Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About Ramtech
Community Record
11
Posts
1
Kudos
1
Solution
Badges
Jun 23 2022
11:00 PM
So after speaking to Meraki Support, I now know the following. It is expected behaviour. The MX maintains maps of flows for a minimum of 5 minutes to facilitate what the support rep described as graceful failover. ANY flow that the MX sees that it has a map for (e.g. any flow in the last 5 minutes) it will hold that flow to the previous map indefinitely. So if the MX fails over to the WAN2 it will disrupt traffic and force the traffic to use WAN2. Expected. When the MX switches back to primary, it still sees any flows in it's maintained maps until there is no flow from that Src, to that Dst for > 5 Minutes. (Seems ridiculous to me) So this means it will stay using the failover WAN forever if there is a lot of flows from that Src to that Dst. There is apparently a back end (Meraki Engineer only) way to change this, BUT... You must have the MX on a dedicated MX network, not a combined network, AND you must be running v17.x firmware, which at time of writing is not a stable release. This seems quite ludicrous to me. Why would you want the flow to remain on the secondary WAN (in a non-load-balanced network), after switching back to primary. I can understand you wanting that TCP session to finish to avoid interruption, but not the entire flow. so a 5-10 second window I could understand for smooth transition between WANs, but not 5 minutes. Anyway, that is what I have been told. Hope that helps someone else that runs foul of this.
... View more
Jun 23 2022
9:45 PM
Yeah it's weird. But have confirmed it in several of our environments. So it seems to be systemic. Still waiting (gosh the meraki support is slow in responding) for any response other than acknowledgement of receipt).
... View more
Jun 23 2022
9:06 PM
Hi Ajit. Firmware is latest firmware on all devices. As I mentioned in the OP, I am not using (and do not want to use because of the other issues it creates), Load Balancing, Active-Active AutoVPN, or flows. I also specifically do not want to use them. The problem is exactly as described in OP. When the MX fails over, and then later switches back to primary, the MS & MR and all connected devices to them, do not follow. They remain on the WAN 2 IP for a considerable period afterwards. Normally in the order of 1 day. This is the behavior I am trying to rectify. I have replicated the same behavior on other tenancies and other networks also. It seems to be an issue with the Meraki's uniquely for some reason I am un aware of. Ross
... View more
Jun 23 2022
7:11 PM
Hi all, We have annoying problem at the moment. Brief intro of the config is MX with 2 WAN ports not using Load Balancing or Active Active Auto-VPN. Primary Uplink is W1. An MS attached to the MX (No SVIs) and an MR attached to the MX also (No SVIs). Our problem is, when the MX Fails over to the W2 after a failure of W1, the Public IP of the MS and the MR (and hence the Src address of all attached devices), stay as the W2 IP for many hours (or days) after the MX has switched back to the Primary W1 address. All traffic from devices attached to the MS or MR is seen as coming from the W2 address until this updates. If I boot the MS or MR they update and all is well. But this is cumbersome. The problem this causes is for SIP traffic, we are getting Unidirectional RTP (and hence unidirectional Audio) until they update. How can I get the MS and MR to update their public IP (and hence, all devices src addresses) to the active MX WAN interface immediately, or at least within minutes? Thanks in anticipation. Ross.
... View more
Jul 15 2019
9:16 PM
Thanks Philip. I might have a play with the custom solution as well though, as I know it has some known malicious URI/URLs in it that I can get to from behind the MX even in "Security" mode. If I can automate that being updated, I will sleep a little better... Thank you very much for the heads up, and links though. It's greatly appreciated.
... View more
Jul 15 2019
8:49 PM
Hi Philip. Thanks for the response. The honest answer is no I didn't. I do run them in IPS Balanced mode, but didn;t realise that that also had a URL blocking component. I understood it blocked Malware from many sources. Where can I see the URL blocklist contents do you know?
... View more
Jul 15 2019
4:52 PM
1 Kudo
Greatly appreciated Racer! I figured as much, but the heads up you've given there is awesome. Particularly including the specific call. Out of curiosity, have you done this or has anyone else done this this way? My python skills are average at best... ¯\_(ツ)_/¯
... View more
Jul 15 2019
4:38 PM
I would like to incorporate a daily threat intelligence URL Black list feed into our Meraki appliances. We are using MX 65/67/68/84/100s all with Advanced Security Licenses. The feed comes as a txt file with URL per line. I can easily reformat this though if that is an issue. Is there a way to do this without cutting and pasting to our MX Appliances on a daily basis? Thanks Ross.
... View more
Aug 29 2018
4:37 PM
I have exactly the same issue as CiscoFan1. VLAN policies are not applied to clients on that VLAN. If that is the case. What are they applied to? I want all devices assigned to the VLAN to get the policy assigned to that VLAN, but this does not seem to happen. Any suggestions as to how to end up with all devices assigned to a particular VLAN get that VLAN's GP?
... View more
Aug 15 2018
10:55 PM
Do you have 2 x WAN Connections in the MX with load balancing disabled (fail-over mode)? If so do you have the Fortinet setup to have a tunnel to both (for redundancy and fail-over)? If so this is your issue. The Primary will be up and happy, the fail-over will keep failing until such a time as it fails over to the second WAN. We have the same issue and it is very ugly unfortunately, but I can't find a work around. Everything works fine, but the logs fill up with negotiation failures as it can't have 2 SPIs with the same routes on them (for obvious reasons). Let me know if this helps and is your issue. TAC could help you here also.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 2247 | Jun 23 2022 11:00 PM |
© 2024 Cisco Systems, Inc.
