>IF I were to add it to a network would I be able to delete from that network and then unclaim without any problem.   Yes you can.  Well done on getting this far.  It's quite a big learning curve!   You can find instructions on how to remove devices here: https://documentation.meraki.com/General_Administration/Inventory_and_Devices/Adding_and_Removing_Devices_from_Dashboard_Networks#Removing_Devices_from_Networks ... View more

A further update - my issue turned out to be time synchronisation on the VMX.  It was too far out from the SAML provider.   Just in case anyone else runs into this issue, about once a year when running in Amazon AWS, I see this event: msg: SAML: Assertion is expired or not valid   The VMX and the SAML provider have to have their time synchronised to within 3 minutes of each other.  Anymore than that, and you get the above error.  When the VMX runs in Amazon it seems to source its time from the host (rather than NTP). The solution to fix the issue to to shutdown the VMX and then start it again.  This moves you to a new host, which 99.999% of the time has the correct time. ... View more

UTC is quite handy when you are getting notifications from multiple countries. ... View more

I tried 18.211.5 and found it broke AnyConnect with SAML authentication.  I have had to roll back. ... View more

Wow!  That was a lot of work. ... View more

99.9%, this means you have a layer 2 loop.  This switch has 2 (or more connections) to whatever connects to this port.  It could also have a loop indirectly via another device (especially in a switch static, but not exclusively so). ... View more

Several thoughts.   1. You could get the SOC to monitor the APs and the firewall.  Then they'll be able to see clients. 2. You are probably using SSID NAT mode.  If you create a dedicated VLAN for guests, and bridge the SSID to that VLAN they'll be able to see the individual clients on the firewall. ... View more

I think I found it! https://developer.cisco.com/meraki/api-v1/get-network-appliance-connectivity-monitoring-destinations/   https://developer.cisco.com/meraki/api-v1/update-network-appliance-connectivity-monitoring-destinations/   ... View more

I can't see any API for this either. ... View more

You deserve double kudos for that.  I can only see a wall of text. ... View more

What about forgetting about using L7 for this and converting those L7 rules to L3 rules?  You can create FQDN rules. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewall_Rules   ... View more

Is it coming from a single country, that you want nothing to do with?   If so, you could try creating a L7 firewall rule.  Never tested if it also blocks AnyConnect, but worth a go.   You could also try a L7 firewall rule to block this one IP address. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Firewall_Rule     Another thought - this might mean one of your users machines is compromised, and that a token has been stolen from it, a token that has now expired and is no longer valid. https://techcommunity.microsoft.com/blog/microsoftmechanicsblog/token-theft-protection-with-microsoft-entra-intune-defender-xdr--windows/4265675 ... View more

I haven't had had much luck with the new IKEv2 tunnel feature myself.   https://documentation.meraki.com/MX/Site-to-site_VPN/BGP_routing_over_IPsec_VPN ... View more

I can only think of horribly nasty solutions.  If it was me, I would re-visit the fundamental design and ask questions about what the actual intent is of the requirements.  I would try and engineer a different solution.   Back to the nasty.   I think this *might* be achievable on MR by definfing the *same* SSID but configured to forward to the VLAN on the floor, and then to use SSID availability tagging to only enable the SSID with the matching vlan tags for just the APs on that floor. https://documentation.meraki.com/MR/Other_Topics/SSID_Availability   For example; on SSID-B, create the SSID with forwarding to VLAN201.  Then only apply this SSID to APs on floor 1F. on SSID-B, create the *same* SSID (again) with forwarding to VLAN202.  Then only apply this SSID to APs on floor 12.   The WiFi SSID screen in Merai will show 3 identically configured SSID-A and thee identical SSID-B (aparting from the VLAN forwarding) based on your example.     I did say it was nasty. ... View more

Well; In a VPN concentrator deployment, you only have a single WAN port connected. In a passthrough deployment, the MX acts like a simple layer 2 bridge.  It works inline.  Think of a network where you want a firewall but can't change the IP addressing.  So you might slip this in between the default gateway and the internal devices. I have never done this type of deployment.  I don't like the sound of it.   >It seems that the secondary firewall does not block any ports or interfere with the traffic in this setup.   This is expected behaviour. ... View more

If I understand, all the servers are in a single subnet and VLAN, and the client wants protection from the Internet.   The MX will be fine for this simple use case. ... View more

This is my bet - WiFi clients roaming between APs. ... View more

What model of C9300 do you have, and what IOS-XE version is it running? ... View more

I prefer to minimise the number of SSIDs. ... View more

Old but still a problem (at least a problem I run into).  I would love it if every WiFi device would come with 2.4Ghz and 5Ghz radios, but I don't see this happening in the IoT market, which is trying to manufacture to the lowest price point. ... View more

If the client is failing to detect it needs to connect to a splash page, you'll need to access any http (not https) web site to complete the process.   For example, Windows usually uses: http://www.msftncsi.com/ncsi.txt But any http request will do. ... View more

I concurr. ... View more

I'm with @alemabrahao .  I have had issues with 2.4Ghz only clients (especially IoT devices) that are unable to see the SSID when band steering is enabled (it prevents them from connecting to WiFi all together).  I have gotten sick of dealing with these edge cases, so I rarely use band steering now.   Meraki's documentation specially calls out this issue: https://documentation.meraki.com/MR/Radio_Settings/Band_Steering "When band steering is enabled on an SSID, APs will stop advertising that SSID in 2.4 GHz beacons. Since 2.4 GHz-only clients that rely on a passive scan will not “see” that SSID in beacons, they might not be able to join this SSID unless they do an active scan or have been pre-configured with the SSID name and security settings (for example, a pre-shared key)." ... View more

This getting started guide might be easier to follow. https://documentation.meraki.com/Getting_Started_with_Meraki/Getting_Started_Resources/Getting_Started_Checklist   ... View more

This article contains instructions on both claiming and unclaiming devices. https://documentation.meraki.com/General_Administration/Inventory_and_Devices/Using_the_Organization_Inventory   After adding the device to your inventory, you all need to add it to a network to be sure.  The above link also includes instructions on how to do this. ... View more