Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join now- About TheDarkKnight
About TheDarkKnight
Community Record
15
Posts
4
Kudos
0
Solutions
Badges
Jul 30 2025
8:16 AM
2 Kudos
That's the problem. the field won't set back to empty if you set the secondary concentrator as "none" and toggle it back on. The field is buggy and won't reset back to empty. I also wanted to see what would happen while its empty.
... View more
Jul 26 2025
3:30 PM
i hear you, i really do. i don't like the design one bit. unfortunately its a network i inherited from someone else who didn't think that tunneling inside a tunnel was a bad idea. it craeted an MTU issue a few months back and already told them that guest traffic should be DIA and not get backhauled to the data center. but the requirement for that is not coming from me, its from the cybersecurity team who wants to inspect everything but even with that, they want it to be segregated inside an another encrypted tunnel (doesn't make any sense. To your second point. are you saying to capture the dhcp probes when they go to the DHCP server? yes, we tried that, i don't see any probes. and this is why im puzzled about what is going on. This is why i wanted to see if someone else implemented this and maybe have a better insight to what is being written in the documentation.
... View more
Jul 26 2025
3:25 PM
We haven't tested that, so im not sure. i might give it a try. unfortunately because of the nature of change process that we have, it can take up to 10 days to get an approval to test anything. But besides that, all i wanted to know how the documentation was trying to address this feature.
... View more
Jul 26 2025
3:23 PM
i can't believe that i have to reply to such comment. 1- people started saying that im not explaining properly or providing a complete topology, or my topology is not correct. (what is not correct about it? im very open to listen) 2- I was asking about something and conversation is getting dragged in unrelated direction. i asked about the document and the document only. 3- im well aware of how to distinguish who is a Meraki employee and who is not. 4- please don't preach to me about decorum because y'all instigated these kind of responses. 5- no one forced any of the people who commented to respond so please don't think i'm begging for help here. im merely bringing a technical conversation but people like you insist on derailing it with unrelated discussion. I don't see anyone trying to help so far, just projecting and self righteousness, such as your comment up here. Lastly, no one is shouting, if you have a language barrier and thin skin to fail to read between the lines, that's on you to feel offended over nothing. I didn't claim any entitlement for help, so please spare me this rant on how you are "just trying to help". because you aren't. if you have something constructive to add to the conversation, go ahead. i won't be responding to none-technical questions anymore or even have to justify what i'm saying.
... View more
Jul 25 2025
6:30 AM
I disagree with the sentiment that it doesn't matter what the DHCP packet looks like. And as Chris Greer says "wireshark/packet captures is the source of truth". it completely does, the size of the packet could be a problem since the Cisco SDWAN tunnel could be dropping the packet since im sure df bit is set (but that's an assumption). and that's why i want to see the packet and how it looks like. Based on that, traffic did exist and i was able to browse the internet, so clearly the MR and MX knows that there is traffic since the tunnel terminates at the MX and traffic exits there. That only means that either the MR isn't getting the response back or isn't sending it at all. And we know for a fact that we didn't get any probes from the MR as a DHCP packet. So that only means the MR code is broken and the probe isn't functioning/being sent at all.
... View more
Jul 24 2025
10:12 PM
what information did i not supply? What is the issue with the design if you say i didn't give the entire description? 2 contradicting statements. Regardless whether the design is the wrong one or not, does not address the fact that the document is not stating what is the right or wrong use case for it. or how it should be used. or how the DHCP packets are crafted. or what DHCP options are in them. Those are the important questions, not what our topology is at the moment.
... View more
Jul 24 2025
6:01 PM
i can't just throw random testing by just upgrading and hoping for the best. The question was, whether the documentation was trying to say one thing or the other. what is the correct use case of this feature. Further more, the SDWAN solution is called Cisco SDWAN, i didn't say viptela because it wouldn't make sense to say that. this renaming was done way back in 2019.
... View more
Jul 24 2025
5:59 PM
Since there is a requirement to backhaul all traffic back to the data center, guest traffic has been requested to be segregated.
... View more
Jul 24 2025
1:01 PM
i've looked through the dashboard again and this is what i see: MR 31.1.5.1 MX 18.211
... View more
Jul 24 2025
12:50 PM
Im honestly blown away how lackluster the troubleshooting process is on Meraki. you don't have the same tools that IOS-XE has, where you can run Packet trace to see if there are any drops on the dataplane QFP cpu to see if traffic is going through without disruption, EPCs, etc. This is a simple issue, how do people troubleshoot more complex issue. SMDH
... View more
Jul 24 2025
12:47 PM
2 Kudos
I will double check on the code releases as i fetched them from a monitoring tool (API call) and im not sure how to navigate the convoluted meraki dashboard to get something as easy as that info. in regards to the connectivity, the SDWAN tunnel bridge the communication as if both the datacenter and branch are directly connected. so they don't change any ips during the transport. SDWAN tunnels are supposed to prevent the need for NAT unless you want to NAT lan side traffic explicitly to go natted inside the tunnel or DIA access for local internet. The internet connectivity overall is hauled back to the data center for the branches to reach it. so everything must go through the data center to get to the internet. So i don't see why would this work. Even if the 2 datacenters want to talk to each other they are also connected over the SDWAN tunnels.
... View more
Jul 24 2025
12:18 PM
the APs tunnel back to the MXs and yes, they are set to concentrator. No NAT involved. MR44 -> "firmware": "wireless-31-1-5" MX100 -> "firmware": "wired-18-1-07"
... View more
Jul 24 2025
12:04 PM
Disclaimer: i'm still new to Meraki, so if you are going to flame me for not knowing something, remember that i'm upskilling at the moment. Overview of the Topology for the issue listed below We've had an outage (on our Guest wifi) when the inside interface for the firewall at Data center 1 wentdown, because we didn't have a secondary MX set for the APs at our branch network. -We have 2 MXs, one at each Data center. -Each Data center uses it's own DHCP server for Guest Wifi. -The DHCP servers are on a Catalyst 9300 switch (we've excluded range of IPs). -We've decided to enable the feature in the documentation below, however that turned out to be a disaster. (When we raised this to Meraki TAC, they don't even understand how this feature works, unsurprisingly). Meraki TAC is still trying to figure this out and wanted to see if the community has anything to add. -We enabled the HA for MX concentrators. -DHCP requests has to go through the Inside interface (dedicated for Guest-wifi) to reach the DHCP SVI on the cat9300 switch. -The UI is bugged that when you selected "Re-associate" clients and save the page, then the page reloads that it's still marked as "don't re-associate". -Once you put an ip in the "tunnel health ip" field, try to delete it and save, the ip will show up again upon refresh of the page. (Clearly a bug). -Both DHCP scopes are reachable for the Access points at the branch and we've confirmed that through my personal cell phone wiifi connection and what ip addresss it grabbed. so if DHCP probes are somehow blocked, my cell phone shouldn't be able to get an ip from Guest-wifi. -Once we've enabled that feature, the Guest Wifi at a pilot site kept flapping back and forth between the 2 data centers. Changed VPN connections (8): • The teleworker VPN connection to XXXXXXXXXX's SSID Guest in network Branch XXXXXXXXX is now down. • The teleworker VPN connection to XXXXXXXXXX's SSID Guest in network Branch XXXXXXXXX is now down. • The teleworker VPN connection to XXXXXXXXXX's SSID Guest in network Branch XXXXXXXXX is now up. • The teleworker VPN connection to XXXXXXXXXX's SSID Guest in network Branch XXXXXXXXX is now down. • The teleworker VPN connection to XXXXXXXXXX's SSID Guest in network Branch XXXXXXXXX is now down. • The teleworker VPN connection to XXXXXXXXXX's SSID Guest in network Branch XXXXXXXXX is now up. • The teleworker VPN connection to XXXXXXXXXX's SSID Guest in network Branch XXXXXXXXX is now down. • The teleworker VPN connection to XXXXXXXXXX's SSID Guest in network Branch XXXXXXXXX is now down. -We've received overnight an alert twice a minute from the logs above. -The documentation doesn't mention exactly what is the acceptable use case for this feature. -It doesn't show an example of how those DHCP packets look like and what flags are expected that the DHCP server is going to acknowledge. -We've pointed the tunnel health IP field to the SVI of the DHCP scope on the Catalyst 9300 switch where the primary MX is. (The documentation doesn't say which DHCP server that this need to be pointed at, again no clear use case is defined here). And we changed that to the standby. (The issue persisted) -We didn't see any logs on the firewall inside interface that it was blocking anything. -I ran packet capture on Cat9300 switch (at both datacenters) but i don't see anything coming as a probe. -The ip address that the Tunnel health ip probes are pointing at is excluded from the DHCP scope. -The documentation doesn't even say what the source ip of those probes are going to be when you set an ip address in that field. What are we doing wrong here? how does this feature work? what DHCP options are included in those DHCP probes? -Documentation for the feature i'm talking about: https://documentation.meraki.com/MR/Access_Control/Secondary_MX_Concentrator_for_MR_Teleworker_VPN
... View more
Labels:
- Labels:
-
SSID
Jul 1 2025
10:14 AM
That's unfortunate.
... View more
Jul 1 2025
9:55 AM
Hi, Disclaimer: This is my first post in the Meraki Community and still picking up on the technology. So please be gentle if you are going to flame me. We've recently experienced an outage for our Guest-Wifi SSID at several branch locations where the Access points connects back to a concentrator over the Cisco SDWAN tunnel to our datacenter where the Meraki concentrator is. Found out that there is a button called "Test connectivity" under the access point portal (wireless -> configure -> Access Control). That helped us isolate that there was a connectivity issue preventing the Access point from broadcasting the SSID. Using that botton helped determine that. Now we are aiming at creating a script that will run such test everyday in the morning and after hours to make sure that all sites are running as they should be. However, looking throught he api documentation, i wasn't able to find anything related to that button (including looking through the forum before posting). Can someone guide me in case i didn't do my due deligience?
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 3052 | |
| 2 | 3937 |
© 2025 Cisco Systems, Inc.
