Meraki

RaphaelL

Thank god ! Fixed a bug that caused switches to forward some RADIUS requests that included an invalid source MAC address Had this case opened for months. Switchports with CRC errors would forward thousands of "false" MAC and result in a LOT of RADIUS request. Hope this is fixed for good

RaphaelL

For me it has been like that since the new page : We are running 18.107.6 at the moment on this network.

RaphaelL

It has been like that for a little while with the new page however you still can't get that info via API :'(

RaphaelL

SD-WAN is just a buzz word. You are building VPN tunnels over "cheap" WAN links. I manage a very large organization with over 3000 WAN links and 1500 spokes. Everyone is doing SMB over AutoVPN just fine. Although I must agree that SMB hates latency. So if you have 100ms latency over AutoVPN vs 5ms on MPLS of course MPLS is going to outperform your WAN links in that scenario

RaphaelL

Hi , I don't have any MG to confirm that behavior. Are there a lot of networks in that Org ? You could probably list all the networkIds from uplinksLossAndLatency and compare from GetOrganizationNetworks and find the networkId missing between the 2 lists. But even with that info, I do think that you should probably log a case.

RaphaelL

I don't have the answer right away , but why are you not using the Meraki python SDK ?

RaphaelL

You will have a hard time finding that kind of info here. Best suggestion would be to contact your SE or support directly

RaphaelL

I am curious why maybe we could replace this with running BGP on autovpn and BGP between Hub and L3 switch or OSPF ? Yes you could run eBGP between your HUB and L3 switch. Is there some other benefit or is there some scenario where we can get benefit? You won't have to maintain static routes which will become a nightmare if your network scales.

RaphaelL

Hi , I had a case opened 2 years ago about discrepencies for endpoints related to Wireless connections stats. To my surprise this is still the case even after updating my aps to MR30.7.... Eg : From the dashboard I can only see 2 Assoc errors : Same exact epoch time from the API gives me such different results : https://api.meraki.com/api/v1/networks/xxxxxx/wireless/failedConnections?t0=1730347200&t1=1730869200 86 results with more than 10 clients vs 2 results from 2 clients on the dashboard. Has anyone ever had any success with these endpoints ? 😣

RaphaelL

I see 3 suggestions. MX 18.107.10 , MX 18.211.4 , MX 19.1.5 ( latest Stable RC ) I would hope that going back to 18.107.10 would "fix" your issue.

RaphaelL

Do you have the graph to compare before ( MX 18.107 ) and after ( MX 18.211 / 19.1X ) ? The only thing different from my case is that when we disable or whitelist 10/8 from the IPS we see a huge improvement. Device utilization decreases about 10-40% depending on the type of site.

RaphaelL

SD-Wan doesn't work well with SMB You were lied to.

RaphaelL

I don't have a clear solution to that , but I made a post couple weeks ago with all sort of info : https://community.meraki.com/t5/Security-SD-WAN/MX-Device-utilization-degradation-after-upgrading-to-MX-18-2/m-p/249315 It looks similar to your issues.

RaphaelL

Hi , 2 questions 1- Number of "clients" ? 2- Have you tried MX 18.107.10 You can also ask support to show you the advanced metrics. CPU 99% percentile , number of flows , packets per second. It looks like that : I have almost the same issues as described with many MX68. We are exceeding the recommended limit of 50 clients ( but who cares ). With 18.2XX code and 19.X we see a big bump is device utilization.

RaphaelL

Not normal. Are you running recent firmware ? I would try to re-seat the cable in a maintenance window and open a support case

RaphaelL

Your conclusion is correct ! My pleasure !

RaphaelL

Note: In Firmware MX18.101 and newer, the syslog messages for "flows" has been changed to "firewall", "vpn_firewall", "cellular_firewall" or "bridge_anyconnect_client_vpn_firewall" depending on which rule was matched. Using the outbound flow as an example, the syslog message has been updated to this: 948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all Flows = firewall , vpn_firewall , cellular_firewall , bridge_anyconnect_client_vpn_firewall

RaphaelL

Hi , https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration When you configure a L3 firewall rule and check "syslog" it will send a "firewall" syslog. However , it should still send the other syslog message such as ip_flow_start and ip_flow_stop ( end ? ). You could take a packet capture on your spoke site-to-site VPN interface and see what it is being sent.

RaphaelL

Atleast the MX650 will support it. I don't remember if older MX will support it

RaphaelL

Hi , In theory it is possible , how ever Meraki doesn't support it. There are also little to no gain with 802.11r + Open SSID

RaphaelL

Yes , that should also work. There are more than 1 way to achieve your goal

RaphaelL

Hi , I assume you are using a Meraki MX. If so you can configure a global shaping of 100Mbps in the page : SD-WAN & traffic shaping To have some clients ignore the shapping you can create a Group Policy and do the same thing but configure : Ignore bandwidth You can then apply that Group Policy to a VLAN or directly to clients.

RaphaelL

And still, I'm unable to access it How are you trying to access it ? Via Port forwarding / NAT ? Or via it's private LAN IP ?

RaphaelL

Hi , Pretty sure this is expected : https://community.meraki.com/t5/Security-SD-WAN/Security-Center/m-p/252049#M56197 From the thread : This is the Scenario that you are most likely experiencing. Meraki MX appliance received packets from the source IP address from Russia. The packets were copied to the IDS process for further analysis. The IDS flagged the flow as potentially harmful, as it matches the pattern of a known attack vector. Before the IDS could take preemptive action to drop the flow, the Meraki MX's inbound firewall rules had already dropped it As a result of the firewall's prompt action, the IDS process could not apply its own measures, which is why the Meraki Dashboard indicated the action as "Allowed." It is important to note that despite this indication, the flow was effectively blocked by the MX. Key Takeaways: The swift response by the firewall prevented any action from being required on the part of the IDS. An "Allowed" status on the Meraki Dashboard could sometimes mean that the threat was blocked by other security layers, not that the traffic was permitted through the network. Was the flow listed as allowed or blocked ?

RaphaelL

I only have 1 network running with MX 19.1.4 with WAN2 ipv6 enabled and I don't have the issue. My sample is too low to consider this issue not present in 19.1.4. I suggest opening a ticket to support.

About RaphaelL

RaphaelL

Raphael Letourneau

Community Record

Badges