What happens if you do not specify DNSSuffix? I've never had to do that for my clients, assuming I had DNS configured correctly on the MX Client VPN page. In full disclosure, my clients only ever have one local domain in their AD setup. ... View more

Could you share a sanitized version of your add-vpnconnection? What DNS settings do you have under Client VPN on your MX?   We set the internal DNS under the Client VPN screen in the MX, seen here with decorative black boxes and rando client VPN subnet:     Then I configure the VPN on the end user's device using a script that contains the following:   Add-VpnConnection - Name $ConnectionName - ServerAddress $ServerAddress - AllUserConnection - TunnelType L2tp - L2tpPsk $PresharedKey - AuthenticationMethod Pap - EncryptionLevel Optional - Force - WA SilentlyContinue   (Full scripts in GitHub.) ... View more

If you can resolve names correctly from the device and the error lingers for an hour or so, I wouldn't worry too much. I've had it take 90 minutes before. Same with bad gateway.   Like, device passed traffic fine! I could talk to it on the dashboard. It was cool. The error just didn't wanna clear. ... View more

That sounds like your request isn't correct. You could have the URI wrong, or be missing a portion of the header.   Here's a demonstration using the Postman environment from https://postman.meraki.com   When I call GET  {{baseUrl}} /organizations but don't include the key:value pair of "X-Cisco-Meraki-API-Key":{{X-Cisco-Meraki-API-Key}}, I'll get 404.    But if I ensure that my header includes that key:value pair (my API key), then I get a list of orgs that my API key works on. ... View more

Have you considered putting a DHCP reservation on the AppleTV? Or have you tried that already? ... View more

For Windows 7, yes.   For Windows 10, the Network Reset function will also reinstall your network drivers, above and beyond resetting tcp/ip and winsock.  ... View more

If you're using Windows 10, there's also a "Network Reset" function that condenses a number of NIC, TCP/IP and Winsock functions into a single utility. It will reset your NIC(s) to DHCP, so do be warned if you're using a static for some reason. ... View more

Two last things, @cwal21.    Have you run the Network Reset utility in Win10? If you have and it's still broken...   Have you uninstalled and reinstalled the WAN miniadapters? Usually, it's sufficient to only do the L2TP one.   Here's the instructions I gave my help desk:       1. As administrator, open Device Manager.       2. Under View, select Show Hidden Devices:       3. Under Network Adapters, find WAN Miniport (L2TP)       4. Right click and select Uninstall Device. If it asks to uninstall the DRIVERS, click no.         5. Reboot the computer. Windows should automatically reinstall the device.       6. Test the VPN again. ... View more

So you don't find any error codes in Event Viewer. It just dies off?   The "overlay" between the standard Windows 10 method (click on network connector by clock, click VPN, login) is pretty wonky and will not always pass correctly to rasphone. Rasphone's what's doing the dialing at the end of the day.   Suggestions:   Windows-R, run rasphone.exe. Find your saved VPN there. Try to connect with rasphone and see if it goes through.   If it does, you can make a rasphone.exe shortcut. Create a shortcut on your desktop, and set the target to: C:\WINDOWS\system32\rasphone.exe -d "VPN NAME"   If it doesn't connect, delete and re-create the VPN connection. I like the scripts I put above, especially if you want a split tunnel connection. Read the script comments before you run - it does more than create a saved VPN connection. By default, it'll make a rasphone shortcut on the desktop. ... View more

How did you deny internet access to vlan 3? Is it a set of permit statements for the associated subnet followed by a blanket deny for said subnet?    If so, then you'll need to add permit statements between the subnet for vlan 3 and your client VPN subnet. ... View more

So to confirm, your only source of AD is Azure AD? You do not have an on-premises AD that syncs to Azure? ... View more

What version of firmware are you running on the MX? There's a thread from earlier this year that discusses a way to work with support to get 15.x to support IKEv2. Most of the changes to it, it looks like you're going to have to work with Support. ... View more

Windows 10 is a problem that can be dealt with. I've got some PowerShell scripts that create a split tunnel by default, so long as you feed them the appropriate subnets. ... View more

I work at a VAR/MSP combo. We have dozens of clients with Meraki equipment.   Do you know how much time it saves us to not have to manually update software...? I'm getting ready to do Cisco equipment at a client, and it's taken me a couple hours just to verify existing firmware, get the new recommended firmware, transfer it to the client's network, and book an outage.   Meanwhile, updating all the MX to 14.x was about an hour of checking firmware and scheduling updates for 3am. ... View more

Sure can: https://dashboard.meraki.com/api_docs#reboot-a-device   I'd probably:   IF you have multiple orgs, pull a list of orgs Pull a list of networks for your org Pull a list of devices Check if a device is an MX If MX, add serial to list For device in list, send reboot command. 🙂   I've got some Python code snippets I can throw into a github if you're not sure how to execute this.   Edit: Or @BrechtSchamp can beat me to the punch after help desk interrupts me! ... View more

I've had success in the past with having support disable nat-t. It was between an ASA and an MX65, but I had a tunnel that just kept... dropping. Up and happy for a while, then boom splat unhappy remote site with no DNS.   After support disabled NAT-T, it has stayed up successfully for almost two months. I hope you get the same result! ... View more

I've set up similar for a client. In their case, they have wired clients hanging off an L3 switch as well as an AP.     Here, vlan1 gets cut off as soon as it hits the L3 switch on the far side. Far side uses vlan 15. There's one SSID shared between the two buildings, and I've got it set to L3 Roaming right now. It could be bridged but this client had reasons.   I need an L3 switch or a router on a stick so that I can a) remote manage my switch, and b) have both APs and wired clients on the far side.   Everything on the far side is on vlan15, with a dhcp helper setup to point DORA to her own pool on my AD DHCP server.  ... View more

Make sure you set the SSID firewall so that the guest wifi doesn't have access to your normal network. It can be easy to miss, even if you're following that doc. ... View more

@Cmiller No, I thought I'd just mention the scripts exist and not share...   I threw them up in a github repo: https://github.com/gammacapricorni/happy-meraki-client-vpn   They're mostly based on snippets I've found on the forums here, all mushed together to pro-actively avoid common problems that my help desk has run into. I taught myself PowerShell for these so... they may not be super well written, but they mostly work.   AddMerakiVPN.ps1 is designed for you to pre-populate it with VPN name, address, PSK, and any routes for a split tunnel. I believe it should be possible to apply via GPO, but I haven't been able to try that. The server folks are not as interested in VPNs as I am.   AddMerakiVPN_Prompts.ps1 is designed for my help desk to use when someone from any client calls in. They pull the VPN details from our documentation, answer the prompts, then delete the script when they're done. Allows us to update the info in one place, rather than maintaining scripts for dozens of clients. ... View more

I took a quick look at the NPS logs for a client of mine. Their requests also originate from a 6.0.0.0/8 IP address. I'd be willing to bet that this is due to communication with the Meraki cloud but I have no proof. ... View more

There's a doc for that!  https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps   and more generally on PCI compliance:   https://documentation.meraki.com/MR/Other_Topics/PCI_Compliance_with_Meraki     ... View more

If I understand the documentation correctly, you won't be able to move a switch without losing the config:   https://documentation.meraki.com/zGeneral_Administration/Inventory_and_Devices/Moving_Devices_Between_Networks   However, here's what you can do. Plan for an outage:   Use Postman to pull down as many settings as possible. Pay special attention to your switchports.   Save the resulting JSON in a folder.   Move the switch.   Upload those settings to your switch.   You could also get clever and write a script to pull your settings, move the switch, then update the moved switch with the settings. ... View more

My partner told me my water bottle got here today. I am not going to lie: I look very much forward to swanning around the office with it and making a specific coworker jealous.   Also, I really needed a new water bottle but kept dragging my feet on buying one. ... View more

I can confirm as well. I'm getting:   Lat lng address serial mac lanIP tags name model No network ID.   Perhaps @DexterLaBora can shed some light on this? ... View more