Meraki

Brash · ‎Jul 9 2025

😲 I must have missed those! They don't sound like kind bugs! The first one is the kind of thing you pull your hair out trying to diagnose. We've just moved to 17.2.1.1 at some pilot locations so we'll see how that goes... Was about to upgrade a critical site to 17.2.1.1 to investigate a separate multicast issue but hard nope on that now! I'll take the wait and see approach to this release.

Brash · ‎Jul 8 2025

One thing to note is that most vendors are phasing out L2TP VPN. AnyConnect is a far better and more secure experience. Additionally, Android no longer natively supports L2TP VPN since Android version 12.

Brash · ‎Jul 8 2025

As said above, AVB is not supported on Meraki managed catalyst switches as the feature is not available natively in the Meraki dashboard. My understanding is that it is supported on Catalyst switches in Meraki monitoring mode, or when standalone running IOS-XE.

Brash · ‎Jul 7 2025

As the NPS error indicates, this is due to the introduction of strong mapping for certificates. From memory, the actual change for this is with the update on the domain controller, not the NPS. You will need to look at implementing some sort of strong mapping for certificates and reissuing them. For anything domain joined, newly issued certificates will automatically have the strong mapping. Existing certificates need to be re-issued to have the strong mapping. For Intune SCEP certificates, you need to update your SCEP configuration and reissue certificates For anything else non-domain joined, you need to look at the applicable documentation for what option is best. KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support

Brash · ‎Jul 7 2025

No, the Meraki dashboard will occasionally automatically schedule upgrades. This more commonly occurs if device firmware hasn't been manually kept up-to-date. Network/Org Administrators will receive an email advising of the scheduled upgrade, and you can always reschedule or cancel it from the dashboard before it goes through.

Brash · ‎Jul 7 2025

The 'association' is via Enterprise Application. Meraki have created a template enterprise application called "Cisco Meraki Network Access" Deploying this into your tenant and giving admin consent means that when a user connects to your WiFi with the appropriate SSID configuration, an Entra login screen is shown. The user puts in their email - which will identify the corresponding MS domain/tenant for Meraki backend to connect to and send the auth information through to complete the auth process.

Brash · ‎Jul 7 2025

Try a non-passive twinnax cable if you've got one. My experience of passive twinnax is that they're more prone to CRC's. Other than that, try fiber which is generally more reliable - especially cross vendor.

Brash · ‎Jul 7 2025

As said above, you have essentially two options: - Create a separate SSID for your Playstations that has no splash page - Manually configure the client to bypass the splash page

Brash · ‎Jul 7 2025

What was the Windows version prior to deploying the cumulative updates? As @alemabrahao said, Microsoft introduced additional security measures with 802.1x certificates and NPS. This was introduced last year with an option to ignore but became mandatory earlier this year. Additionally, what are the NPS event logs showing? The error there should give some indication of where to look.

Brash · ‎Jul 3 2025

They are for different use cases. An MX in VPN concentrator mode isn't going to be providing NAT and firewall services for internet-based traffic. It's to terminate SD-WAN connections into a head office/datacentre

Brash · ‎Jul 3 2025

You can't block inbound connection attempts from specific countries to services hosted on the MX. As @cmr mentioned, you would need to sit the MX behind another device that can perform this function.

Brash · ‎Jul 3 2025

Summarizing what's been said above: - Applying L7 geo-blocking firewall rules should block connections to websites of those countries. - If you have any existing connections through the MX, you may need to wait for them to timeout (~5 minutes from memory) before they will be blocked. New connections should be blocked as soon as the MX receives the updated config from the dashboard (~30 seconds). - L7 geo-blocking firewall rules will not block inbound connections into DNAT rules.

Brash · ‎Jul 3 2025

As stated above, the client will attempt to reach the RADIUS server 3 times, each with a 2 second timeout. If there is no reply to these 3 attempts (6 seconds) it will failover to the next server. If the server replies however (as in your case), it is counted as online and therefore no failover will occur.

Brash · ‎Jul 1 2025

Huge congratulations to the community as a whole! Over 2,400 posts and 100 solutions are excellent stats. And Congratulations @DanD - enjoy the AP!

Brash · ‎Jun 30 2025

As stated above, your best bet is to contact support as they can provide more information. A couple of additional things you can do are: - Check the event logs in the Meraki dashboard to see if there's any relevant events for the MX around that time - Download a log dump from the local device admin page of the MX. Support can parse it to get more detail as to the reason for the crash.

Brash · ‎Jun 29 2025

Nice tidy setup. I'm always a big fan of rack mounted MX's. That kit must be pretty secure to be comfortable holding the MX on its side 😄

Brash · ‎Jun 11 2025

Keep it up everyone! Seeing lots of good quality posts.

Brash · ‎Jun 9 2025

You beat me to it 😄 That's a really good amount of points and some decent looking training.

Brash · ‎Jun 9 2025

To add to @BlakeRichardson 's comment, if the old dashboard and the new dashboard are running different versions, you will need to factor in upgrade time which could be up to 30 mins.

Brash · ‎Jun 5 2025

Congratulations everyone! Some really great posts this month! Keep it up! 👍

Brash · ‎Jun 5 2025

Nice! I'm really interested to know where all of the MS130-8 switches went. Were they all to provide PoE and connectivity to the AP's or was there another specific use case for requiring so many 8 port switches? Also, big fan of C9500-24Y4C and C9500-48Y4C switches. They're both very capable core switches.

Brash · ‎Jun 5 2025

I'm not usually a fan of comms racks being mounted against the ceiling, but that one looks like a really clean install. Nice job 👍

Brash · ‎Jun 3 2025

As @rhbirkelund mentioned, check which failback behaviour is configured. As a side note, if your network is assigned to a template, you won't see the explicit and dropdown to change and it will be hard set to graceful.

Brash · ‎Jun 2 2025

The only potential issue is it presents a security risk. Any of the clients on that VLAN will be able to send RADIUS requests to the NPS server which can allow for malicious actions.

Brash · ‎Jun 2 2025

Due to issues under investigation, MX75 and MX85 appliances may encounter unexpected device reboots. Didn't this one get a fix in 19.x? I'm surprised it didn't get backported.

About Brash

Brash

Community Record

Badges