3 weeks ago
What is the purpose or goal of the integration? Could you please elaborate more on this request?
Mar 25 2025
7:07 PM
5 Kudos
Hi everyone!

@RahulPrasadh, I recommend you read and understand this document before reading the other one @Mloraditch mentioned.

@RahulPrasadh, regarding local-ID: this is only available if the VPN is using IKEv2. It is optional, but if you don't specify it then the MX will send the "real IP" configured on that WAN interface.

Example: suppose your MX has two WAN uplink interfaces and each one is connected to an ISP router that does NAT, something like this:
-> WAN1 IP 192.168.0.11 (real IP) and public IP 11.0.0.11
-> WAN2 IP 172.16.0.22 (real IP) and public IP 22.0.0.22
-> VPN peer IP 3.3.3.3

In this example, if you don't configure local-ID then the MX will send 11.0.0.11 over WAN1 and 172.16.0.22 over WAN2 to the VPN peer when negotiating the IKEv2 tunnel. You can learn more about all the non-Meraki settings here.

On another topic, IPsec over VPN is a really cool feature! Thanks for bringing this up, @Mloraditch! This feature offers new network design opportunities and I was particularly waiting for it. I say this because I used to work with AWS before, and their VPN service always has two endpoints, so AWS used to generate a lot of emails warning customers that they didn't have redundancy configured. That was only frustrating and time wasting, since most customers already knew that, and they also knew they couldn't configure the redundant tunnel because their device didn't support it. As it used to be the case with Meraki. But not anymore! 😎

And linking to your comment, @Mloraditch, at the moment we can't bind the tunnels to specific WANs. What I mean is: this IPsec over VPN feature is designed to interconnect with non-Meraki VPNs; as such, non-Meraki VPN tunnels will obey the primary WAN preference. This behaviour is documented here. However, I believe we can have a VPN tunnel traffic engineering feature in the future if enough people make a feature request. To your point, @Mloraditch, this would allow VPN traffic to flow on a selected WAN.

I'm particularly excited by this possibility now that Meraki supports IPsec over VPN. In order to make VPN tunnel traffic engineering possible, first of all we would need the non-Meraki VPN to support active-active VPN load balancing so BGP sessions can exist within each WAN uplink. That would give us two egress interfaces. Next, since we would have two egress interfaces, we could fine-tune BGP settings to have a better local preference on a specific tunnel and also advertise certain subnets/prefixes with AS-path prepending to influence the return traffic to flow via the same tunnel. That would be so cool! 😎

Everyone can make a feature request by going to the bottom right corner of your Dashboard and sending the request through the "Give Feedback" bubble. Once you have sent your feature request using "Give Feedback", our internal team will process your suggestion and eventually you'll have your feature in the future. Keep in mind there will be no estimated time to implement your suggestion/feature.

Hope this information is useful. Feel free to post here anytime if you have further questions or concerns.
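Added example, not part of the post above and not Meraki code: a small Python model of the two-tunnel BGP traffic engineering the post describes (higher local preference on the preferred tunnel for egress, AS-path prepending on the backup tunnel so the peer returns traffic over the preferred one). The AS numbers, tunnel names and prefixes are constructed for the example, and the decision process is simplified to LOCAL_PREF, then AS_PATH length, then a stable tie-break; weight, MED and IGP cost are omitted.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    via: str                     # tunnel / BGP session the route was learned over
    as_path: Tuple[int, ...]     # leftmost AS is the most recently traversed one
    local_pref: int = 100        # BGP default when the attribute is not set


def best_path(candidates):
    """Simplified BGP decision process for one prefix:
    1. highest LOCAL_PREF
    2. shortest AS_PATH
    3. lowest tunnel name (stable tie-break standing in for MED / IGP / router-id)
    """
    prefixes = {r.prefix for r in candidates}
    if len(prefixes) != 1:
        raise ValueError(f"candidates must share one prefix, got {prefixes}")
    return min(candidates, key=lambda r: (-r.local_pref, len(r.as_path), r.via))


def advertise(prefix, via, own_as, prepend=0):
    """The route as the remote peer receives it after we advertise `prefix`
    over `via`: our AS is added once, plus `prepend` extra copies."""
    return Route(prefix, via, (own_as,) * (1 + prepend))


def engineer(local_as, remote_as, preferred, backup, lan_prefix, remote_prefix):
    """Return (egress tunnel we choose, tunnel the peer chooses for return traffic)."""
    # Egress: the same remote prefix is learned over both sessions. Raising
    # LOCAL_PREF on the preferred session makes our best path point there.
    learned = [
        Route(remote_prefix, preferred, (remote_as,), local_pref=200),
        Route(remote_prefix, backup, (remote_as,)),          # default LOCAL_PREF 100
    ]
    egress = best_path(learned).via

    # Return: our LAN prefix is advertised over both sessions, prepended on the
    # backup so the peer's shortest-AS_PATH rule selects the preferred tunnel.
    seen_by_peer = [
        advertise(lan_prefix, preferred, local_as),
        advertise(lan_prefix, backup, local_as, prepend=3),
    ]
    return_path = best_path(seen_by_peer).via
    return egress, return_path


if __name__ == "__main__":
    # Constructed values: private AS numbers, hypothetical tunnel names and prefixes.
    print(engineer(65000, 65100, "tunnel-wan1", "tunnel-wan2",
                   "192.168.10.0/24", "10.100.0.0/16"))
```

Without the local preference and the prepend, both tunnels carry identical attributes and the choice falls to the tie-break on each side independently, which is exactly the asymmetric flow the post wants to avoid.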
Mar 4 2025
5:20 AM
1 Kudo
If you notice, the shared link shows the new URL, which is: https://fde-nonceapi-b2b-prd-na-gkf3gmc8amfbckcy.a01.azurefd.net
For example: *fde-nonceapi-b2b-prd-na-gkf3gmc8amfbckcy.a01.azurefd.net/health
Here is the documentation for reference: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering
Allow 10-15 min to make sure the changes took effect. If the issue is still ongoing, change the policy for one of the affected clients to "allow list", as this will bypass all the Meraki rules; check the documentation below if you are unsure how to apply it, and scroll down to "Using client list": https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Blocking_and_Allowing_Clients
Wait 10-15 min and recheck if it works, then check the other applied policies in the network. If it is still the same, check the upstream devices.
Feb 27 2025
6:04 AM
6 Kudos
Although this is dated, it does show a Meraki and RingCentral setup for your consideration. https://assets.ringcentral.com/us/guide/meraki_mx64.pdf
Feb 13 2025
12:38 PM
https://docs.johnsoncontrols.com/bas/r/Facility-Explorer/en-US/Facility-Explorer-IP-Networks-for-BACnet/IP-Controllers-Configuration-Guide/Appendix-VPN-with-a-Cisco-Meraki-MX-security-appliance-configuration/Configuring-the-modem/router-into-bridge-mode
Jan 13 2025
8:03 AM
6 Kudos
@RahulPrasadh, do you have MXs or vMXs at each site, including the backup data centre? If so, and both data centres are set up as hubs, then you can simply set the backup DC as the secondary hub. If you want to use the same IP addresses etc. in both data centres, then there are more steps and alternate approaches.
Jan 8 2025
11:27 AM
4 Kudos
If you are referring to client VPN (users outside of your network connecting in), turn off client VPN on the MX. If you are talking about things like BitTorrent, use a layer 7 firewall rule. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_a_Layer_7_Firewall_Rule If you are talking about privacy VPNs, use content filtering and block these two:
Dec 6 2024
10:57 AM
2 Kudos
Hi @RahulPrasadh,

As @RaphaelL mentioned, pings should not be used to test whether a content filtering rule is working as intended, as content filtering does not apply to ICMP traffic.

That being said, if an allow-listed URL is still being blocked, then there are three likely possibilities:
1. The content filtering configuration is incorrect or insufficient.
2. Something else on the MX is blocking the traffic.
3. The traffic is blocked/dropped somewhere else, before or after the traffic is processed by the MX.

To determine which possibility is occurring, I would first recommend checking whether the traffic is in fact being blocked by content filtering. This can be done by navigating to Network-wide > Event log, filtering for the affected client, setting the appropriate time, and including the event type "Content filtering blocked URL". If you see entries for a URL that are related to the resource the client is attempting to reach, then ensure they have been properly added to the content filtering allow list. https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering/Content_Filtering_Troubleshooting#Allow_URL_list_patterns_are_not_being_allowed

If the traffic is not being blocked by content filtering, I would recommend checking any layer 3 and layer 7 firewall rules. If your MX is running version 18.2+, you can use the firewall logging tool to see in real time if any configured rules are matching traffic. https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Firewall_Logging
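Added example, not from either post and not Meraki code: a Python triage helper for the event-log check described in the post above, which also exercises the wildcard allow-list pattern style shown in the Mar 4 2025 post. It pulls "Content filtering blocked URL" events for one client out of a constructed log export and reports, for each blocked URL, which allow-list pattern should already cover it (pointing at pattern syntax or propagation delay) or that no pattern covers it (the URL still has to be added). The log line format is a constructed approximation of an event-log export, and the pattern semantics (scheme-less prefix match, with "*" matching any run of characters) are a simplification assumed for this example rather than the documented MX rules; check the linked troubleshooting article for the real matching behaviour.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample lines, loosely modelled on an export of
# Network-wide > Event log.  Not a real Meraki log format.
EVENT_LOG = """\
Dec 6 10:41:02 client=aa:bb:cc:dd:ee:01 type="Content filtering blocked URL" url=https://cdn.vendor.example/app/main.js
Dec 6 10:41:05 client=aa:bb:cc:dd:ee:01 type="Content filtering blocked URL" url=http://tracker.example/p?id=7
Dec 6 10:41:07 client=aa:bb:cc:dd:ee:02 type="DHCP lease" ip=10.0.1.22
Dec 6 10:41:09 client=aa:bb:cc:dd:ee:01 type="Content filtering blocked URL" url=https://portal.vendor.example/login
Dec 6 10:41:11 client=aa:bb:cc:dd:ee:02 type="Content filtering blocked URL" url=https://tracker.example/x
"""

LINE_RE = re.compile(
    r'client=(?P<client>\S+)\s+type="(?P<type>[^"]+)"(?:\s+url=(?P<url>\S+))?')

BLOCK_EVENT = "Content filtering blocked URL"


def blocked_urls(log_text, client):
    """URLs from 'Content filtering blocked URL' events for one client, in log order."""
    urls = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["client"] == client and m["type"] == BLOCK_EVENT and m["url"]:
            urls.append(m["url"])
    return urls


def normalize(url_or_pattern):
    """Drop the scheme and lowercase the host so one pattern covers http and https."""
    s = url_or_pattern
    if "://" in s:
        parts = urlsplit(s)
        s = parts.netloc.lower() + parts.path
        if parts.query:
            s += "?" + parts.query
    else:
        host, sep, rest = s.partition("/")
        s = host.lower() + sep + rest
    return s


def allowed_by(url, allow_list):
    """First allow-list pattern covering `url`, or None.

    Assumed semantics (this example's simplification, not the documented MX
    rules): the pattern must match the start of the scheme-less URL, and a
    '*' in the pattern matches any run of characters."""
    u = normalize(url)
    for pattern in allow_list:
        if fnmatchcase(u, normalize(pattern) + "*"):
            return pattern
    return None


def triage(log_text, client, allow_list):
    """(url, covering pattern or None) for every blocked URL seen for `client`.

    A covering pattern means the entry exists but is not taking effect yet
    (check syntax, wait for propagation); None means it is not on the list."""
    return [(u, allowed_by(u, allow_list)) for u in blocked_urls(log_text, client)]


if __name__ == "__main__":
    for url, pattern in triage(EVENT_LOG, "aa:bb:cc:dd:ee:01", ["*.vendor.example"]):
        print(f"{url}: {'covered by ' + pattern if pattern else 'not on allow list'}")
```

Run it against your own export after filtering the event log to the affected client; a URL that comes back as covered while still being blocked is the case the linked troubleshooting article addresses, and a URL that comes back uncovered is simply missing from the allow list.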
Nov 5 2024
6:39 AM
Yes, that should also work. There is more than one way to achieve your goal.
Nov 4 2024
7:36 PM
4 Kudos
Re-reading the rules in your image, @BlakeRichardson has a point: the last rule is an allow any-any, so the rules above it shouldn't matter. Check downstream: any other network devices, Windows firewalls, etc.
Oct 28 2024
1:00 PM
3 Kudos
https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_MX
Oct 28 2024
9:29 AM
Are you sure you really want to do it based upon VLAN? Any QoS plan should ideally take into account not just the relative importance of the traffic, but also how things like latency, jitter and packet loss affect the application. It's often the case that the applications that really need QoS wouldn't necessarily be characterised as the most important. It's also commonly the case that there's a real mixture of time-sensitive applications and applications with different levels of business criticality running over the same VLAN.
Oct 22 2024
10:19 AM
Hi @RahulPrasadh, Yes, that should do it. You can also add custom expressions for a more specific set of IPs or subnets.
Oct 17 2024
1:00 PM
2 Kudos
Increase the splash page frequency. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Splash_Page_Frequency
Oct 9 2024
7:44 AM
3 Kudos
Cellular firewall rules and an NFO on the back end to treat WAN 2 as cellular will help with this; please reach out to support. Not necessarily BW prioritization, more firewalling of traffic you don't want over cellular to free up bandwidth for the applications that need it, i.e. no guest Wi-Fi VLAN permitted when on cellular.
Oct 3 2024
11:08 AM
1 Kudo
Try the latest stable firmware and reboot the switch. If it is still not working, contact support.
Oct 1 2024
2:46 PM
1 Kudo
Maybe using port forwarding, 1:1 NAT rules, or NAT exceptions could be a way around it. Just gotta make sure you've got the right network setup and routing config.
Aug 21 2024
11:36 PM
Normally, if you configured AnyConnect on your MX using the certificate provided by Meraki, make sure you connect using the dynamic-m URL and NOT the IP address. The autogenerated certificate uses the dynamic-m name as CN, and that cert should be trusted by most OSes.
Jul 31 2024
5:39 AM
1 Kudo
https://software.cisco.com/download/home/286330811/type/282364313/release/5.1.4.74
Apr 11 2024
8:51 AM
4 Kudos
Enable AutoVPN. https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshooting
Mar 25 2024
2:05 PM
3 Kudos
https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Configuring_MX_for_Client_VPN
Mar 21 2024
7:31 AM
1 Kudo
Create the group policy allowing it and set it only for this user. Creating a group policy does not mean that it will be applied immediately; you need to apply it to the user or to a VLAN. See the documentation.