Meraki

PhilipDAth · ‎Dec 9 2025

I don't know the answer. This is the closest I could find. https://documentation.meraki.com/Platform_Management/SM_-_Endpoint_Management/Operate_and_Maintain/Tags_and_Policies/App_allowing%2F%2Fdenying_list_in_security_policies

PhilipDAth · ‎Dec 9 2025

Make sure your internal network has routes for the client VPN subnet pointing to the MX. This is a hard requirement.

PhilipDAth · ‎Dec 9 2025

Hey team. I want to warn you that this program has onerous legal restrictions (or at least has had in the past) on what you can say, promote, or discuss online (including in any Cisco-owned communities). I couldn't bring myself to sign off on the application in the past.

PhilipDAth · ‎Dec 9 2025

To add to Mloraditch excellent answer, this is because the splash page is hosted and served from a server on the Internet, not from inside your network. Consequently, the RADIUS request comes from the Internet. It is a real pain. Could you use Entra ID authentication instead? https://documentation.meraki.com/Wireless/Design_and_Configure/Configuration_Guides/Encryption_and_Authentication/Microsoft_Entra_ID_Integration_with_Splash_page

PhilipDAth · ‎Dec 9 2025

Ask them to perform the subnet NAT translation on their end.

PhilipDAth · ‎Dec 8 2025

Wow! This is now super compelling.

PhilipDAth · ‎Dec 7 2025

We tried using Systems Manager at the beginning to manage Windows and Android, but it was just too much hard work. Debugging things (especially on Android) was really hard work, and the Windows platform seemed to get no love. We've moved to Intune now.

PhilipDAth · ‎Dec 7 2025

I think I just got this. Are you trying to create a non-Meraki IPSec VPN from the WAN2 interface on the MX? You can't do that. It always uses whatever the primary WAN interface is. On the Fortinet side you can probably configure both VPNs, but only one will be up at a time.

PhilipDAth · ‎Dec 7 2025

Each site will require its own unique subnet range. You'll enable AutoVPN on the MXs to network all the sites together.

PhilipDAth · ‎Dec 7 2025

>Client VPN now supports IKEv2 for establishing connections. Now that is interesting.

PhilipDAth · ‎Dec 4 2025

When you say you are trying to establish a second VPN, I assume you mean to a different Fortinet firewall somewhere else? You can only have a single VPN between a pair of devices.

PhilipDAth · ‎Dec 4 2025

For Chrome, you can configure that setting via Active Directory group policy and Intune via configuration settings. https://chromeenterprise.google/policies/ https://support.google.com/chrome/a/answer/12129062?hl=en

PhilipDAth · ‎Dec 4 2025

Well done @SMAT_jp , @jameslord and @Seenu for your contributions. And thank you to the amazing 12.

PhilipDAth · ‎Dec 4 2025

This post contains the cause of the issue and the solution. https://community.meraki.com/t5/Full-Stack-Network-Wide/Who-is-still-having-an-issue-with-client-names-in-the-Meraki/m-p/282397/highlight/true#M3108

PhilipDAth · ‎Dec 3 2025

I would not connect the MXs to each other either. Just a single connection to the layer 2 domain. RSTP is not sufficient to stop ports being incorrectly blocked. It would help if the MXs supported spanning tree or port channels, but alas they do not.

PhilipDAth · ‎Dec 3 2025

I have most often seen this with Windows' power-saving settings. Has power saving turned the machine's screen off when this is happening?

PhilipDAth · ‎Dec 3 2025

>The only way you are going to be able to do this when not using the hub for all traffic is have the hub point it to something else, a secondary firewall This solution will work. Another solution I have used is to deploy an HAProxy VM that forwards all traffic it receives to the website. Create an internal DNS entry in Active Directory, www.company.com, pointing to the private IP address of the HA Proxy. This causes anyone accessing that website to go via the HA Proxy, and for all of their traffic to appear to come from one IP address. You can do something similar on Windows with: netsh interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectaddress=x.x.x.x connectport=443

PhilipDAth · ‎Dec 3 2025

I would not dual-connect an MX to a switch fabric. Use a single connection. What happens is you eventually run into a spanning tree issue and suffer an outage that the extra redundancy was meant to avoid. In other words, the extra complexity causes more outages than it prevents.

PhilipDAth · ‎Dec 3 2025

No. These are the two supported topologies: https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Deployment_Guides/MPLS_Failover_to_Meraki_Auto_VPN https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS At a minimum, you would need to modify the design so that the ELAN is connected directly to the Internet.

PhilipDAth · ‎Dec 2 2025

I didn't know that. Good too know!

PhilipDAth · ‎Dec 2 2025

All of the cameras that support vehicle detection can be used for LPR. The camera detects a vehicle and then sends a message to the LPR system. That LPR system extracts a still of the vehicle and then reads the number plate from that still.

PhilipDAth · ‎Dec 2 2025

Yes. Note that only Entra ID is supported as an external authentication source at this point in time.

PhilipDAth · ‎Dec 1 2025

Thanks for the tip. 🙂

PhilipDAth · ‎Dec 1 2025

Here is an example challenge. Pretend you have not used Cisco Community before. Starting from the home page, tell me how long it takes you to find the "Cisco Workflows" community. https://community.cisco.com/ I have used the Cisco Community. I couldn't find it. I gave up.

PhilipDAth · ‎Dec 1 2025

This is a really long shot - I have had issues with MS12x and MS13x switches intermittently failing to resolve DNS (or taking a long time) on MS 17.2.x code. You could try going back to 16.x, or jumping to 18.x. This is listed in the 18.1.1 MS release notes - but it definitely affects more than just the MS130.

About PhilipDAth

PhilipDAth

Philip D'Ath

Community Record

Badges