Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About CGRE
CGRE
Here to help
Member since May 2, 2019
Thursday
Community Record
16
Posts
3
Kudos
0
Solutions
Badges
04-21-2022
06:03 AM
Yes, you can do this from the dashboard UI easily under firmware if within so many days of the update, if past that just manually force the stable version firmware to the MX.
... View more
04-11-2022
07:00 AM
Further issue with another customer who was moved to 17.6 now, this time related to content filtering categories changing between Brightcloud and Talos systems, this is mentioned it can change but whats frustrating is I can find no documentation to show a matrix or difference between old Brightcloud and new Talos databases, we've had to roll back a customer due to them complaining of it causing them issues.
... View more
04-08-2022
06:26 AM
2 Kudos
We've just seen issues with 17.6 on MX's with RADIUS based wifi authentiction, it broke the auth piece and we've had to roll back a load of sites as it caused client connection issues, we have a ticket logged on the issue. I do wish you could opt out of release candidate when on auto update to only get stable version code.
... View more
12-01-2021
07:12 AM
Also I believe Meraki only still support NTLMv1 which is deemed old and no longer used (disabled) by modern Windows server OS, the documentation doesnt mention this but Meraki support advised it only supports v1 and there are no current plans for this to change unless anyone knows different?
... View more
12-01-2021
04:21 AM
Unknown at this time, if they do have trusts between would this work, has anyone had this working on an environment like this?
... View more
12-01-2021
03:29 AM
I dont think this is possible but does anyone know if an MX will support AD integration with multiple AD domains, we have a customer with 6x domains and wants to use the AD integration piece on the MX's but on reading all of the documentation it does point to supporting a single AD domain not multiple?
... View more
Labels:
- Labels:
-
Other
10-01-2021
06:55 AM
If you have a vMX in Azure is there a way to be able to ping/poll with ICMP/SNMP without a full IPSEC tunnel to the vMX? With an MX you can enable SNMP and poll it from the public IP on a WAN interface, in Azure the public is assigned by Azure and the vMX appliance appears to be so locked down you cannot change anything on it nor assign an NSG to it to allow specific rules to it. I also noticed the vMX has the SNMP configuration but in the firewall page doesnt have the same allow source networks section as the physical MX's do. Has anyone found a way to allow these specific ports access on the public IP of the vMX in Azure, or is an IPSEC tunnel the only way (then poll the private IP of the vMX)
... View more
Labels:
- Labels:
-
Azure
09-23-2021
08:19 AM
Thanks but I am only talking about IPSEC/Non Meraki VPN here not AutoVPN
... View more
09-23-2021
07:47 AM
As I understand it IPSEC VPN on MX runs off whatever is set as the primary connection under shaping config, does it auto failover to the 2nd WAN port if the primary connection fails? I note it has no source info detailed in config so would assume it can use the primary by default and then failover to WAN2 if WAN1 failed (in a scenario where WAN1 is primary) Is that the case, am struggling to confirm this in Meraki docs about IPSEC.
... View more
Labels:
- Labels:
-
3rd Party VPN
09-08-2021
10:10 AM
Ok on doing some more work on this it appears the MX IPSEC tunnels do not like it if they dont have constant traffic, not sure what the timeout is but if they have no traffic passing the tunnel drops and you need a ping or something similar to get the tunnel up and working again, they dont stay up on their own, we're seeing this on multiple MX models in different customer estates. Does anyone know what the timeout is for the IPSEC drop out?
... View more
08-24-2021
09:41 AM
On more than one occasion I've seen it come from a random VLAN number, not the highest or even the lowest number, have seen this for both syslog and netflow and proved on packet captures, have a ticket running on the issue.
... View more
08-19-2021
07:31 AM
Hi, This is all mainly Cisco ASA's running IKEv1 and v2 to an MX, can be physical or vMX we seem to get the same issues. Tunnels will drop out for no apparant reason and stop working, they need a lot of intervention to get them going again it seems, has been on IKE v1 and v2 and to different ASA's different IOS versions etc. We dont use Fortinet kit so cant comment on those.
... View more
08-19-2021
01:00 AM
Completely agree, using AutoVPN with Meraki kit is rock solid, no issues at all, its the non-Meraki VPN aka regular IPSEC which seems to be very flaky for some reason, have tried with different vendors (and ironically most vendor kit we have is actually Cisco routers and ASA's) they seem to drop for no real reason when AutoVPN is happy and continues to work (so doesnt point to circuit issues etc). I can feel a make a wish coming on.
... View more
08-18-2021
02:23 AM
We've a number of different types of MX's under management, from what we've seen IPSEC on the MX is not that reliable, it can often drop out and seems to need a constant traffic flow otherwise it will drop IPSEC tunnels, has anyone else experienced this and managed to resolve?
... View more
05-21-2021
01:43 AM
1 Kudo
thanks both, will try this and see if it works, didnt realise the MX would just cope with it and allow a NAT for subnets it doesnt have on an interface.
... View more
05-20-2021
12:08 PM
We have a Meraki MX and an ASA, currently the ASA is happy with running the sets of public addressing (we can use both on the ASA) our ISP has issued. The ISP has issued the below on a single access circuit (this is the secondary circuit, we already have a working circuit/range in WAN1 which is different) this is exactly how the ISP describes the public subnets we can use on this circuit. WAN Pool:- 212.161.19.200/29 LAN Pool :- 217.111.163.168/29 We can use 212.161.19.200/29 fine no issue on WAN2 however we have a requirement to use IP's in the 217.111 range issued on the same circuit but we cant seem to do this on the MX, on the ASA it appears to just route to the interface and works but I cant see a way to get this second range working on WAN2 on my MX, is it possible? It looks like so far as its not part of the same subnet it wont allow routing to it.
... View more
My Top Kudoed Posts
