Community Record: 2309 Posts, 3563 Kudos, 204 Solutions
Sep 23 2020
3:57 AM
> @redsector wrote: But what I see is that both MXes are speaking with that WAN IP address.

Yes, both have a connection to the dashboard. It is completely different compared to, for example, an ASA, where you can configure it with only one usable public IP.

---
Sep 23 2020
3:46 AM
3 Kudos
This is not how MX HA works. Both units need individual connections to the internet; you cannot share one IP on both appliances. Two/three solutions come to mind:

1. Use a separate IP for the second MX.
2. Use a different ISP on the spare MX. That could be a simple LTE router just for dashboard connectivity, and in case of primary MX failure you connect the primary ISP to the second MX.
3. Use the second MX as a cold spare.

---
Sep 22 2020
1:39 PM
As a test, can you change the printer from plain SMTP to SUBMISSION (tcp/587 with username/password)?
---
Does that mean you are using the roaming-client or the AnyConnect roaming module on the PCs? Are the wireless and wired clients using the same policy and Domain-config? Also, go to Activity search in the Umbrella Dashboard and search for your internal Domain name. If it shows up, the domain-management is configured incorrectly.
---
Did you change your Umbrella-Setup recently? And who sends the DNS-requests to Umbrella? The client, the MX, a VA? I would first look at the Umbrella dashboard and/or the MX-Umbrella-config if your domain names (the domains that should be processed by your DNS) are configured correctly.
---
- Do the WLAN clients receive the right DNS server?
- Is it only DNS, and the rest is working as expected?

If nothing works, did you perhaps forget to allow the WLAN clients access to the local LAN under Wireless -> Firewall?

---
Sep 21 2020
5:17 AM
2 Kudos
A default route is always 0.0.0.0/0 and not /24. What is your topology? The other gateway is connected to a LAN port and not the WAN port? In general, the Internet should be connected to WAN.

---
Sep 18 2020
10:22 AM
Yes, that was a faulty assumption. Content-filtering is not done when the traffic reaches the MX over the VPN-Tunnel. Best solution (IMO): Deploy Cisco Umbrella to the branches and configure Content-filtering there.
---
Sep 18 2020
5:44 AM
1 Kudo
I don't think that you can get a good answer here, as there is nothing like a backup in the Dashboard. If you want to achieve something a backup is for, like the one you mentioned, getting back to operation after a disaster, there is only one way: generate a script that builds all your networks via API and document exactly where manual adjustment is needed if the API can't do it.

---
Sep 18 2020
5:34 AM
Can you explain what you mean with "and I need to be on this VLAN also"? If your DHCP-server is in VLAN 1 and the client is in VLAN X, then DHCP-relay is the feature to use. If your client is in the same VLAN as the DHCP-server, no DHCP-functionality is needed on the L3 device (the MX) between them as the DHCP-server can directly give the client its config.
---
Sep 18 2020
2:48 AM
> @Cain wrote: Indeed this is my current work around. I have a webhook that fires off a Python script that modifies the layer 7 rules when the WAN link changes.

Do you have a blog? Would be worth publishing your solution.

---
Sep 18 2020
2:24 AM
I also have no easy solution and having separate rules per WAN-interface would be really great for this use-case. But how are your Python skills? Based on the availability of the primary link, you could change the L7 firewall rules with the Dashboard-API.
---
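The approach sketched in the two posts above (a webhook-driven script that swaps the MX Layer 7 firewall rules depending on whether the primary WAN link is up) can be illustrated with the following added example. It is not code from the thread or from Meraki; the `l7FirewallRules` endpoint path, header name and `{"rules": [...]}` body follow the public Dashboard API v1 documentation as I know it, while the network ID, API key, application-category IDs and the `"active"`/`"failed"` uplink states are constructed placeholders. The HTTP call is injected as a function so the decision logic can be exercised offline and the rules are only pushed when they actually change:

```python
"""Swap MX Layer 7 firewall rules when the primary WAN uplink changes state."""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

# Constructed sample rule sets (application-category IDs are placeholders,
# not real Meraki identifiers). An empty list means "no L7 deny rules".
RULES_PRIMARY_UP: List[Dict] = []
RULES_ON_BACKUP: List[Dict] = [
    {
        "policy": "deny",
        "type": "applicationCategory",
        "value": {"id": "meraki:layer7/category/EXAMPLE_STREAMING",
                  "name": "Example streaming (placeholder)"},
    },
]

API_BASE = "https://api.meraki.com/api/v1"  # Dashboard API v1 base URL


def choose_rules(primary_uplink_status: str) -> List[Dict]:
    """Pick the rule set for the given primary uplink state.

    Anything other than "active" (case-insensitive) is treated as failed over,
    so the restrictive rule set is applied while traffic rides the backup link.
    """
    if primary_uplink_status.strip().lower() == "active":
        return RULES_PRIMARY_UP
    return RULES_ON_BACKUP


def build_request(network_id: str, api_key: str, rules: List[Dict]) -> Dict:
    """Describe the PUT that replaces the network's L7 firewall rules."""
    return {
        "method": "PUT",
        "url": f"{API_BASE}/networks/{network_id}/appliance/firewall/l7FirewallRules",
        "headers": {
            "X-Cisco-Meraki-API-Key": api_key,  # API key header used by the Dashboard API
            "Content-Type": "application/json",
        },
        "body": json.dumps({"rules": rules}),
    }


def send_with_urllib(request: Dict) -> Dict:
    """Perform a request built by build_request() with the standard library."""
    req = urllib.request.Request(
        request["url"],
        data=request["body"].encode(),
        headers=request["headers"],
        method=request["method"],
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def apply_for_uplink_state(
    status: str,
    network_id: str,
    api_key: str,
    send: Callable[[Dict], object],
    state: Optional[Dict] = None,
) -> Optional[List[Dict]]:
    """Push the rule set matching `status`, unless it is already in place.

    `state` remembers the last applied rule set so repeated webhook deliveries
    for the same event do not generate redundant API writes. Returns the rules
    that were pushed, or None when nothing had to change.
    """
    state = state if state is not None else {}
    rules = choose_rules(status)
    if state.get("applied") == rules:
        return None
    send(build_request(network_id, api_key, rules))
    state["applied"] = rules
    return rules


if __name__ == "__main__":
    # Offline demonstration: log the request instead of sending it.
    demo_state: Dict = {}
    for uplink in ("failed", "failed", "active"):
        pushed = apply_for_uplink_state(uplink, "N_PLACEHOLDER", "KEY_PLACEHOLDER", print, demo_state)
        print(f"uplink={uplink}: {'pushed ' + str(len(pushed)) + ' rule(s)' if pushed is not None else 'no change'}")
```

In production the webhook receiver would extract the uplink state from the Meraki alert payload and call `apply_for_uplink_state(..., send=send_with_urllib)`; keep the API key out of the script (environment variable or secret store) and give it an organization role with only the network write permission it needs.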
Sep 17 2020
7:34 AM
2 Kudos
If you have some dollars of the budget left, look at Cisco Umbrella. In my experience, the blocking of inappropriate content is more powerful than the MX built-in content filter.

---
Sep 16 2020
9:59 AM
2 Kudos
All in all, that should work. If you have a spare public IP, I would put the MX in parallel to the ASA and migrate the branches. This way you don't have to change the MX when done and you can also directly use the security-features of the MX for your outgoing traffic.
---
Sep 15 2020
1:06 PM
1 Kudo
Never used them myself, but have heard good things about http://www.acceltex.com/skins/
---
Sep 10 2020
1:35 PM
Sounds good, I would also expect that it will work. When adding the route to the router/firewall, make sure that this device is able to "hairpin" the traffic. For example, a Cisco ASA would not do that without dirty config.
---
Sep 9 2020
7:12 AM
1 Kudo
The approach of configuring a 192.168.0.0 network on Site B cannot work. That would be L2 bridging, which is not available on the MX and in most cases not a good solution. There should be no difference in the VPN connectivity of dual-armed vs. one-armed. Is it only the VPN connection that is failing, or also the connection to the VPN registry? Have you done any changes at the site1 MX? Is there any config for the 192.168.10.0 in MX1? That could be a problem.

---
Sep 9 2020
5:52 AM
First, this should work, and it is pretty much what I am running in my office (MX in routed mode) and home office (Z3 in concentrator mode in a DMZ of a Firepower appliance). If it does not work, I would first look at the internet connection of the spoke MX. Is the access control and NAT ready to support the MX? But I would also evaluate if you can replace the current firewall with the MX or add the MX to the given setup in routed mode with a direct connection to the internet. That could make everything a little easier.

---
Sep 8 2020
9:03 AM
But if two systems are synchronized or one replicates to the other, then we cannot call this a backup. If the dashboard config gets screwed up, the switch will be screwed up seconds later automatically.

---
Sep 5 2020
2:55 AM
1 Kudo
Ok, there is more than the splash page. Make sure that a single user cannot saturate your internet link; this could be done by a per-client bandwidth limit. Make sure that bulk traffic like online backup is shaped to a reasonable amount. Filter traffic to the internet that can be harmful to others; I generally do not allow guests tcp/25 and SNMP. Also think about L7 filters for things like P2P applications. Configure Layer 2 LAN isolation so that one guest cannot attack another. This is automatically done if you use Meraki DHCP.

---
Sep 5 2020
2:49 AM
I do not think that there are general best practices. But there are different goals that a hotel could have. Some want to make money with the WLAN, some want to provide best guest experience. As a traveler, I of course prefer the second goal. If your local rights allow this, I would go for the "click through" splash page. The guest has to accept an "acceptable use policy" and is connected to the internet. That is very convenient for the guest.
---
Sep 5 2020
2:29 AM
1 Kudo
As always: "it depends". Best you go through all the possibilities that you have with Meraki splash pages and pick the one that fits your need. Here are some documents to start:

- https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Splash_Page
- https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Customizing_the_Splash_Page
- https://documentation.meraki.com/MR/MR_Splash_Page/Splash_Page_Details_for_Meraki_MR

---
I am not sure if I get you right, but have you looked at the Organization Summary Report? There you can:

- restrict to a time range
- select a network
- select an SSID

And there you see the clients per day:

---
Sep 2 2020
12:00 PM
Not the way that you have an FMC and FTP managed by the Meraki-Cloud. For having *one* cloud-managed solution, the Cisco Defense Orchestrator (CDO) is the Cisco solution. But it is likely that it does not fit your needs (yet). But you still can manage the FTD/ASA locally. Yes, I also do not really like that, but for now, it is IMO the only usable way.
---
Sep 2 2020
11:38 AM
Actually, the possibilities are highly limited here. The traffic from VPN clients is subject to the L3 firewall, but for your use case you would need differentiated access. And as we cannot apply group policies via RADIUS for VPN users as it is possible with wireless users, all clients are treated the same. I really hope for more possibilities with the coming AnyConnect support. How do I solve this problem? Nearly all my Meraki implementations have an additional ASA for all client and external S2S VPNs. A cheap Firepower 1010 is very often enough here.