Looking at alternative solutions - could you go wireless?   Failing that, you could consider using VDSL media converters, but if there are a lot of ports, it could get expensive quickly.   If you have Cat3 cabling - VDSL would be the only way to use that cabling. If you have Cat5, you could look at using 100Mb/s only - but personally, I would rather change to WiFi.   I think I would get a cabling company in, get a quote and confirm what kind of cabling is installed. ... View more

>On the Azure side, I am certain I just need to configure 2 VPNs - one pointing to the MX Primary Circuit IP; the other pointing to the MX Secondary Circuit IP.   I give you a 10% chance of getting this to work.  Expect this approach to fail.   As already mentioned, a VMX is the way to go. ... View more

ps. This will depend on your carrier and SIM - but I have never had to touch the PIN number field. ... View more

>The interesting thing is this that this only occurs on eap-tls   Perhaps they haven't been configured to trust the root CA certficate. Perhaps they require a minimum of a SHA2 signed root CA certificate and it is only SHA1 signed.   >what message would be sent after a radius accept message  as I would expect that to be final message   Hard to say.  Could be COA.  Could be an additional or secondary challenge.  Need to check client log to see what it is saying. ... View more

I don't think you are having an actual timeout - I believe one end (either the client or the RADIUS server) is refusing to respond to a message, which looks like a timeout from a packet capture perspective.   But I suspect on either the client or the RADIUS server, there will be additional information. ... View more

How many total devices are you expecting (or planning to allow) to connect?   Depending on the number of devices, I would either run with a single subnet for the whole building, or split the subnets into chunks above and below the mechanical floors.  Failing that, a subnet per floor and enable L3 roaming. https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MR_Wireless/Wireless_Layer_3_Roaming_Best_Practices    If this is an apartment building, I would also consider using WPN, and making each apartment their a separate virtual network. https://documentation.meraki.com/MR/Encryption_and_Authentication/Wi-Fi_Personal_Network_(WPN)      ... View more

What does the event log say on the client?  What reason does it give for disconnecting?   It might be the client is refusing the connection after it is accepted.  Perhaps the client does not like the RADIUS server certificate or something like that. ... View more

If you are a Cisco Partner, you can also find resources in the Merai Partners portal. https://www.merakipartners.com/s/MarketingResources  ... View more

Thanks for joining the community. ... View more

Do you use any SAML providers, such as Cisco Duo or Office 365?  Are you able to enable the password reset function in those?   If you can, then change AnyConnect to also use SAML authentication and that same system. https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Azure_AD_SAML_Configuration  And as a bonus, you will also gain easy MFA capability. ... View more

I don't have a single customer using TXT based authentication.  Can you change to one of the other options? ... View more

I also doubt this is an MX issue ...   But let's try and break the problem down further.  Perhaps next Monday, can you plug the MX circuit directly into the primary MX (this will obviously mean your warm spare is not working).  This will bypass your switch, and a couple fo connections. If the issue still happens, you know it is directly related to the ISP and primary MX (since everything else was not plugged in).   Does the uplink graph in the dashboard show any big traffic flows at this time (perhaps someone is doing a big upload/download).   This is the list of things monitored on the uplink: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failover#Failover_Connectivity_Tests  Ask Meraki support to confirm which event is causing the failover.  Perhaps it is the link going down.  Perhaps the link is staying up, but the tests are failing. ... View more

For local certificate authenticate, you upload a root CA certificate.  The MR will alow anything to authenticate that uses a certificate from that root CA certificate.   It doesn't matter if it is a user or a machine. ... View more

>If understand correctly I will need an separate VNET for the vMXs,   A separate subnet is sufficient.   >a virtual Firewall (here I'm assuming it will be a Azure virtual FW)   I haven't seen anyone else Azure Firewall for this.  Everyone uses network security grounds.   Is your Azure spread across multiple regions?  Another simple option is to just put one (or two) VMXs into each region. ... View more

Wow, that is interesting! ... View more

I don't know - but NAT mode is available for VMX.   If you were keen to do an experiment, you could request another VMX on trial, and do a test deployment, and see what happens. ... View more

This was historically the case.  About 6 months ago the VMX gained support for NAT mode, and Meraki changed it so this is now the default deployment option (bad!!!). https://documentation.meraki.com/MX/Other_Topics/vMX_NAT_Mode_Use_Cases_and_FAQ .   This was done primarily to offer full tunnel client VPN support for VMX.  In NAT mode, a user can VPN in and access the Internet (the VMX will NAT their traffic). HOWEVER, all AutoVPN spoke traffic is also NATed when accessing cloud servers.  The bonus of this is you no longer need to configure any routing in the public cloud - as all traffic (client VPN and AutoVPN) is NATed to the VMX private IP address and appears to come from that IP.   This is a major pain.  Servers CAN NOT access spokes - because the spokes sit behind NAT.  For example, you can't have a server in the cloud send a print job to a printer on-premise over AutoVPN using a VMX in NAT mode (actually I lie - you can make it work, but you have to configure NAT port forwards, just like if you have a physical MX attached to the Internet and wanted to give access to something from the Internet to an internal server - but this is a nasty solution for this use case).   As a consequence of this, I never use NAT mode for VMX.  Also note you can't change this setting post-deployment.  If you want to change it you have to delete the VMX and re-deploy it.     Looping full circle, now you can have a VMX in NAT mode like a "typical" on-premise VMX. Does the VMX support IPS or contenting filtering while running in NAT mode (like its on-premise counterpart)?  I don't know.  I have never used NAT mode on VMX, so have never tested this out.  But I think there is a reasonable chance this will work. ... View more

Thaks for joining the community @eakinj7 . ... View more

Any chance of getting my bug fixed ... https://community.meraki.com/t5/Developers-APIs/Bug-in-asyncio-library-message-is-dict/m-p/207644#M8876  ... View more

Update installed.  🙂 ... View more

You should be able to remove the agent using add/remove programs. ... View more

Thanks for joining the community @Ambrose1 . ... View more

The "V" in "VMX" means virtual - it is an MX.  You typically use the VMX as a VPN concentrator.   Amazon doesn't charge for security groups, used for firewalling, so I am not sure where the cost aspect comes from? ... View more

I have been finding WPA3 unreliable.  I wonder if this might sort it out. ... View more