Meraki

Community
  • About rsage_voda

About rsage_voda

API Query parameter handling

by in Developers & APIs
3 weeks ago
3 weeks ago
I am attempting to write a script to pull events associated with non-meraki-vpns import requests def getNetworkAlerts(headers, networkId, startDate, endDate): # Define the URL url = (f"https://api.meraki.com/api/v1/networks/{networkId}/events") params = { "productType": "appliance", "includedEventTypes[]": "non_meraki_vpn", "startingAfter":startDate, "endingBefore":endDate } # what is actually being sent to meraki dashboard req = requests.Request('GET', url, headers=headers, params=params) prepared_request = req.prepare() print(f'The full url to be sent is: {prepared_request.url}') # Below in red is what requests builds. https://api.meraki.com/api/v1/networks/L_3895050727722058407/events?productType=appliance&includedEventTypes%5B%5D=non_meraki_vpn&startingAfter=2025-08-30+13%3A38%3A05.459567&endingBefore=2025-08-30+14%3A38%3A05.459567   # Send the GET request response = requests.get(url, headers=headers, params=params) status code 400 However, if I build the url manually and don't use the keyword params url = (f"https://api.meraki.com/api/v1/networks/{networkId}/events?productType=appliacnce&includeEventTypes[]=non_meraki_vpn&startingAfter=2025-08-30 13:52:56.146621&endingBefore=2025-08-30 14:52:56.146621') I don't get the error. But I can't encode varaiables directly into the url. Research suggests you do this by using the keyword params in the requests library Any more experienced coders out there got any advice please.     ... View more

GET networks/{networkId}/events?productType=appliance&includedEventTypes[]=...

by in Developers & APIs
3 weeks ago
3 weeks ago
I am having issue with the above call. If I only add the query param productType=appliance then I get the event log returned. If I add the second parameter includedEventTypes[]=eventType where eventType is a string based on the previously captured output eventType="non_meraki_vpn" or "Non-Meraki VPN negotiation" it returns no events found despite the event log clearly showing events. without the attempted filter the api returns 'type': 'non_meraki_vpn', 'description': 'Non-Meraki VPN. negotiation'   the API doc states  Any suggestions gratefully received. ... View more

Controlling subnets and non-merkai VPNs.

by in Security & SD-WAN
‎Aug 19 2025 6:44 AM
‎Aug 19 2025 6:44 AM
I have an organization with some 20 sites. All sites partake in the auto-auto site to site vpn for their Corporate subnets. I also have two non-Meraki VPNs one to Azure and one to a specialist 3rd Party from a single site. The Corporate subnets need to access Azure. I have a standalone subnet that needs is used to communicate with the specialist 3rd Party VPN.  Sporadically the 3rd Party is reporting that they are seeing traffic coming from one of the Corporate subnets. Of which there are 5 enabled for VPN.  Raised case with Meraki and there advice was to disable the VPN which isn't an option Are VPN Outbound FW rules the only way to control what traffic goes down what VPN? ... View more
Labels:

Re: Association Failure

by in Wireless
‎Aug 15 2025 12:17 AM
‎Aug 15 2025 12:17 AM
Cisco Meraki Case 13390694: 802.11 Association Error Code 30 ... View more

Re: Association Failure

by in Wireless
‎Aug 14 2025 9:04 AM
2 Kudos
‎Aug 14 2025 9:04 AM
2 Kudos
Its set for PSK  - I raised a case with Meraki and the error code 30 is related to 802.11w Protected Management Frames. Further investigation identified a single WAP which since reboot the problems haven't been reported. ... View more

Association Failure

by in Wireless
‎Aug 13 2025 6:16 AM
‎Aug 13 2025 6:16 AM
I have users complaining and I am seeing association failures  Failed to associate -  auth_mode='wpa2-psk' 11k='1' 11v='1' error_code='30' radio='1' vap='0' channel='104' rssi='40'  I found this link  https://community.cisco.com/t5/wireless-mobility-knowledge-base/802-11-association-status-802-11-deauth-reason-codes/ta-p/3148055/page/2  Which states error-codes 27-31 are reserved and not supported. Has anyone got any more information? ... View more
Labels:

Re: Cisco 8000 Series Routers and Meraki Compatibility

by in Security & SD-WAN
‎Aug 12 2025 8:11 AM
3 Kudos
‎Aug 12 2025 8:11 AM
3 Kudos
Just came off a call with Meraki TAC about our max'd out MX450's and they hinted at a November 2025 launch for a Meraki cloud managed 8000 secure router, as possible longer term fix to our issue. Nothing in stone. ... View more

Re: Uk regulatory domain 5725-5850 band C (Unii-3) and Ofcom license

by in Wireless
‎Aug 12 2025 1:22 AM
1 Kudo
‎Aug 12 2025 1:22 AM
1 Kudo
Further to my earlier email here is the link to the form to apply for 5.8GHz Band C License https://www.ofcom.org.uk/siteassets/resources/documents/manage-your-licence/fixed-wireless-access/5.8_app_form.pdf?v=333841  ... View more

Re: Uk regulatory domain 5725-5850 band C (Unii-3) and Ofcom license

by in Wireless
‎Aug 11 2025 6:31 AM
2 Kudos
‎Aug 11 2025 6:31 AM
2 Kudos
Hi my organisation has a license on the Ofcom Portal for Band C Fixed Wireless Access as we deploy CURWB at a number of large construction sites around the UK to act as bridges between Meraki networks. We have to register the CURWBs on the Ofcom portal. ... View more

Re: obtaining MX memory utilisation by API

by in Developers & APIs
‎Aug 7 2025 11:43 PM
‎Aug 7 2025 11:43 PM
 It would appear to be a postman issue. Works fine in Python. Many thanks ... View more

NULL route on MX

by in Security & SD-WAN
‎Aug 5 2025 12:06 AM
‎Aug 5 2025 12:06 AM
Is it possible to configure a NULL route on a MX to prevent routing Loops.   I have a site with a /14 supernet from which smaller subnet are used for the various services supplied at site. There is a static route 10/8 to the MPLS network. The customer is running a Tenable scanner in Azure via the MPLS across all subnets in the /14 which is resulting in routing loops. To stop this I want to add a static route to a null interface for the \14.   If I add a static route for the /14 with the next hop 0.0.0.0 the dashboard throws an error that the address 0.0.0.0 is not on a configured interface. ... View more
Labels:

Re: Is there an API to pull the concurrent session information for an MX

by in Developers & APIs
‎Aug 4 2025 10:48 AM
‎Aug 4 2025 10:48 AM
Meraki really need to add this to the API. I have a high profile site where they are close to maxing out a pair of MX450's we really need to see the number of sessions ... View more

Re: obtaining MX memory utilisation by API

by in Developers & APIs
‎Aug 2 2025 6:15 AM
‎Aug 2 2025 6:15 AM
Hi thanks for the response. That is the API call I am using but when I use in Postman as you can seen in the screenshot Postman throws an error. I will try it in Python.   ... View more

obtaining MX memory utilisation by API

by in Developers & APIs
‎Aug 1 2025 9:21 AM
‎Aug 1 2025 9:21 AM
I am trying to obtain the memory utilisation for a MX450 using the organizations/{organizationId}/devices/system/memory/usage/history/byInterval with a Query parameter of the device serial number. Doing this in postman doesn't appear to work. According to documentation the parameter is "serials" but Postman won't accept this. If I put the Key = serial and VALUE = <serial number> then the request works but it ignores the query entirely ... View more

Strange message in Event Log

by in Switching
‎Jul 29 2025 5:28 AM
‎Jul 29 2025 5:28 AM
  Has anyone seen this before? It doesn't show in change log. There hasn't been a firmware upgrade. ... View more
Labels:

Re: Model for a serial number starting Q3AT

by in Wireless
‎Jul 17 2025 12:07 AM
‎Jul 17 2025 12:07 AM
That was the conclusion that I have come to. I do find it weird that Meraki don't provide a list of models and their identifying serial identifier ... View more

Model for a serial number starting Q3AT

by in Wireless
‎Jul 15 2025 6:24 AM
‎Jul 15 2025 6:24 AM
Hi does anyone know what model of Meraki device has serial number beginning Q3AT- xxxx-xxxx I have 6 on a spreadsheet that don't show up on my dashboard. We use MR42, MR44, MR76 so it isn't one of those. ... View more

Re: Move MG52 to another network

by in Cellular Gateways
‎Jul 1 2025 2:55 AM
‎Jul 1 2025 2:55 AM
Hi what has been your experience of the MG52. Considering it for a customer project. ... View more

Re: Cisco ISR4000 to Meraki IPSEC tunnel

by in Security & SD-WAN
‎Jun 24 2025 6:20 AM
5 Kudos
‎Jun 24 2025 6:20 AM
5 Kudos
Hi thank you all for the assist. I have now got this working. For information I have provided the Meraki configuration.    Topology Cisco Config crypto ikev2 proposal IKEv2_PROPOSAL  encryption aes-cbc-256  integrity sha256  group 14 ! crypto ikev2 policy IKEv2_POLICY  match address local 192.168.0.129  proposal IKEv2_PROPOSAL ! crypto ikev2 keyring IKEv2_KEYRING  peer PEER1   address 195.89.xxx.xxx   pre-shared-key XXXXXXXXXXXXX  ! ! ! crypto ikev2 profile IKEv2_PROFILE  match identity remote address 195.89.xxx.xxx 255.255.255.255  identity local address 192.168.0.129  authentication remote pre-share key XXXXXXXXXXXXXXXX  authentication local pre-share  keyring local IKEv2_KEYRING  lifetime 28800  nat force-encap   crypto ipsec transform-set IPSEC_TRANSFORM_SET esp-aes 256 esp-sha256-hmac  mode tunnel ! ! ! crypto map MERAKI 10 ipsec-isakmp  set peer 195.89.xxx.xxx  set transform-set IPSEC_TRANSFORM_SET  set pfs group14  set ikev2-profile IKEv2_PROFILE  match address VPN_ACL   Extended IP access list VPN_ACL     10 permit ip 192.168.150.0 0.0.0.255 192.168.151.0 0.0.0.255 (831 matches)   ... View more

Re: Cisco ISR4000 to Meraki IPSEC tunnel

by in Security & SD-WAN
‎Jun 23 2025 12:43 AM
‎Jun 23 2025 12:43 AM
Hi thank you for your response. On the Remote ID the i button suggests that this should be configured when the Local ID of the Remote Peer is anything other than its Public IP address. In my case I have set the local ID to a the address provided by DHCP from the NAT router. The previous contributor suggests that from the MX84 perspective that the Remote Peers Local IP address should be its public IP address. However, the Meraki documentation suggests "Uses the IP addresses of the hosts exchanging ISAKMP identity information." which is the address I have provided. ... View more

Cisco ISR4000 to Meraki IPSEC tunnel

by in Security & SD-WAN
‎Jun 22 2025 3:31 AM
‎Jun 22 2025 3:31 AM
I am trying to setup a non-meraki IPSEC tunnel between a Cisco ISR4321 running IOS-XE17.12.05b and an old MX84 in my lab running 18.107.10 I have repeatedly checked and re-checked the configuration for phase 1 and phase 2 and the pre-shared key. Below is the debug from the Cisco router. I cannot see what is wrong. Am I just wasting my time with the MX84 and the version of Meraki code?   000164: *Jun 22 10:33:13.609: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 192.168.0.129:500, remote= xxx.xxx.xxx.xxx:500, local_proxy= 192.168.150.0/255.255.255.0/256/0, remote_proxy= 192.168.151.0/255.255.255.0/256/0, protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel), esn= FALSE, lifedur= 27000s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0 000165: *Jun 22 10:33:13.610: IKEv2:% Getting preshared key from profile keyring IKEv2_KEYRING 000166: *Jun 22 10:33:13.610: IKEv2:% Matched peer block 'PEER1' 000167: *Jun 22 10:33:13.610: IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 0, local address 192.168.0.129 000168: *Jun 22 10:33:13.610: IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'IKEv2_POLICY' 000169: *Jun 22 10:33:13.611: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 000170: *Jun 22 10:33:13.611: IKEv2:(SESSION ID = 1,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED 000171: *Jun 22 10:33:13.611: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key 000172: *Jun 22 10:33:13.611: IKEv2:(SESSION ID = 1,SA ID = 1):IKEv2 initiator - no config data to send in IKE_SA_INIT exch 000173: *Jun 22 10:33:13.611: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message 000174: *Jun 22 10:33:13.612: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14 000175: *Jun 22 10:33:13.612: IKEv2:(SESSION ID = 1,SA ID = 1):Corrupt the hash to force NAT in between 000176: *Jun 22 10:33:13.612: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To xxx.xxx.xxx.xxx:4500/From 192.168.0.129:4500/VRF i0:f0] Initiator SPI : 2745781F64F2A066 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 000177: *Jun 22 10:33:13.613: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA 000178: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From xxx.xxx.xxx.xxx:4500/To 192.168.0.129:4500/VRF i0:f0] Initiator SPI : 2745781F64F2A066 - Responder SPI : 17178C7F5FE6CE36 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: 000179: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):parsing SA payload SA 000180: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):parsing KE payload KE 000181: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):parsing N payload N 000182: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):parsing NOTIFY payload NOTIFY(NAT_DETECTION_SOURCE_IP) 000183: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):parsing NOTIFY payload NOTIFY(NAT_DETECTION_DESTINATION_IP) 000184: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16418) 000185: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16404) 000186: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message 000187: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message 000188: *Jun 22 10:33:13.679: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message 000189: *Jun 22 10:33:13.681: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery 000190: *Jun 22 10:33:13.681: IKEv2:(SESSION ID = 1,SA ID = 1):NAT INSIDE found 000191: *Jun 22 10:33:13.681: IKEv2:(SESSION ID = 1,SA ID = 1):NAT encap forced by policy 000192: *Jun 22 10:33:13.681: IKEv2:(SESSION ID = 1,SA ID = 1):no need to float ports, as exchange started with NAT encap 000193: *Jun 22 10:33:13.681: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 000194: *Jun 22 10:33:13.706: IKEv2:(SESSION ID = 1,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED 000195: *Jun 22 10:33:13.706: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret 000196: *Jun 22 10:33:13.706: IKEv2:(SESSION ID = 1,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA 000197: *Jun 22 10:33:13.706: IKEv2:(SESSION ID = 1,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED 000198: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange 000199: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange 000200: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data 000201: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 192.168.0.129, key len 17 000202: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data 000203: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED 000204: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method 000205: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK' 000206: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange 000207: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message 000208: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '192.168.0.129' of type 'IPv4 address' 000209: *Jun 22 10:33:13.707: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 AES-CBC SHA256 Don't use ESN 000210: *Jun 22 10:33:13.708: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption. Payload contents: VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 000211: *Jun 22 10:33:13.708: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To xxx.xxx.xxx.xxx:4500/From 192.168.0.129:4500/VRF i0:f0] Initiator SPI : 2745781F64F2A066 - Responder SPI : 17178C7F5FE6CE36 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR 000212: *Jun 22 10:33:13.751: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From xxx.xxx.xxx.xxx:4500/To 192.168.0.129:4500/VRF i0:f0] Initiator SPI : 2745781F64F2A066 - Responder SPI : 17178C7F5FE6CE36 Message id: 1 IKEv2 IKE_AUTH Exchange RESPONSE Payload contents: 000213: *Jun 22 10:33:13.751: IKEv2:(SESSION ID = 1,SA ID = 1):parsing ENCR payload 000214: *Jun 22 10:33:13.751: IKEv2:(SESSION ID = 1,SA ID = 1):parsing NOTIFY payload NOTIFY(AUTHENTICATION_FAILED) 000215: *Jun 22 10:33:13.751: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify 000216: *Jun 22 10:33:13.751: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1): 000217: *Jun 22 10:33:13.751: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed 000218: *Jun 22 10:33:13.751: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed 000219: *Jun 22 10:33:13.751: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange 000220: *Jun 22 10:33:13.752: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA ... View more
Labels:

Re: Non-Meraki VPN - IKEv2 issues (?)

by in Security & SD-WAN
‎Apr 7 2025 4:22 AM
‎Apr 7 2025 4:22 AM
I have a number of sites with Meraki MX creating a IPSEC tunnel to an Azure Gateway. For most sites this seems stable but I have one site an MX250 HA Pair (18.211.2) which seems to be having issues. The Meraki send the IKE_SA_Init to which the Azure Gateway responds. There is then a 9 second gap before the Azure Gateway sends out an INFORMATIONAL which contains a Notify Private Errors (12345) repeats and then the Meraki sends the IKE_SA_INIT again and it repeats.  Then for no discernable reason that I haven't been able to capture the VPN springs into life. Only to go down again at some sporadic point in time for the issue above to repeat. TAC states its config but we are not making changes between incidents and the VPN does come up. From the earlier contributions can I surmise the Meraki MX doesn't implement IKE V2 particularly well? ... View more

Re: Moving Layer 3 & 7 firewall rules from the MX to MR

by in Wireless
‎Feb 12 2025 12:43 AM
‎Feb 12 2025 12:43 AM
I am not proposing to remove the firewall rules from the MX. It just makes sense to me to drop the traffic close to the source if its going to be dropped on the MX. The plan is to apply the rules on the Guest SSID only as that is the bulk of the traffic. ... View more

Re: Moving Layer 3 & 7 firewall rules from the MX to MR

by in Wireless
‎Feb 12 2025 12:41 AM
2 Kudos
‎Feb 12 2025 12:41 AM
2 Kudos
According to Meraki we are hitting all of them. We have deployed a second pair of MX450 and attempted to alleviate the load by splitting the site in two and crudely load balancing using VLANs.  This an attempt to buy time whilst a permanent solution is sought. ... View more

Moving Layer 3 & 7 firewall rules from the MX to MR

by in Wireless
‎Feb 11 2025 3:14 AM
‎Feb 11 2025 3:14 AM
I have a customer with a HA pair of MX450 that Meraki have advised are running very close to the limit. Anyone have experience of deploying Firewall rules on the MR's. Logically to me it makes sense to drop traffic as close to the source as possible.   Any gotcha's I need to be aware of ... View more
Labels:
My Accepted Solutions
View all
© 2025 Cisco Systems, Inc.