@DavidB Did you miss the diagram above? This feature won’t work. Split tunnel mode is being used. Policy is the only method to restrict the requested setup. ... View more

@PentagonSystems Want to make sure you got my last post that someone in support wasn’t happy with?  ... View more

I am still not following. Maybe you could write up a detailed Visio?    you lost me here: MX HUB has firewall rule restricting MX spoke network (192.168.2.1) from vlan 1 in vpn (192.168.1.0/24)  *we only enforce firewall rules on outbound/egress traffic. If your applying policy on a Hub formspoke traffic the rules don’t apply.   Are all firewalls in NAT mode?  Is this split or full tunnel (is the default route button checked on the spoke)?  When you say”in vpn” Are you referring to the yes no toggle button for that sites subnets? Keep in mind this is what adds the subnet to the “crypto map” so it is routable or not.   ... View more

I’m not sure I completely follow the logic, however there are circumstances where you can’t restrict the tunnel but you can restrict the subnets via firewall rules. This is what I would recommend, using site to site firewall rules.   Would there be a reason this approach wouldn’t work?   ... View more

@The_Livingstone By default you NOT going to be able to ping the WAN interface(s) unless you change the ICMP to ANY under firewall rules.    Please call all into our technical support @ 415-432-1000 and they should be able to look at your device and make sure the static IP is assigned. ... View more

You should be able to change the IP from Dashboard in the version your running under security appliance uplink. ... View more

What version of code are you on? ... View more

@PNThat is correct. ... View more

I understood your question. The answer is still the same, if the hack fixes the error your getting that is the only answer I have with the current design/products. I followed up and gave you another option I know will work but requires additional hardware. There may be some other options the other community members can provide using something open-source. ... View more

There is a limitation because internally to the MX the client VPN process is separate from the AutoVPN process and is unable to route between the two. Therefore your not going to be able to route through the same MX when using client VPN to AutoVPN routes in your design.    An option is to have a dedicated MX concentrator in your DMZ. This would allow you to only have one client VPN into your office that would allow you to route through the office for both corp and AWS services. I'm not sure how many clients you have but maybe it could be done with a MX64. I know bringing hardware into the mix isn't always easy but I'm not sure there is any other option this current Meraki design if you do not want to push a registry change. ... View more

You may be running into an issue with step 6 at the link below. I would try to move it to Dropbox and follow the direct file link process on Dropbox website for a test. I am not sure how to do the equivalent on sharepoint. https://documentation.meraki.com/SM/Profiles_and_Settings/Backpack_Setup  ... View more

Is the link http or https? ... View more

Are you providing a link or uploading the file? If your uploading the file are you specifying or autodetecting? ... View more

Your most likely hitting a NAT issue so see this link and search error 809- https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN     Depending on what your trying to accomplish this design may not supported beyond intranet (site to site) traffic. vMX VPN concentrators operating within AWS do not support full tunnel VPN. Your not trying to route out through AWS to internet are you?   Full Tunnel In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub. This is not supported for virtual MX VPN concentrators operating within AWS.     From here: https://documentation.meraki.com/MX-Z/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS#Full_Tunnel ... View more

@BlakeRichardsonCan you confirm your using (active directory or my radius server)? We support both.   You can terminate a users session with CoA if your using radius, which is the standard on how all vendors do this using 802.1x/EAP-PEAP (Username/Password). The MX platform does support 802.1x/radius and CoA, however from what your describing your using the built in Windows Active Directory which taps into AD via WMI and reads the logs. This is a unidirectional communication, we can only read the logs when a user logs in and out, there is nothing in that standard that can send back de-authentication events. When you say other vendors support this are you sure your not referring to CoA? When you use LDAP or WMI there aren't any mechanisms from the AD/NPS/Authentication gateway that can be sent back to disassociate a client, thus flip a policy role on the fly.     ... View more

On MV12 Models we will be providing object detection shipping in Spring 2018. Scroll down to Beyond Just Security: https://meraki.cisco.com/products/security-cameras#overview   To be clear there is a difference between recognition and detection. We will be doing detection but no one is using this feature since MV12's are not shipping yet. ... View more

1) Our large route would encompass any subnets that we use for unique subnets Why don't you use OSPF as opposed to static routing? This would allows the headend to advertise only specific routes as opposed to summarizing like mentioned. 2) We have to add interfaces at about half of the sites that binding to a template would restrict us from doing so. Using templates doesn't restrict you from adding interfaces. Maybe your referring to adding VLANs for sites that do not need them? If half the sites have vlans and half don't, create two templates. If you use VLAN templates-Unique you can specify the large summarized subnet and supernet you want to use and then override the subnet at each site(just not the subnet mask you defined in the vlan template. This pushes this back to the cloud and headend to advertise the specific routes used and make sure we don not overlap subnets if creating new sites.    This may be confusing so I can clarify on any of the topics if needed. ... View more

@JoshVanDeraaSorry, no support. There is a push internally via the SE team to get this supported on both WAN and LAN. One of the first challenges we have to on the LAN side is an API call to flip "use a single vlan" to enabled. Quite a few customers opt to use templates, that may ease some pain for you? How many remote sites do you have? ... View more

Looks right to me! ... View more

@SimonReachHere is our SFP document below. What you have is equivalent to a Meraki part number MA-SFP-1GB-LX10 . You can see per that document if your trying to do MMF you need mode conditioning patch cable. I think your path of least resistance is going back to a MMF SFP  on both sides if you have one.     https://meraki.cisco.com/lib/pdf/meraki_datasheet_sfp.pdf   ... View more

sorry @SimonReach I saw you state "the cable is a LC/ST, M/M  that's 1m long" So I assumed you were using a MM patch cable. I would recommend the same SFP and patch cable on both side, you pick either SMF or MM, either should get you the speeds 1/10g the distance your going.   It should* work with SMF SFPs and SM patch cable or MM SFPs and MM patch cable, however we do not support SFPs that are not Meraki branded. ... View more

@MarkusWhich API call are you using to add in a static IP to a MR? ... View more

You have a SM - SFP on both sides with a MM fiber patch cable with no mode conditioning? Have you tried a SM patch connector?   Sounds like this is what you need. https://www.cablesandkits.com/mc/fiber/os2-duplex/fam-13/connectortypes=LC-FC/length=1Meter/ ... View more