Meraki

GIdenJoe · ‎May 24 2023

You will need to provida A LOT more detail before any troubleshooting can occur. Are you talking about an autoVPN remote peer or a non-Meraki VPN IPsec peer? In case of the latter are you reaching from this site or from a remote Auto VPN peer towards something over an IPsec peer (in that case won't work). In case of AutoVPN, is the tunnel UP between both sites? If yes is there a site to site firewall entry? Is the device at the remote site correctly configured.

MK2 · ‎May 24 2023

... need to buy N-type screw on caps... Are they avaiable through Meraki or do you suggest any "supported" vendor?

GIdenJoe · ‎May 22 2023

It may be a good effort to test first. It makes sense it will bounce tunnels that are effectively changed. However if you put the same data that is already there I would be hard pressed to believe it would bounce those unchanged tunnels. However measuring = knowledge so you might want to have a test bed in a different org and check those. I don't have a lab with those devices to test this out.

Janitor · ‎May 19 2023

Hi Axl, We at Hamina make a fully Meraki-supported, Meraki-integrated SW for this. Hit me up if you'd like to discuss. It's also on the Meraki Marketplace: https://apps.meraki.io/en-US/apps/410018/hamina-network-planner

Shonken · ‎May 18 2023

Thank you everyone for your help in trying to fix this... Turns out I had to switch to Passthrough/VPN Concentrator mode and then the stars aligned and everything could talk. For anyone else that may stumble on this in the future this article was helpful even though its older: How to deploy a Cisco Meraki vMX100 into Microsoft Azure • AboutNetworks.net

alemabrahao · ‎May 18 2023

Definitely not, Aironet IE is a legacy feature and should be disabled, so Meraki devices do not support it.

Bucket · ‎May 15 2023

@Ryan_Pascoe Thanks, that makes a lot more sense. That also means the MS390 is a beast with Meraki GP compared to a C9300 with dACL, but I guess thats the advantage of using an access-list that exists locally on the switch.

RaphaelL · ‎May 11 2023

Good point ! I heard that they are going to bring lots of changes to the MX firewall in MX18.XXX.

GIdenJoe · ‎May 11 2023

It's time to whip out that hairdryer 😉

GIdenJoe · ‎May 10 2023

X marks the spot 😉

GIdenJoe · ‎May 10 2023

The features you request are not available on the Meraki software stack. I believe if you need those features you will need Cisco Catalyst at least at your distribution layer. If your access layer is layer 2 you can use Meraki MS switches if you like the dashboard for your monitoring but at the distribution layer and beyond you will need advanced platforms that support your features and those can be found in Cisco Catalyst. Remember that also 3 families of Cisco Catalyst switches can be monitored in dashboard but configured using CLI or other ways,

KarstenI · ‎May 8 2023

Good to know!

GIdenJoe · ‎May 5 2023

I'm not sure about that: the sentence below throws me for a loop 😉 quote: I have a few devices changing to wifi from wired but want to maintain the same static IP addresses and have them all grouped together.

EliseNemeth · ‎May 2 2023

Thank you.

PhilipDAth · ‎Apr 19 2023

It's not uncommon for Windows update to reset the client VPN settings, breaking client VPN. Try deleting one of the connections and setting it up from scratch again.

cabricharme · ‎Apr 19 2023

What I was looking for was something like this: Go to the Meraki dashboard for the site where the target host is located. (Not needed for single site configurations, required for multi-site ones.) Go to "Network-wide" - "Event Log", choose "for security appliances" at the top: In "client" field, put a MAC address belonging to the host at issue. Hit "search", see what comes up. In our case, this pointed to the root cause: misconfigured "content filtering" rules (or their misbehavior - I still can't wrap my mind around why they are behaving the way they are). Bottom line, for people who aren't too deep into networking or not too familiar with Cisco and Meraki, a little hand-holding goes a long way while RTFM links rarely work. Hope this helps someone else in a similar situation.

GIdenJoe · ‎Apr 17 2023

Meraki does not use any public facing bug ID's like Cisco does. Perhaps internal they use them but you should ask them directly. For now be assured that this is a known issue listed in the Firmware issues.

MerakiLife · ‎Apr 17 2023

Thanks - our GW for clients and servers is on the core switches at each site with a 0.0.0.0 route to the MX's for internet bound traffic. Logically I can see how and why we could move the solitary switch in our DC to the HQ but it scares me doing that. Never used the concentrator mode and not sure i fully understand it. We did use Meraki client VPN but now we use Cisco Anyconnect to an FTD NAT'd behind the MX's (which isn't the best setup).

GIdenJoe · ‎Apr 5 2023

If you capture your WAN interface and filter on the host IP of the other side or filter on port 500 or port 4500 you have to see the security association frames. It might be possible that you'll have to start a ping from an inside interface on your MX to an IP on the LAN on the other side (even if it does not exist) to trigger an attempt to bring up the tunnel. Also watch on your fortigate if it is set to responder only that you have to initiate on the MX in that case. If it is IKEv1 you should see 6 main mode messages and 3 quick mode messages. If you use IKEv2 you only have 4 messages. You have to filter on the same initiator SPI to get the packets only pertaining to a certain session or setup your wireshark with an IPsec profile containing useful columns to quickly see where in the exchange it is failing. You will see messages with INFORMATIONAL message coming from the device that does not like what the other side is sending. Most common are: - One or both of the devices are behind NAT and you are getting the IKE-ID wrong. (failure will happen right after the packets are encrypted) - You still have wrong parameters at any end and there are no matching phase 1 policies (you should see it fail after the first message) - You use IKEv2 and you have multiple local or remote networks and the device on the other side can't put everything in one SA.

Tobias_Kuhnert · ‎Apr 5 2023

i guess the cables i'm talking about are at least 6-7 years old.

GIdenJoe · ‎Apr 4 2023

You really need to survey the area and use multiple antennas to see what provides the best coverage. The AP is not the issue here because it is only allowed to send 9 dBm on 2.4 GHz because your antenna has 10.x to 11 dBi of gain totalling the EIRP at 20 dBm which could be the max in your region. However if you choose a slightly lower gain antenna you could up your Tx power to match that. 5 GHz is allowed to transmit higher but you get a 6 dB penalty due to the smaller receive antennas. Your area may simply be too large to cover with two antennas.

CptnCrnch · ‎Mar 31 2023

Im taking bets that @PhilipDAth will be the first one to achieve the 25k...and would very well deserve that badge! 🙂

alemabrahao · ‎Mar 29 2023

Take a look at this. https://freddejonge.nl/fortinet-to-meraki-site-2-site-vpn/

PhilipDAth · ‎Mar 29 2023

There are several ways you could look at achieving this. To do it based on MAC address, change the default layer 3 firewall rule to deny all access. Then create a group policy to override this, and allow access. Then apply the group policy against the MAC addresses allowed access. You could use iPSK per device instead (simpler, I think). https://documentation.meraki.com/MR/Encryption_and_Authentication/IPSK_Authentication_without_RADIUS

Macguy · ‎Mar 24 2023

Scratch that.... this morning just randomly roamed with fixed channel set. I give up, just going ethernet until I can test with M2. The disconnection reason in logs was "client not responding". My device had perfect connection and I was working normally.

About GIdenJoe

GIdenJoe

Joey Debra

Community Record

Badges