- About leadtheway
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
leadtheway
Getting noticed
Member since Jan 31, 2019
Friday
Community Record
63
Posts
3
Kudos
0
Solutions
Badges
08-28-2019
05:51 AM
yeah I confirm it as well, but the save changes button is always active and not grayed out indicating something needs saved
... View more
08-27-2019
04:17 PM
so not sure what I can do here. Basically this is the setup. Have an asa at corp site, with a bunch of asa's at other sites and just now using MX at a few new sites. Network is like this each site has 3 networks, one for data, voice and wireless...data goes 10.0.site number.0 voice 172.17.site number.0 wireless is whatever. so in this example two sites 10.0.60.0/24 172.17.60.0/24 10.0.70.0/24 172.17.70.0/24 both advertised in vpn, but the remote subnet of the meraki peer have private subnets being written as summarized. so 10.0.0.0/15 172.17.0.0/16 when i try to save the config on the MX i get this: The changes you requested require confirmation. Please review the following list The VLAN subnet 172.17.70.0/24 overlaps with a remote VPN subnet on the non-Meraki peer Corp00 (172.17.0.0/16). IP traffic will be routed to the smallest subnet that contains the IP address. The subnet on the non-Meraki peer Corp (172.17.0.0/16) overlaps with a subnet on the network 60 LOC - appliance (172.17.60.0/24). IP traffic will be routed to the smallest subnet that contains the IP address. it won't save but I can still ping across. Is there a way to do this so that the voice can talk to what it needs to?
... View more
08-23-2019
12:51 PM
i can see ACls and crypto map in the asa with a source of the asa subnets and destination of the MX subnets with ip service set to permit.
... View more
08-23-2019
12:34 PM
I used the wizard for the site to site in adsm...would it do it for me?
... View more
08-23-2019
12:14 PM
It looks like i can't even ping the next hop that is the mx...like 10.60.0.1
... View more
08-23-2019
12:01 PM
hmm says subnet not in table.,..i did see that the ASA subnets GW is a catalyst 4500.
... View more
08-23-2019
11:12 AM
Oh, so on the mx, those subnets should have static routes? heres the routing table Yes the ASA is the default for its connected subnets. I could post that config if it would help
... View more
08-23-2019
10:58 AM
the meraki is the DFGW for all the subnets of the meraki side. The meraki should make those uplink decisions correct? I'm trying to test right from the meraki mx pinging a host behind asa
... View more
08-23-2019
08:25 AM
Yes this is the doc I used. Currently there are a bunch of asa to asa site to sites so there was already an object group created for the asa subsets but they are summarized in a /15. Like the 10.0.0.0/15 actually has 10.0.3.0/24 and 10.0.4.0/24.
... View more
08-23-2019
07:11 AM
Having an issue with a meraki and an ASA site to site. When i first built tunnel it showed up, both green on meraki and showing MM_active in the crypto sa on the ASA. But Still can't talk to devices behind the asa. And periodically when I check asa vpn status it shows red, but when i try to ping something behind the asa i get 100% loss but the tunnel will then show green. Not sure if its an issue with meraki and using summarized subnets or something else. Anyone have experience with this?
... View more
04-01-2019
08:32 AM
so I need physical access? and does it have to be port 2 or can it be any?
... View more
04-01-2019
08:18 AM
Have several MX appliances, mix of 84 and 100's. Setting up backup internet connections on the 84 seemed straightforward, just edit WAN 2. I'm not seeing similar option on 100? is there a trick to it, i don't see where i can toggle one of the interfaces for WAN. Also, is there anything special about any settings for the failover or is it just plug and play
... View more
03-29-2019
07:39 AM
Setup Client VPN on MX100..connects fine. Specified nameservers for the DNS servers for AD domain. Confirmed that when connected its getting those dns servers. However can't resolve dns to ip. Am I missing something.. I can ping the dns servers from the mx fine.
... View more
03-25-2019
09:04 AM
so Have few vlans that for the most part standalone. i have 2 vlans created that we use for wireless...one for employee and one for guest, employee is allowed to talk to local lan, while guest is prohibited. But whats odd is if i put a pc and plug into an MS switchport on that guest vlan it can talk to any vlan. I assume this has to do with the wireless marshalling is being done based on SSID and not Vlan, so There probably needs something to restrict it on the MX/MS
... View more
03-25-2019
08:52 AM
I think what threw me was you saying drop down.. I see drop downs for the subnet advertisement, but the route was just a check box on the route config page. Thanks!
... View more
03-25-2019
08:48 AM
so after advertising it appears that route is in the other side route table. So thats all that needs to be done then?
... View more
03-25-2019
08:44 AM
not sure I'm following. I do use autovpn in mesh. I am advertising the subnet for the data vlan (which is where the 3rd party inside interface sits as well) i talk to other devices from the other site to that one (and all others) with no issue. But i need to be able to route specific traffic out one site only the this particular location as they share the same vendor. I've enabled advertisement of that route in vpn. Not sure what i need to do on the other site to make sure it can use it
... View more
03-25-2019
08:21 AM
how would i do that? So at a site I want to use i check in vpn, but what needs to be done at the other site? and what happens at the other sites that already have a static route becuase they have the 3rd party equipment onsite?
... View more
03-25-2019
08:08 AM
So have about 8 sites running either mx84 or 100. Theres a 3rd party that runs special software that creates a VPN with their hardware to allow machines to print from that software. To accomplish that they just have an inside interface on our side and i setup a route in the mx to send software for that traffic to that Inside IP and they forward through the vpn. Problem I have at one site is it doesn't have that 3rd party hardware and needs to use one of the other sites. I can't put the route in because next hop would be invalid. Is there a trick with advertising the route created at another site or another way to do it?
... View more
03-25-2019
08:04 AM
Just wanted to update everyone in case someone comes here with similar issue. So actually onsite there this weekend and got to troubleshoot with hands on. It was the weirdest thing..I could run pcap and could see the arp going out of the device but not getting an answer, yet in the Cisco 800 i could see it updating its arp table yet not receiving any arp request. So when the device would even try to ping it wouldn't go anywhere. But plugging in a device that has communicated before and was in the arp table it would work. Craziest thing i've ever seen. So resolution? Rebooted the 800 cisco...lol
... View more
03-12-2019
08:28 AM
yeah i can set the vlan on the stk no problem....the part that is crazy is, there are 3 stacks at this site all plugged into the 350, the stack that has the upstream router plugged into it is the one that isn't working
... View more
03-11-2019
04:53 PM
Yes the 350 is the RSTP root. Firmware is 10.45. Caveat to the laptop working..i think its arp cache is what allow it to work.. If i try to do a release/renew while plugged into stk1 it can't find dhcp etc...but if using its cached address it can.., if I plug it into either of the other two stacks it works fine, release/renew works as intended. Doing packet trace with meraki support they gave me this: Dell workstation connected to sw3/stk1 / port 48 is sending ARP requests for its gateway, i.e. 10.x.x.254, but it is not receiving any ARP replies. We see these ARP requests going out of sw1/stk1 / port 1. Furthermore, it looks like there may be some asymmetric routing going on upstream of sw1/stk1 / port 2, as: - Outbound traffic, i.e. from laptop to Internet, is using an HSRP MAC address as the destination MAC - Inbound traffic, i.e. from Internet to laptop, is using a Fortinet (90:6c:ac:3e:ec:d6) source MAC address
... View more
03-11-2019
04:53 PM
Yes the 350 is the RSTP root. Firmware is 10.45. Caveat to the laptop working..i think its arp cache is what allow it to work.. If i try to do a release/renew while plugged into stk1 it can't find dhcp etc...but if using its cached address it can.., if I plug it into either of the other two stacks it works fine, release/renew works as intended. Doing packet trace with meraki support they gave me this: Dell workstation connected to sw3/stk1 / port 48 is sending ARP requests for its gateway, i.e. 10.209.152.254, but it is not receiving any ARP replies. We see these ARP requests going out of sw1/stk1 / port 1. Furthermore, it looks like there may be some asymmetric routing going on upstream of sw1/stk1 / port 2, as: - Outbound traffic, i.e. from laptop to Internet, is using an HSRP MAC address as the destination MAC - Inbound traffic, i.e. from Internet to laptop, is using a Fortinet (90:6c:ac:3e:ec:d6) source MAC address
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 231 | |
| 1 | 220 | |
| 1 | 364 |
