The Meraki Community
Termont

Comes here often

Member since Jun 6, 2019

‎09-14-2021

Community Record: 5 Posts, 0 Kudos, 0 Solutions

Latest Contributions by Termont

Re: Clients sporadically cannot connect to Wi-Fi networks created by MR53E.

by Termont in Wireless LAN
03-02-2021 01:37 PM

Wow! Long thread. Had very similar symptoms.

My problems started after noticing that one of our SSIDs had legacy WPA authentication configured. Changed it to WPA2/WPA3 but that forced users to reauthenticate and flooded the support desk. Word to the wise, always send a notice first...cuz users.

Anyways, I've put the settings back where they were and all came back as before, except for a few clients experiencing the occasional disconnect or not being able to connect with their cell phones.

However, I had forgotten to put back ONE setting that, at the time, I thought, hey, let's try that...

802.11w https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/802.11w_Management_Frame_Protection_MFP

Had left it enabled. Disabled it and all my problematic clients reconnected fine. This thing is over 10 years old and does not seem to play well with others. So still on WPA and no 802.11w. I know...

Thank you.

Re: Advertising Static route in vpn

by Termont in Security / SD-WAN
06-12-2019 06:43 AM

Hello!

What is the difference between setting the route here under Security & SD-WAN > Site-to-site VPN > Local Networks to YES under 'Use VPN' and ticking the box 'In VPN' when creating a static route under Addressing & VLANs?

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Addressing_and_VLANs

In VPN: Determines whether the MX advertises this static route to site-to-site VPN peers.

Thank you!

Re: Non-Meraki Peer Site-To-Site VPN and default route and 'In VPN' route

by Termont in Security / SD-WAN
06-07-2019 04:21 AM

Thank you very much PhilipDAth, I will look into Cisco Umbrella for sure.

Once we provide our clients with Internet, we definitely do need some ACL and content-filtering to be applied. Right now, we are exploring the old school route with squid/e2guardian.

I understand what you are suggesting. We actually do have another similar setup to what you are suggesting with another provider for redundancy. With the other provider however, we use GRE over IPsec and the GRE endpoint is actually on another appliance, a Cisco 4321. The GRE tunnel points to another IPsec tunnel on our Meraki but everything coming out on the 4321 that is destined to the Internet does so by using the default route to our Meraki and then the Internet. Quite a more efficient setup. The 4321 is actually in a DMZ VLAN that is solely used to create tunnels. This has the benefit of being able to apply content-filtering directly on the Meraki as it can only be applied to VLANs it seems and not directly to the traffic coming out of the IPsec tunnel.

Nonetheless, for our primary uplink to our APN with the first provider, we are stuck with the current configuration. As a matter of curiosity and knowledge of the product, I am still pursuing answers in regards to our problematic setup.

Thank you for your answer,
Have a nice day!

Re: Non-Meraki Peer Site-To-Site VPN and default route and 'In VPN' route

by Termont in Security / SD-WAN
06-06-2019 11:43 AM

Shoot. One last thing.

What has precedence, or how are the two linked: the 'In VPN' feature when creating a static route and the VPN Settings found under Security / SD-WAN / Site-To-Site VPN.

There, you can configure yes/no for 'Use VPN' under local networks.

Isn't that kinda redundant?

Non-Meraki Peer Site-To-Site VPN and default route and 'In VPN' route

by Termont in Security / SD-WAN
06-06-2019 11:08 AM

Hello,

I am looking for clarifications on how the routing operates within the Meraki in regards to site-to-site VPNs. There seems to be a difference between how routing occurs for client VPN and StS VPN.

We have deployed tablets that use LTE connections through a private APN. Our APN provider links his network to our LAN through StS VPN. Internet is blocked within the APN, so no split tunneling, and all traffic is fully tunneled to our Meraki.

I am trying to obtain Internet access for my StS VPN clients, the tablets.

This article, although not fully related to my questions, confirms within the first phrases that the client VPN of the Meraki establishes only full tunnels. This is confirmed by checking my public IP while connected through VPN from my laptop. https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN

So, full VPN and Internet access through my Meraki; ergo, it uses the route 0 of the Meraki to access the Internet from my client VPN subnet.

This is not the behavior for the StS VPN. I do NOT get Internet.

How come the StS VPN clients do not get access to the Internet by accessing route 0 from my firewall?

In order to circumvent this issue, we added a static route 0 through the admin panel Security / SD-WAN / Addressing & VLANs / Static Routes.

Once route 0.0.0.0/0 is Enabled and 'In VPN' is checked, our StS VPN clients now obtain Internet access.

This in fact duplicates the 0.0.0.0/0 route, as can be seen in the general routing table in Security / SD-WAN / Route Table.

There, the 0.0.0.0/0 route shows subnet, name etc. and via shows '2 routes', one using the WAN uplink and the other created manually using the next hop specified in the manual creation.

Now, here is the kicker: from the static route creation panel, we configured that route to be Active "While next hop responds to ping" and configured a non-responding IP, thus, logically, rendering that route inactive. From what I was told by our provider, this does render the route inactive in the routing table but makes it visible to the StS VPN clients just by checking the box 'In VPN'.

How does the routing occur to the real 0.0.0.0/0 route then? This article seems to answer the question.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior

Route Priority

"traffic destined for an address for which multiple routes exist will be routed in the order of priority above"

Overlapping routes are routed by route priority it seems, thus giving access to route 0 to my site-to-site VPN. Am I understanding this correctly?

Not only that, when enabling or disabling that route, our StS VPN clients seem to lose communication with some of the VLANs they should have access to. It was suggested that we should down the StS IPsec tunnel and up it again to trigger the full sync of the routing configuration from Meraki cloud to the appliance. Does this make sense?

So to recap the questions:

How come the StS VPN clients do not get access to the Internet by default by accessing route 0 from my firewall?
Does Meraki route priority explain why my static route 0 'In VPN' works?
How is my static route 0 working with StS VPN clients if it is not meeting the active condition?
Would downing/upping the IPsec tunnel actually do anything and if yes, is there an enable/disable feature or do I actually need to delete the tunnel and recreate it to obtain the desired effect?

Thank you all for your answers.
© 2023 Meraki