Meraki

Nash · ‎May 29 2020

Do you have any content filtering enabled whatsoever? If you have content filtering enabled, if you look at the event log for the security appliance, do you see content filtering hits? If you see content filtering hits, what groups are they under? Are those groups things you want to continue blacklisting? I've seen the content filter get 'indigestion' and block things it shouldn't have before, but that's usually resolved with a reboot of the MX. If you've done a firmware rollback (from what to what?), then a reboot should have taken place.

Nash · ‎May 28 2020

If adding an additional IP for monitoring doesn't bring it up, you may also need to contact your ISP. Some ISPs will lock static IPs to mac addresses, and take forever to time it the arp table on their device. Unfortunately, using a laptop to troubleshoot can make that timeout process last even longer. Still a very good troubleshooting step!

Nash · ‎May 26 2020

I mean personally? Account recovery can be connected to, in USD, hundreds of thousands to millions of dollars in equipment. I personally have access to close to a couple million USD in equipment and license time. Prioritize safety of the big accounts over inconvenience to somebody with a few hundred bucks in trial equipment. Make it possible but hard. I can spoof a phone number very easily. Many of us get robo-calls on our cellphones with spoofed numbers.

Nash · ‎May 26 2020

Your dashboard account and your device aren't connected like that. Your dashboard account is an account like you'd have on any other web site. You need to look at method 2 on the recovery section here.

Nash · ‎May 23 2020

Hard agree with @MerakiDave about not doing it just to do it. Having done a conversion to PDL, I can tell you that it's very simple to do (and super unreversible). If you need to do PDL, Meraki's resources are great and you should find it pretty clear and easy.

Nash · ‎May 20 2020

@Adam2104 wrote: Regarding your rules not generating hits. Are you saying in the Dashboard? If so, I've found those counters to not be real-time. The logging option on the rule is your best bet. However, I assume that is probably rate-limited to avoid causing a DoS on your own equipment by trying to log too much info too fast. Even regular big Cisco IOS/IOS-XE routers have a logging rate and queue limit. Agreed that they don't seem remotely real-time. I use incrementing counters, after I'm sure I've hit save on my new rule, as a sign of life. Not any way to estimate traffic. If you don't hit save on your new rule, well, the counters don't always show up next to the rule they're actually incrementing on... Which is fine. It's a reminder to save my rules.

Nash · ‎May 19 2020

@MerakiDave wrote: To expand the wireless coverage, I would turn off the wireless on the MX-W and deploy a pair of APs. I would not recommend adding an AP to an MX-W network, that would give you a split wireless configuration, it would be like managing two separate wireless networks, one via the MX-W and the other on the AP, so better to simply use 2 APs. Yeeeep, I have clients who refuse to buy an additional AP, so 2/3 of their office is on actual APs, 1/3 is on the MX-W's SSID. Then they complain about bad performance when, say, walking around the office, because it's two wireless networks that they transition between. It's a bad scene! Either MX + APs, or if you have to, an MX-W. Not both.

Nash · ‎May 19 2020

If you've reached a point where you need a pair of firewalls, is there a specific reason why you wouldn't move to separate APs as well? From a performance aspect, I'd personally recommend separate AP(s) and disable SSIDs on the firewalls. The APs have much nicer wireless bells and whistles.

Nash · ‎May 18 2020

Go to the Site to Site page, and ensure that your client VPN subnet is participating in the site-to-site VPN. 🙂

Nash · ‎Apr 27 2020

I'm not asking for secret sauce. Looks like we cross-posted. I'd like the information more easily accessible. There's an entire document about PCI compliance for MR, for instance.

Nash · ‎Apr 27 2020

@MerakiDave @CameronMoody Could we get a formal KB article from Meraki explaining this aspect of AutoVPN, for handing to auditors who have questions? That blog article doesn't specifically mention Diffie-Hellman from what I can see, and the auditor check list usually asks about DH groups. Or some clarity could be added to this KB article, as AutoVPN is contrasted to the third party tunnels w/o mention of DH. Not stating anything about DH groups is not the same as an explanation of why DH groups are not needed for AutoVPN, when dealing with auditors. Thank you! Edit 9:58 CDT: I am now full of questions. Page 5 of the AutoVPN white paper specifically mentions DH groups. Which is it, please? And could this please be clarified in a KB article? I cannot easily hand a white paper to an auditor without them getting, as it were, annoyed. It's my job to minimally annoy my clients' auditors.

Nash · ‎Apr 17 2020

I'd be delighted to be wrong, but all I'm seeing is getNetworkMerakiAuthUsers (all users) and getNetworkMerakiAuthUser (one user at a time). Nothing to create users or delete them. Creating and updating via API would solve a problem for me, so long as one could authorize for client VPN... My boss would go for a widget that my helpdesk could use. My boss will not go for SAML, for reasons.

Nash · ‎Apr 3 2020

For 756, if your users are comfortable with command prompt, have them try: rasdial /disconnect If still 756, then yes, restart seems the simplest fix for end users. Otherwise they need to learn better habits and disconnect from the VPN when they're done for the day. Uh, regarding RADIUS, iirc it'll try the first server then failover if the first one doesn't respond. Do you have a specific reason to be concerned about load sharing? For routers, are you using an MX to route locally? You should use an L3 switch for that ideally.

Nash · ‎Apr 2 2020

Just here to bang the "follow the standards" drum too. Using the most specific path is so standard that I would not, frankly, ever expect to see a supernet given priority. Not even a special supernet like the one used for templates.

Nash · ‎Mar 31 2020

@S_Ruffell_SBS wrote: Thanks for your reply @CptnCrnch . I feared this may be the answer and suspect that the only way to get VPN clients registered in DNS on the Win server may be to change to forwarding DHCP requests for VPN clients to the Win svr DHCP server. Was hoping to avoid this for other config reasons. I don't believe you can change what acts as the DHCP server for VPN clients. See: ASA where AnyConnect has an ip pool that's defined on the device itself.

Nash · ‎Mar 31 2020

@ArteckMX wrote: Yes I know, they are always playing around, my dog run arround my cats and the three of theme stay calm when I start working. What kind of cat is your cat? The best answer I have is "big and grey". The below is from last week. She was sad because I kept working, instead of petting the very important cat belly.

Nash · ‎Mar 30 2020

Pets are lovely coworkers... when it's voluntary. I hope yours are handling the schedule disruption well. My cat can't decide if she wants to cling or vanish for the entire day. I think she's flipping a coin every morning.

Nash · ‎Mar 26 2020

Agree on collapsing MX and MS per physical site into the same combined network. Meraki recommends putting wireless into the same combined network for that physical location, due to some of the RF math they crunch behind the scenes. That's what my company has gone for. We push SSID changes thru the wonders of API. For moving your switches, keep in mind that they'll lose most settings. It's pretty easy to copy over basic switchport configs. I make no promises here but I used this script when I had to move L2 switches around. (Busy or I'd add better comments... sorry!) I remember it working fairly painlessly. You could grab the idea I used and make it into something that'll do more than one switch at a go. I was only moving four or five switches, so I didn't bother at the time. L3 interfaces, you'll have to recreate. But if these are stores, I'd be willing to bet you haven't got L3 switches everywhere.

Nash · ‎Mar 24 2020

@CGIbs Are your end users telling it to save credentials?

Nash · ‎Mar 23 2020

My office's practice is just remap as FQDN for clients that use the Meraki client VPN. The client VPN doesn't automatically along the DNS suffix. In Windows, you can also try adding a DNS suffix but honestly we just remap. It's too complicated to ask my help desk to set suffixes for 55-odd clients.

Nash · ‎Mar 22 2020

@Roger_Beurskens wrote: @Nash One customer is using your script as a base for their MS Intune always-on client vpn roll-out. The systems admin there just got it going as a full zero-touch rollout to their intune managed laptops. Including split tunneling. Working really great 😄 Thank you!! I'm so glad it helped.

Nash · ‎Mar 22 2020

@PhilipDAth wrote: I've got clients auto-deploying the VPN using group policy in Active Directory. Just create a group policy that runs a powershell script and put it in the scope of a group that you want to auto-deploy the settings to. Then never touch it again. Deploying via GPO would be my dream, but I can't get my systems folks to do that. I only just now got somebody to start trying to do it via RMM... and that's super fun, because he's got to figure out how to make ConnectWise Automate populate the required variables. Wish me luck.

Nash · ‎Mar 19 2020

Routes are persistent. You can absolutely add multiple routes. If you provide instructions, and your end users can follow instructions, you can give them this script if necessary. My partner works with low technical literacy insurance people, and they can all follow instructions to rebuild their VPN connection w a script. Just modify it to NOT be an AllUserConnection as per the comments in my script, so they don't need admin. His instructions include screenshots, but boil down to: Open PowerShell set-executionpolicy -scope process unrestricted -force cd [path to where script lives] ./script_name.ps1 Use desktop shortcut [VPN Name] to connect to VPN.

Nash · ‎Mar 19 2020

You have to touch each PC, but it's otherwise trivial. Create the VPN connection. Then: $ConnectName = 'Saved VPN Name' $Destination = '192.168.100.0/24' Set-VpnConnection -Name $ConnectionName -SplitTunneling $True -AllUserConnection -WA SilentlyContinue Add-Vpnconnectionroute -Connectionname $ConnectionName -AllUserConnection -DestinationPrefix $Destination Remove -AllUserConnection if it's NOT an -AllUserConnection. The scripts in my sig have this baked in. I do need to update the run-and-done to actually use an array. Figured out how to teach non-programming people how one populates an array, finally.

Nash · ‎Mar 18 2020

You're either going to need to have the ISPs port-forward 500/4500 to your Meraki device, or have them adjust their equip so the WAN IP is on your MX. AKA put it in bridge mode.

About Nash

Nash

Nash King

Community Record

Badges