Hello, I had the same problem but by changing the AnyConnect connection port (other than the default port 443) I no longer have any unwanted connections. Scanners usually use the default port 443 to attack so it's best to change it. ... View more

I see, so there isn't a way to have it load balance to a range of hostnames. That's the detail I was missing here. ... View more

You could use the built-in feature on Windows Update called ""Metered Connection"" to block the Windows 11 update temporarily. ... View more

We have this issue as well.  MX450's acting as vpn concentrators in 1-armed mode running latest firmware.  The issue is actually the 'frames per second' table maximum of 500k is reached when scanning through to the branch locations.  When the FPS table is maxed it causes major performance degradation.  There's no solution support has provided other than to add more MXs and split up our remote auto-vpns to multiple concentrators to try and limit the impact.  We have about 150 branch locations. ... View more

I cannot comment on feature developments in that regard right now unfortunately. ... View more

I also agree with Phil here, and want to give a bit more technical context on this response.   A DDoS falls under the broader umbrella of what's known as a resource exhaustion attack: https://owasp.org/www-project-automated-threats-to-web-applications/assets/oats/EN/OAT-015_Denial_of_Service   While I've seen varying descriptions, in general, any resource can fall under such an Umbrella, including network bandwidth. If someone's saturating your uplink with garbage downlink traffic, there's very little mitigating it on your network perimeter would really accomplish anyway. In a more traditional sense, we can't mitigate against a DDoS consuming CPU or memory either; processing that many inbound packets through our IPS and inbound firewall is always going to consume both. ... View more

Just to give fair warning, in its current form,  it's a *very* limited support feature, and it's far from being something Meraki Support can recommend using. ... View more

SFTP is all tunneled over SSH, which removes the need for such NAT hacks. Past experience has dictated that any sort of NAT considerations for FTP aren't likely to be implemented given that FTP is a cleartext protocol that transmits usernames and passwords unprotected.   As for the the firewall rules, "implicit" implies that it's an unspecified behavior, which is not the case. Yes, there's a default allow rule, but it's very much explicit. ... View more

Go on Meraki dashboard, go to help and cases.     ... View more

Alex, For those of us that were up to date on our patchwork can you tell me if there is any kind of follow up action who's results will be shared to the community so that they can explain what happened and how it is being addressed?  I appreciate consideration you may make in response to my question.  Thank you, Scott D Hansen - DBA - Systems Engineer ... View more

FYI, if you ever have any concerns about the origin of a file, you can click on the link in the details section to obtain a SHA256 hash of the file, along with a link to any results VirusTotal may have for it.   If VT doesn't have any hits, just a general Google search for the file hash is usually enough to give you a range of results to help learn more about the file in question ... View more

Hello,   Just an FYI, that NBAR, and indeed the L7 firewall as a whole,  are not related to Content Filtering in any way, including the change from our previous content filtering provider to Talos. They are two separate features that rely on entirely different methods of identifying and blocking traffic.   Please continue to work with Support on looking into this, as we've recently made some considerable changes to NBAR as of last month's 16.16.4 patch, ones large enough that demand we take fresh data sets before we can continue to evaluate this any further. ... View more

Cheers for the reply   I'm stuck with a vendor using TFTP right now as their device is only coded for TFTP (Quite old device) I'm going run a local TFTP server to get around this problem as it's only a one off problem for now. ... View more

Thank You!  I can't believe it.  After troubleshooting everything and pulling my hair out, it was the wrong documentation in the end provided by Cisco.  As soon as I updated Phase2 everything worked. ... View more

Another +1 from May 2022, after creating a bunch of policy objects as well.    2 Years in Beta for something that almost every competing firewall has had for years...? ... View more

Yes, you can do this from the dashboard UI easily under firmware if within so many days of the update, if past that just manually force the stable version firmware to the MX. ... View more

I'll follow up with Spectrum on that and see what they say. This thread has been much more constructive so far than my support ticket, so I'm very appreciative!   Are there any behind the scenes logs that may or may not show what the MX is doing when I turn on the IPV6? It "thinks" it is connected as it shows the assigned /127 being green, but I'm not sure what logic it uses to determine that. ... View more

Another thing to bear in mind is that any potential bugs you may encounter on the AnyConnect Client itself may require TAC involvement to resolve that Meraki Support cannot provide, and licensing is required to be able to contact them. ... View more

This is the correct answer - Meraki Support can assist with some simple configuration questions for policies as they relate to the MX implementation, but deeper functionality on the AnyConnect client itself should be directed towards their TAC team instead. ... View more

Same things here. Blocked DNS requests as "XBOX Live" 😞   Disabled NBAR in Traffic analysis but i would like to maintain it to "detailed" and "all gaming" L7 rules! Please fix!     ... View more

We're in the process of transitioning models from 2.9 to 3 as of MX16 firmware ... View more

"Identity protection" refers to IKEv1 Main Mode; I'm not sure if Azure still allows for IKEv1, but it sounds like it might be expecting IKEv2 ... View more

Hello 888network, I had the same issue and I solved by performing the following:   Under Security & SD-Wan > Configure > Site-to-Site VPN - Go to VPN settings   1. Find the local networks you want to export (encrypt) through the tunnel    2. Set the VPN mode to Disable > Save   3. Set the VPN mode to Enable > Save This should trigger the traffic flow and the tunnel should come up.   Regards, Marco ... View more

https://documentation.meraki.com/MX/Site-to-site_VPN/IKEv1_and_IKEv2_for_non-Meraki_VPN_Peers_Compared#IKEv2 It's not that there can only be one subnet, it's that both sides need to be able to support building a single IPsec tunnel that encompasses each source and destination. The upside is that this scales a lot better, and is far easier to troubleshoot. The downside is, some vendors have been having to play catchup to the IKEv2 standard, and still impose the "one pair per IPsec tunnel" rule that existed in IKEv1. Last I heard, ASA was working on a new release that should resolve this, but I don't have any more info on what that looks like, or if it's out yet. ... View more