We have the full Umbrella suite so we do have Umbrella SIG Advantage and are using DLP and IPS protection, but the Umbrella firewall stuff is not active beyond that (0 hits in the last 30 days).    Not sure what you mean by SIG or Secure Connect...as mentioned, the Meraki firewall rules are applying to users that are VPN'ing in via AnyConnect Secure Connect Client, but are not affecting users on the LAN or SD-Wan.    I have had the rules set for a few hours now and still am experiencing the same thing--LAN/SD-Wan are not being affected by any of the firewall rules (e.g. I have a http service out on the web on a non-standard port that I can reach fine from the LAN/SD-Wan, but if I VPN into the HUB with Cisco Secure Client, while connected, I cannot reach said service). ... View more

Thanks for the reply.   by Idp do you mean identity provider? I have configured Azure SAML for admin login and that seems to work fine:       I can log in to the admin dashboard via Azure.    I have also configured SAML settings in deployment:     and when I "test" that configuration it says it passes.    However, I can't find or see anything that identifies whether or not if a user authenticates via AnyConnect Azure SAML whether or not they will be authenticated to Umbrella and thus can have policies etc. applied to their Azure account.    Does this Idp allow this? Is there somewhere I'm missing where this would get configured?    Appreciate the help.  ... View more

I have had issues before when trying to connect to VPN when multiple people were trying to connect from the same network. I.e. the first connection would work fine, but then when someone else tried to connect from the same WiFi network, that connection would fail. These were Mac's, but it happened on iOS as well. I think Meraki does some magic that doesn't work well when multiple connections are coming from the same location. They probably don't expect that to be normal behavior or something. The only solution I found was to move over to Cisco Secure Client AnyConnect app. ... View more

Thanks. Unfortunately, I'm leasing the system from AT&T which has been an absolute nightmare. As such, Cisco/Meraki just sends me their way and they have been abysmal when trying to get help hence I try to fix things myself first, then come here if I can't.    At any rate, it fixed itself which is frustrating but at least it's fixed.    Thanks for the reply. ... View more