Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout JamesHammy
JamesHammy
Here to help
Member since Feb 24, 2025
yesterday
Community Record
13
Posts
7
Kudos
0
Solutions
Badges
yesterday
2 Kudos
Ok, quick update. When configuring an IP-based Local internet breakout, we can see from the packet capture that the traffic does indeed move from the Secure Connect VPN tunnel to the local WAN1 break-out, which is good. The connection still fails though. Argh!
... View more
yesterday
1 Kudo
Oh, we've had right issues in the past with HTTPS inspection so have had to avoid it, so that at least rules that one out. Thanks though!
... View more
Thursday
Funnily enough, Wireshark from the workstation was going to be the first call of the day this morning. Is there a packet capture function on the MX itself? The team haven’t come across that one before. thanks for the reply!
... View more
Thursday
Hi all, We have recently implemented the Meraki/Cisco Secure Connect SD-WAN solution and have all of our MX devices now connected to each other via the Secure Connect VPN feature along with Umbrella and the cloud-based internet break-out. This gives us a nice centralised internet solution whether in or out of the office. Whilst it works relatively well, there seems to be absolutely no useful tools for analysing the outbound internet-based traffic and whether something is blocking certain apps/processes. We can see from the Umbrella DNS/firewall/web logs that calls to a certain URL/domain are being 'Allowed' and that nothing is being logged as blocked. We have a third party installed application that communicates to a cloud-based Postgres SQL instance and we simply cannot get it work work via Secure Connect. Nothing is showing as being blocked and only 'Allowed' entries in the log, all of which relate to the app. If I only have a URL/domain, how on earth can I get the Secure Connect firewall to just allow the traffic, or even see why it's being clearly being blocked but not logged? I cannot use the MX's 'Local internet breakout' feature to resolve this particular situation because the cloud service the app connects to has some kind of load balancing in front of it and the IPs change on an almost minutely basis. They're also on massive subnets so excluding them all would be madness. Plus, we've added IP after IP and never managed to get it work even once. The MX does have a feature to exclude a URL/DNS entry but it does not work and I suspect that may be because we use the Umbrella agent for DNS protection on our endpoints? Meaning the DNS query would never hit the MX? We also provide remote connectivity for our users using the Secure Client (AnyConnect component) to the same Secure Connect instance and had the same problem while out and about. We have resolved the situation while working remotely by excluding the URL/DNS domain from the client VPN tunnel, via the basic config settings, and this works perfectly. Any ideas why we can't do the same from traffic originating from our office-based MX devices?
... View more
Labels:
- Labels:
-
Auto VPN
-
Client VPN
-
Firewall
Jun 16 2025
12:04 AM
4 Kudos
Thanks a lot folks. I did read the article about transferring ownership of devices between organisations but wasn’t sure on the warranty piece and Meraki’s licensing model. I’m thinking that having a spare or two might be the order of the day, if I decide to progress!
... View more
Jun 15 2025
11:54 AM
I am thinking of purchasing some second hand legitimately owned switches (which have been unclaimed) but wonder what the situation is with ongoing warranty/support if I simply purchase the associated licensing. Does the license cover the physical support/failure of switches? My existing is estate is currently 100% purchased by our business, from new so don't want to be left in a position where a physical problem leaves us in the cold. Thanks in advance!
... View more
Labels:
- Labels:
-
Other
Apr 30 2025
3:51 AM
Ah, I didn't appreciate this is for MX-based VPN connectivity, as opposed to the Secure Connect-based connectivity. Meraki support have replied and It's apparently not a feature within the cloud solution and there are no plans to introduce it (which is total and utter insanity, given the terrible user experience it introduces).
... View more
Apr 30 2025
3:14 AM
If this works then it's legendary. We're about to start a pilot, and ultimate full roll-out, of the full Secure Connect (SD-WAN sites and remote VPN) and having to authenticate at every login would be a massive step back for us. I've logged a ticket with Meraki support and will feedback if it works.
... View more
Mar 4 2025
5:48 AM
All working ok for you? We've not even onboarded SCEPman yet so we're still using on-premise Microsoft Root CA with NPS and GPO settings to deploy wifi securely. Just like everyone else though, we're looking to offload as much as possible to O365/InTune to remove dependency on on-premise.
... View more
Mar 4 2025
3:16 AM
I'm pretty sure it's as simple as setting up SCEPman following their decent documentation. After that, you can simply enable the 'RADIUS local auth' option, choose certificate based authentication, tick a couple more boxes and then upload SCEPman's Root CA certificate in PEM format. Then configure your endpoints to connect to that wifi network using certificate-based authentication. @GIdenJoe 's setup is more comprehensive as it also uses a cloud-based RADIUS service that you could use for a load of other stuff but what I've suggested is very simple and apparently works well for simple and secure wifi access. I will be looking to implement something similar before long, so I can retire our internal NPS server.
... View more
Feb 24 2025
8:59 AM
Hmm, that's not great news. Thanks though! I guess that's the tack we will have to take then. Don't over-promise and under-deliver, and all that... Our challenge is that our outgoing VPN uses a built-in browser that does save credentials and behaves exactly like it would if it authenticated via native Chrome/Edge so we're being forced to take a step backwards in terms of user experience.
... View more
Feb 24 2025
4:01 AM
I'd be interested to see if you made any progress with this? We are just embarking on a Meraki Cisco Secure Connect+ SD-WAN environment, connecting multiple MX devices at our sites and the lack of token/caching on the WebView2 embedded browser creates a poot user experience as they have to explicitly login every single time. If it used their default browser (Chrome/Edge), it would log them straight in without any input. FYI, even with the embedded/WebView2 browser, SSO and passkeys (Windows Hello with PIN/Face/Fingerprint) work just fine. It's still annoying that the seamless SSO doesn't work though. I can't see anywhere to alter which browser the Secure Client uses... I'm guessing the Meraki environment is a little more stripped down.
... View more
My Top Kudoed Posts
© 2025 Cisco Systems, Inc.
