Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About OVERKILL
OVERKILL
Building a reputation
Member since Jul 17, 2020
yesterday
Community Record
124
Posts
68
Kudos
4
Solutions
Badges
Apr 22 2022
11:47 AM
Any reason you aren't using AnyConnect?
... View more
Apr 19 2022
11:52 AM
Probably not the most secure approach, but I suspect you could, under "Site-to-site VPN" then, at the bottom, "site-to-site Firewall" set an allow rule for only the computer/client you want to be able to access the VPN resources then block everything else.
... View more
Apr 17 2022
8:42 PM
Two things: 1. Are you using the latest drivers straight from Intel? If not, might be worth a shot, to see if it makes a difference. 2. I assume you are using the Meraki Client VPN and not AnyConnect? Have you tried AnyConnect?
... View more
Apr 14 2022
12:40 PM
1 Kudo
Excellent. I'd have them check CPU usage, as clearly the replacement didn't solve the problem. I went through the same issue, they sent me a new unit, problem continued. I ended up noticing that the interface flaps were happening at the same time that AnyConnect was restarting. I changed the port and then the flaps stopped. When I pointed that out to support, they checked the CPU usage logs and saw that this coincided.
... View more
Apr 14 2022
12:34 PM
1 Kudo
Do you have any port forwards or anything exposed on the WAN side? I experienced this same issue (all the interfaces flapping) and in my case, it was the CPU spiking to 100%, which was causing a reset of the interfaces. In my case, it was AnyConnect that was getting hammered by bad actors, so I changed what port it was on, which solved the problem. Do you have a case open with support? They can check the CPU usage to see if that's the culprit.
... View more
Apr 14 2022
12:28 PM
1 Kudo
Site-to-site VPN or Client? As @ww noted, AutoVPN tends to work fine behind NAT/PAT for the most part. Obviously, if it is Client VPN, you'll need port forwards configured as the traffic will never hit the WAN interface of the MX otherwise. On your query about the smaller ISP, yes, if they obtain a block of routable public IP's and the firewall is able to use one of those, no port forwarding would be necessary.
... View more
Apr 8 2022
12:03 PM
Check the logs for "ethernet port carrier change" and see if it is just the WAN interface flapping or other ports too. This is what was happening on an MX84 I manage:
... View more
Apr 8 2022
11:57 AM
1 Kudo
Yes, that does indeed look disabled. See if the problem goes away with the new unit, if it doesn't, I'd investigate this angle more deeply. The flapping I experienced on an MX84 was all active interfaces and was related to AnyConnect getting hammered and not related to the device.
... View more
Apr 7 2022
12:00 PM
3 Kudos
The Aruba 2920 family also supports 802.3az, which is what is known to cause the flapping. Your ISP router may as well. See if you can disable it on the port that the MX is connected to.
... View more
Apr 5 2022
8:36 PM
1 Kudo
Yup, same here. I also used nslookup to run it against OpenDNS and it didn't block it either (I use CIRA on my home network).
... View more
Apr 5 2022
12:21 PM
No problem. As I posted above, both of those switches you are using definitely support 802.3az (EEE), so that's likely the problem. Anything from the Cisco 2960-S family doesn't: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-s-series-switches/data_sheet_c78-726680.html If you scroll down to standards, you'll see that 802.3az is not listed. Lots of them out there, I have a pile of them here.
... View more
Apr 5 2022
12:17 PM
Just checked the Netgear GS105 and it also supports EEE:
... View more
Apr 5 2022
12:14 PM
I just checked the SG110 and it supports EEE, so that may be your issue:
... View more
Apr 5 2022
12:06 PM
Do you have access to an older Cisco switch that for sure doesn't have EEE? I'm using a stack of 2960S's at a client and they definitely don't have it and they are rock solid.
... View more
Apr 4 2022
7:35 PM
I believe it's the same as whatever it was for the Meraki VPN client, so if that was 500, then that's what it is for AnyConnect.
... View more
Apr 4 2022
2:09 PM
A number of different connection types, one is wireless (cellular) but was previously on wireless P2P, others are cable and DSL. My 150 option is set to the tftp server I have running at the HO in this system which has the handset configs and phone firmware loads on it. One thing you might want to check is to ensure that there's no firewall rules blocking access from the remote subnets to your TFTP server.
... View more
Apr 4 2022
1:52 PM
2 Kudos
As long as you have your option 150 set properly in the DHCP server at the remote site, it should just "work", at least mine do.
... View more
Apr 4 2022
7:44 AM
OK, thank you. There are two things that will cause a flap: 1. 100% CPU spikes, but these, in my experience, flap all the active interfaces 2. Energy Efficient Ethernet being enabled on a non-Meraki switch or router. This is a known issue. What is the make/model of the switch you are using between the ISP and the MX?
... View more
Apr 3 2022
1:34 PM
When I had an MX84 hitting 100% and flapping the interfaces, it was all the interfaces that were active. If you are only seeing the WAN interface flap, I'd suspect it isn't a crash, as all should flap under a crash as well.
... View more
Apr 3 2022
10:49 AM
3 Kudos
There's a known issue with Energy Efficient Ethernet being enabled on a non-Meraki switch that will cause flapping.
... View more
Apr 3 2022
8:59 AM
If there was no route to your new IP, you'd have no internet on that device. Are these straight-up modems or is it possible that the device got reset and is now in modem/gateway mode? Even if the external routable IP didn't change in that scenario (Appliance Status -> WAN1 would still show the correct external IP) of course the MX would be unreachable, but could still get to the internet. What do you see under Appliance Status -> Uplink -> WAN1 ?
... View more
Apr 2 2022
10:21 AM
I had to get the CPU utilization figure from support. In my case, I had all active ports flapping, not just the WAN links, so if you are only seeing it on the WAN side I'd assume the issue isn't the same. Just figured I'd mention it.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 1082 | Apr 14 2022 12:28 PM | |
| 5853 | Apr 3 2022 10:49 AM | |
| 2923 | Mar 21 2022 3:24 PM | |
| 2732 | Jul 18 2021 8:54 PM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 6 | 907 | |
| 4 | 3652 | |
| 3 | 658 | |
| 3 | 3108 | |
| 3 | 5565 |
© 2024 Cisco Systems, Inc.
