Probably not the most secure approach, but I suspect you could, under "Site-to-site VPN" then, at the bottom, "site-to-site Firewall" set an allow rule for only the computer/client you want to be able to access the VPN resources then block everything else.
Two things:
1. Are you using the latest drivers straight from Intel? If not, might be worth a shot, to see if it makes a difference.
2. I assume you are using the Meraki Client VPN and not AnyConnect? Have you tried AnyConnect?
Excellent. I'd have them check CPU usage, as clearly the replacement didn't solve the problem. I went through the same issue, they sent me a new unit, problem continued. I ended up noticing that the interface flaps were happening at the same time that AnyConnect was restarting. I changed the port and then the flaps stopped. When I pointed that out to support, they checked the CPU usage logs and saw that this coincided.
Do you have any port forwards or anything exposed on the WAN side? I experienced this same issue (all the interfaces flapping) and in my case, it was the CPU spiking to 100%, which was causing a reset of the interfaces. In my case, it was AnyConnect that was getting hammered by bad actors, so I changed what port it was on, which solved the problem. Do you have a case open with support? They can check the CPU usage to see if that's the culprit.
Site-to-site VPN or Client? As @ww noted, AutoVPN tends to work fine behind NAT/PAT for the most part. Obviously, if it is Client VPN, you'll need port forwards configured as the traffic will never hit the WAN interface of the MX otherwise. On your query about the smaller ISP, yes, if they obtain a block of routable public IPs and the firewall is able to use one of those, no port forwarding would be necessary.
Check the logs for "ethernet port carrier change" and see if it is just the WAN interface flapping or other ports too. This is what was happening on an MX84 I manage:
Yes, that does indeed look disabled. See if the problem goes away with the new unit, if it doesn't, I'd investigate this angle more deeply. The flapping I experienced on an MX84 was all active interfaces and was related to AnyConnect getting hammered and not related to the device.
The Aruba 2920 family also supports 802.3az, which is what is known to cause the flapping. Your ISP router may as well. See if you can disable it on the port that the MX is connected to.
No problem. As I posted above, both of those switches you are using definitely support 802.3az (EEE), so that's likely the problem. Anything from the Cisco 2960-S family doesn't: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-s-series-switches/data_sheet_c78-726680.html If you scroll down to standards, you'll see that 802.3az is not listed. Lots of them out there, I have a pile of them here.
Do you have access to an older Cisco switch that for sure doesn't have EEE? I'm using a stack of 2960S's at a client and they definitely don't have it and they are rock solid.
A number of different connection types, one is wireless (cellular) but was previously on wireless P2P, others are cable and DSL. My 150 option is set to the TFTP server I have running at the HO in this system which has the handset configs and phone firmware loads on it. One thing you might want to check is to ensure that there are no firewall rules blocking access from the remote subnets to your TFTP server.
OK, thank you. There are two things that will cause a flap:
1. 100% CPU spikes, but these, in my experience, flap all the active interfaces
2. Energy Efficient Ethernet being enabled on a non-Meraki switch or router. This is a known issue.
What is the make/model of the switch you are using between the ISP and the MX?
When I had an MX84 hitting 100% and flapping the interfaces, it was all the interfaces that were active. If you are only seeing the WAN interface flap, I'd suspect it isn't a crash, as all should flap under a crash as well.
If there was no route to your new IP, you'd have no internet on that device. Are these straight-up modems or is it possible that the device got reset and is now in modem/gateway mode? Even if the external routable IP didn't change in that scenario (Appliance Status -> WAN1 would still show the correct external IP) of course the MX would be unreachable, but could still get to the internet. What do you see under Appliance Status -> Uplink -> WAN1 ?
I had to get the CPU utilization figure from support. In my case, I had all active ports flapping, not just the WAN links, so if you are only seeing it on the WAN side I'd assume the issue isn't the same. Just figured I'd mention it.