Site-to-site VPN or Client? As @ww noted, AutoVPN tends to work fine behind NAT/PAT for the most part. Obviously, if it is Client VPN, you'll need port forwards configured, as the traffic will never hit the WAN interface of the MX otherwise. On your query about the smaller ISP: yes, if they obtain a block of routable public IPs and the firewall is able to use one of those, no port forwarding would be necessary.
Check the logs for "ethernet port carrier change" and see if it is just the WAN interface flapping or other ports too. This is what was happening on an MX84 I manage:
Yes, that does indeed look disabled. See if the problem goes away with the new unit; if it doesn't, I'd investigate this angle more deeply. The flapping I experienced on an MX84 was on all active interfaces and was related to AnyConnect getting hammered, not to the device.
The Aruba 2920 family also supports 802.3az, which is what is known to cause the flapping. Your ISP router may as well. See if you can disable it on the port that the MX is connected to.
No problem. As I posted above, both of those switches you are using definitely support 802.3az (EEE), so that's likely the problem. Anything from the Cisco 2960-S family doesn't: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-s-series-switches/data_sheet_c78-726680.html If you scroll down to the standards section, you'll see that 802.3az is not listed. Lots of them out there; I have a pile of them here.
Do you have access to an older Cisco switch that for sure doesn't have EEE? I'm using a stack of 2960S's at a client and they definitely don't have it and they are rock solid.
A number of different connection types, one is wireless (cellular) but was previously on wireless P2P, others are cable and DSL. My 150 option is set to the tftp server I have running at the HO in this system which has the handset configs and phone firmware loads on it. One thing you might want to check is to ensure that there's no firewall rules blocking access from the remote subnets to your TFTP server.
OK, thank you. There are two things that will cause a flap:

1. 100% CPU spikes, but these, in my experience, flap all the active interfaces.
2. Energy Efficient Ethernet being enabled on a non-Meraki switch or router. This is a known issue.

What is the make/model of the switch you are using between the ISP and the MX?
When I had an MX84 hitting 100% and flapping the interfaces, it was all the interfaces that were active. If you are only seeing the WAN interface flap, I'd suspect it isn't a crash, as all should flap under a crash as well.
If there was no route to your new IP, you'd have no internet on that device. Are these straight-up modems, or is it possible that the device got reset and is now in modem/gateway mode? Even if the external routable IP didn't change in that scenario (Appliance Status -> WAN1 would still show the correct external IP), the MX would of course be unreachable but could still get to the internet. What do you see under Appliance Status -> Uplink -> WAN1?
I had to get the CPU utilization figure from support. In my case, I had all active ports flapping, not just the WAN links, so if you are only seeing it on the WAN side I'd assume the issue isn't the same. Just figured I'd mention it.
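One way to turn the log check described in these replies into a repeatable test, as an added Python example that is not from the thread or from Meraki: it counts "ethernet port carrier change" events per port in a constructed, Meraki-like log shape (the line format, port names and sample timestamps are assumptions, not the real dashboard export) and reports whether only the WAN uplink flapped or every active port did.

```python
import re
from collections import Counter

EVENT = "ethernet port carrier change"
# Assumed line shape (constructed for this example, not the real dashboard export):
#   <ISO time> <event type> port: <name> status: <up|down>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>.+?)\s+port:\s*(?P<port>\S+)\s+status:\s*(?P<status>\S+)$")

# Constructed sample: only the WAN uplink flaps, LAN ports stay quiet.
WAN_ONLY_LOG = """\
2024-01-10T08:00:01Z ethernet port carrier change port: wan1 status: down
2024-01-10T08:00:04Z ethernet port carrier change port: wan1 status: up
2024-01-10T08:12:30Z ethernet port carrier change port: wan1 status: down
2024-01-10T08:12:33Z ethernet port carrier change port: wan1 status: up
2024-01-10T08:15:00Z vpn connectivity change port: wan1 status: up
"""

# Constructed sample: every active port drops and recovers together.
ALL_PORTS_LOG = """\
2024-01-10T09:00:00Z ethernet port carrier change port: wan1 status: down
2024-01-10T09:00:00Z ethernet port carrier change port: wan2 status: down
2024-01-10T09:00:00Z ethernet port carrier change port: 3 status: down
2024-01-10T09:00:00Z ethernet port carrier change port: 4 status: down
2024-01-10T09:00:06Z ethernet port carrier change port: wan1 status: up
2024-01-10T09:00:06Z ethernet port carrier change port: wan2 status: up
2024-01-10T09:00:06Z ethernet port carrier change port: 3 status: up
2024-01-10T09:00:06Z ethernet port carrier change port: 4 status: up
"""

def count_flaps(log_text):
    """Count 'down' carrier-change events per port (one per flap); other events are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("event") == EVENT and m.group("status") == "down":
            counts[m.group("port")] += 1
    return counts

def classify_flaps(counts, active_ports, wan_ports=("wan1", "wan2")):
    """Map the flap pattern to the two causes discussed in the thread."""
    flapping = {port for port, n in counts.items() if n > 0}
    if not flapping:
        return "none"
    if flapping <= set(wan_ports):
        return "wan-only"    # look at 802.3az/EEE on the upstream switch or ISP router
    if flapping >= set(active_ports):
        return "all-active"  # suspect a CPU spike (e.g. AnyConnect being hammered)
    return "mixed"           # neither pattern from the thread
```

Feed it the exported event log and the list of ports that are actually in use; a "wan-only" result points at the upstream switch's EEE setting, "all-active" at the MX itself.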
May not be germane to your issue, but I figured I'd mention it: on a client's MX84 I was seeing frequent flaps of not only both uplinks but also the active LAN ports. Turns out the AnyConnect service was getting hammered by malicious actors and spiking the CPU to 100%, which caused the flap. Moving AnyConnect to a different port solved the problem.
This would be something to bring up with Cisco directly, not Meraki, as the AnyConnect client is really more ported to Meraki rather than it being a development platform. If you have an AnyConnect license, you can submit a ticket through the conventional Cisco TAC support channel.
Not the final photo, but I started colour coding the links at a client's site with proper-length cables (everything was blue, EVERYTHING). Orange are uplinks, purple is voice, red is a managed service. The TRENDnet is no longer there. Not shown is the stack of 2960S's, also colour coded.
As long as you have access to both pieces of equipment, it's pretty easy to set up. I've got a couple of different pieces of hardware with a VPN tunnel landing on an MX84, one is a SonicWall, the other is an ISR, and the setup was very straightforward.
Should definitely not be causing drops. How frequent are we talking here? It sounds like it is frequent enough that you've considered site-to-site; what's securing those other sites presently?