- About mat1458
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
mat1458
Getting noticed
Member since Oct 23, 2018
4 weeks ago
Kudos given to
Community Record
22
Posts
4
Kudos
0
Solutions
4 weeks ago
1 Kudo
Thanks Philip That explains everything clearly and my tests prove that you're right. Cheers Mat
... View more
4 weeks ago
1 Kudo
I did not yet know about the well-behaved part of the FW. But looking at it it makes a lot of sense in terms of economizing ports. Thanks for your endurance in answering my questions. Mat
... View more
4 weeks ago
Hi Philipp I have done further tests and I still can generate IP address overlaps. Just to make sure that I understand the concept of overlap checking in Meraki: Are the checks made per network bound to the same template (in which I define the uniqueness) or are the checks made based on the entire organization (all networks bound to a template and the ones that are not bound to a template)? Thanks for reading and supporting people. Mat
... View more
4 weeks ago
Let me rephrase my question: How does the Meraki Cloud populate the list for hubs in the Site-to-Site VPN configuration for spokes? In my opinion it makes a difference if a hub network is bound to a template or if it's not. I want to understand the reason why it is that way. I did not find any documentation that points this out.
... View more
a month ago
Thanks Brecht for all the time you dedicate to my issue. The way I see it there must be a mechanism in the ISP FW NAPT process that re-uses previously assigned source ports for different IP addresses in the outgoing direction (which makes sense from an economical assignment point of view). This way the hole punching basically opens the same port on the public side for all outgoing UDP connections from the same inside source address. That way the whole model can work. Kind regards and many thanks again. Mat
... View more
a month ago
Hi Brecht Thanks for the answer and sorry for the delay. I still have a question. The way I understand PAT (NAPT) it always consists of a two tuples: one describing local SrcIP/SrcPort and the corresponding global SrcIP/SrcPort, the other one describing local DstIP/DstPort and the corresponding global DstIP/DstPort. Now for the MX1 this would be something like local IP10.1.1.1/UDP40001 and global IP1.2.3.4/UDP40001 to local 64.62.142.12/UDP9350 and global 64.62.142.12/UDP9350. This in my opinion punches a hole for the connection between the two endpoint IP addresses. When having a second MX2 behind the same ISP firewall the situation would look like that: IP10.1.1.2/UDP40001 and global IP1.2.3.4/UDP40002 to local 64.62.142.12/UDP9350 and global 64.62.142.12/UDP9350. The UDP port for both MXs differs on the outside, but in my opinion only for the communication to 64.62.142.12/UDP9350. When assuming that an access point tries to set up a connection to MX2 it sends a UDP packet to IP1.2.3.4/UDP40002. Since the public IP address of the access point is not known the packet is dropped at MX2's ISP FW. Now if the MX2 tries to open the communication to the AP: is there a rule for the ISP FW to use the same UDP port number (40002) to the different public IP address of the access point? Or is it just the way most of the NAPT devices work? Sorry to bother you again but maybe you can help me understand the process more profoundly. Kind regards Mat
... View more
01-17-2019
08:06 AM
@kYutobi: I do not find anything specific about AutoVPN Hubs in the document. Am I missing something there?
... View more
01-17-2019
07:27 AM
Can a hub site be in a network that is bound to a template? (i.e. a template for all hubs in the organization) When I try to configure this the active MX in the sites never get selectable as hubs in the spoke configuration.
... View more
01-15-2019
06:16 AM
Hi Brecht Thanks for your reply. But if I understand you correctly, the non-Meraki FW would change the port in your scenario. How can the Meraki VPN registry track the different outside port? In my opinion there is no direct relationship between the FW and the registry. So some messaging (error messages?) could be used for this update but I don't see any way, how to do this update. In my opinion it could only work, if the VPN registry remarks the duplicate port numbers before it announces them and urges one of the data center MXs to change it's source port and then re-announce it. Or Meraki relies on coincidence with the random function on the port range. Cheers Mat
... View more
01-14-2019
11:47 PM
Hi I want to have multiple MX of different organizations in a data center that hide behind a non-Meraki firewall. All MX are in the same subnet. The MX act as VPN concentrators for SSID tunnels to APs of multiple customers. If I have a look at the documentation on how the tunnels are invoked (https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_between_Cisco_Meraki_Peers) I see in the example that the SF-MX selects a UDP port for the tunnel source/destination dynamically. Is there a way to make sure that these ports do not overlap when I hide all data center MX behind the same IP address to the internet? Or in other words: what is the algorithm for an MX to choose a UDP port for VPNs? Any ideas are welcome. Cheers Mat
... View more
12-10-2018
01:41 AM
Hi Philipp even though in some configuration situations I received error messages about overlapping IP subnets and I was not able to proceed I was able to configure my network in a way to have overlapping IP subnets. This was the case when I added a spoke site that used the pool of IP subnets out of the template. I do not know why the tests work when trying to add a hub site with overlapping IP addresses but not in the case where a spoke site gets an IP address out of the pool. So I think that the best strategy is still to use non-overlapping address spaces for hub and spokes, but that was clear in the first place. Thanks for taking the time for replying my (silly) questions. Matthias
... View more
12-06-2018
05:52 AM
I have understood that for automatic address assignment in Site-to-Site VPN I have to use a template. With it each site gets its own IP addresses from a defined pool. For a hub and spoke network I need to configure the MXs as spokes. the hub site as I see it cannot be part of the template because of the selection of the type "Hub". If I want to select an IP address for a VLAN on the hub out of a range in the template that is used in the spokes: does the dashboard track the used IP subnet so that it is never assigned to a spoke? Or do I have to assign IP addresses in a different IP address range? (reason for asking: FW rules would be easier in general if IP addresses for VLANs with the same purpose could reside in a common address range)
... View more
11-26-2018
07:04 AM
Hi Nolan Thanks for giving me such precise answers to all of my questions, I really appreciate that very much! I have found the Org>Firmware Upgrade page and am already playing around a bit. I let the question on an unsolved state for a little moment, even though you have replied and solved almost all of my questions. Just in case somebody has some more info tho share. I will however put it to solved shortly. Thanks again Mat
... View more
11-26-2018
05:49 AM
I am trying to understand how Meraki handles firmware updates. The documentation on some topics is quite clear, other stuff is a bit difficult to understand. That's why I want to ask a few questions: -Is it true that all devices of the same type (MX, MS, etc.) bound to a network with a template upgrade their firmware at the same time? -Is it true that firmware updates of all types of devices can only be delayed a certain amount of time but not suppressed totally? -When trying to set the date of the firmware update to a date two weeks from now the dashboard tells me that the " Firmware upgrade date must be set in the future ". Bug or feature? Or did I overlook something? In this case it concerns switch software (" New firmware is available for this network. However, an update is not scheduled. ") The date correlates with the Upgrade window that is set above. -The dashboard tells me "Upgrades may be staggered...". Is it true that this feature is in BETA? How do I access it? -For the whole firmware upgrade process: is there any integration in the API planned/already implemented? Any hint or reply is greatly appreciated.
... View more
11-21-2018
12:11 AM
Hi Philipp That's where I expected to see them but it seems that this is for site-to-site AutoVPN type of connections to other MXs only. It seems that apart from the "Test Connectivity" button in the SSID configuration panel there is nothing to show that the connection is working. And the results of "Test connectivity" are not easy to interpret, especially failed ones. But thanks anyway for your answer. Mat
... View more
11-20-2018
09:00 AM
If the MX is the DHCP server the incomplete ARP is not likely to be the issue since the traffic is routed and ARP is only necessary for the default gateway IP address in the local VLAN. It looks to me as if something in the DHCP processing on the client side as gone wrong. Did you do an ipconfig /all (or whatever the OS of the client might need to display the IP config) to see if the DNS servers and the Default Gateway were present in the PC? If everything is/was ok, could/can you ping the DNS server? Are you able to able to ping devices in proximity to the DNS server?
... View more
11-20-2018
08:01 AM
In bridge mode Meraki allows to use VLAN IDs with tags. This gives the possibility to use templates and add the APs to the corresponding tags (and with that to the corresponding VLANs) afterwards. With SSID Tunneling to VPN Concentrator there is a possibility to use VLAN but only a single VLAN can be assigned. I have the need to separate the sites/networks on the central VPN concentrator into one VLAN per site. With the existing configuration logic on the dashboard I have no possibility to do this in a template, resulting in a second network per site only for the access points. I don't want to complain, please don't misunderstand me. But with the extension of the tag concept to the SSID tunnels I see a possibility to allow this configuration in templates as well. And in my opinion this would simplify the configuration overall. Anyway, I can do what I need to do, so I'm happy. Consider my post a a suggestion for future developments.
... View more
11-20-2018
05:54 AM
Another basic question (after having brought up the one armed concentrator with SSID tunnels): Is there any possibility to see how many SSIDs/Access Points have active tunnels to a MX VPN concentrator? I did not find anything in the portal so far, maybe API?
... View more
11-14-2018
07:37 AM
1 Kudo
Thanks for the reply!
... View more
11-14-2018
05:42 AM
I have a one-armed MX VPN Concentrator that is located in a site that is connected over a network with an MTU of 1440. Is there a way to build a Teleworker VPN solution (MR AccessPoint SSID Tunneling) from other sites to this VPN concentrator? Is there a way to reduce the MTU on the MX or to switch on PMTUD in a way that the MX and the AccessPoint both reduce the size of the IP packets?
... View more
11-14-2018
03:41 AM
1 Kudo
Hi jdsilva Thanks for your reply and sorry for my late reply. That's indeed the way to go, L2TPv3 Tunnels or EoGRE would be others but due to technical restrictions I'll continue with your idea. Cheers mat
... View more
10-23-2018
09:56 AM
I would like to have a WLAN solution in which each site uses a separate VLAN for a specific SSID that is transferred over AutoVPN to a central site. Can I use an MX at the central site that still lets me separate all VLAN from the sites and how would I configure it at the central and remote sites? (Kind of a L2-site-to-site-VPN)
... View more
Kudos given to
My Top Kudoed Posts
