Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About e39_540i
e39_540i
Getting noticed
Member since Jul 2, 2019
Nov 15 2022
Community Record
27
Posts
2
Kudos
0
Solutions
Badges
Nov 15 2022
7:58 AM
Please stop. I've already received 4 notifications from the thread, I didn't need an additional private message to know that you've responded here.
... View more
Nov 15 2022
7:44 AM
So is the answer that I don't have the option to configure it? Or that I need to open a support case? Sorry, but unless you have a definitive answer, I'd like to hear from anyone who actually knows.
... View more
Nov 15 2022
7:26 AM
Hi all, we've recently transitioned from Cisco AnyConnect to Meraki AnyConnect and still have the age-old issue of users unable to change their passwords if it has expired before the next time they log in to the VPN. Question: Is it possible to inform the user that their password has expired when they go to log into the VPN and ALSO allow them to change it at that time?
... View more
Feb 28 2022
2:37 PM
Hey just a heads up, I went back and cleaned this up and removed syslog-ng altogether as I didn't want to have to maintain a different application just to collect the Meraki logs. I might re-install it if I need to push other logs to this server but for the time being, I'm only sending Cisco FP and Meraki logs. In order to do this, I downloaded and installed the Sumo Logic Installed Collector on my Linux server. With the collector installed, you simply need to configure the sources (your Meraki devices) in the Sumo Logic dashboard with the corresponding IP and port numbers. Use these docs to get things going: 1. https://help.sumologic.com/07Sumo-Logic-Apps/22Security_and_Threat_Detection/Cisco_Meraki/Collect_logs_for_the_Cisco_Meraki_App 2. https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Syslog-Source From this article, this was the important piece for me -- For multiple syslog collections, set up a separate Source for each and set a separate port number for each. Hope that helps. I'm now able to ingest the Meraki logs without configuring a whole bunch of overhead for syslog-ng.
... View more
Feb 28 2022
2:32 PM
They still need to connect to the VPN when they work from home. I think you may have misunderstood my question. Users will work from home a majority of the time. Occasionally, they will come into the office and connect either via ethernet or wireless. At that time, we don't need them to use the Meraki Client VPN. Hope that clears things up.
... View more
Feb 28 2022
2:09 PM
This is probably a very very basic question but I need some clarity. We have corporate office networks across the US and users connect to them via the Meraki Client VPN. When they come into the office, we obviously don't need them to connect to the VPN at that time. What is the correct way to configure the MX to block or prevent users from connecting to the VPN when they are connected to the local network?
... View more
Jan 4 2022
8:17 AM
Hey @Sumo_int9898 , I would have loved to have pushed it to an S3 bucket but they are going to the EC2 instance itself. Once Sumo ingests the log, the data in the log file itself is no longer required. You should also be able to set a retention policy on the Sumo Logic side for compliance purposes. You could theoretically set a cron job on the EC2 instance to clear out the files on a daily basis as they would not be needed for any considerable period.
... View more
Feb 9 2021
9:02 AM
Just following up to provide some snippets of my actual config file, here's how I have it configured (generalized for privacy). Also, if there's any way to clean this all up, any input is much appreciated. I am a novice with Linux and even more-so with syslog-ng. #define syslog source -- a.b.c.d in this section referring to the syslog server. #source s_net { udp(ip(0.0.0.0) port(514)); }; #source s_net { tcp(ip(0.0.0.0) port(514) max-connections (5000)); udp(); }; source s_net { udp(ip(a.b.c.d) port(514)); }; source s_meraki_flfw { udp(ip(a.b.c.d) port (514)); }; source s_meraki_cafw { udp(ip(a.b.c.d) port (514)); }; source s_meraki_cofw { udp(ip(a.b.c.d) port (514)); }; source s_meraki_gafw { udp(ip(a.b.c.d) port (514)); }; source s_meraki_mnfw { udp(ip(a.b.c.d) port (514)); }; #filtering filter f_meraki_vmx100_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); }; filter f_meraki_vmx100_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); }; filter f_meraki_flfw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); }; filter f_meraki_flfw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); }; filter f_meraki_cafw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); }; filter f_meraki_cafw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); }; filter f_meraki_cofw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); }; filter f_meraki_cofw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); }; filter f_meraki_gafw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); }; filter f_meraki_gafw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); }; filter f_meraki_mnfw_flows { host(x.x.x.x) and match("flows" value ("MESSAGE")); }; filter f_meraki_mnfw_urls { host(x.x.x.x) and match("urls" value ("MESSAGE")); }; #destination files destination df_meraki_vmx100_urls { file("/var/log/meraki_urls.log"); }; destination df_meraki_vmx100_flows { file("/var/log/meraki_flows.log"); }; destination meraki_flfw_flows {file("/var/log/firewalls/meraki/flfw/mx_flows.log"); }; destination meraki_flfw_urls {file("/var/log/firewalls/meraki/flfw/mx_urls.log"); }; destination meraki_cafw_flows {file("/var/log/firewalls/meraki/cafw/mx_flows.log"); }; destination meraki_cafw_urls {file("/var/log/firewalls/meraki/cafw/mx_urls.log"); }; destination meraki_cofw_flows {file("/var/log/firewalls/meraki/cofw/mx_flows.log"); }; destination meraki_cofw_urls {file("/var/log/firewalls/meraki/cofw/mx_urls.log"); }; destination meraki_gafw_flows {file("/var/log/firewalls/meraki/gafw/mx_flows.log"); }; destination meraki_gafw_urls {file("/var/log/firewalls/meraki/gafw/mx_urls.log"); }; destination meraki_mnfw_flows {file("/var/log/firewalls/meraki/mnfw/mx_flows.log"); }; destination meraki_mnfw_urls {file("/var/log/firewalls/meraki/mnfw/mx_urls.log"); }; #bundle source, filter & destination rules log { source ( s_net ); filter( f_meraki_vmx100_urls ); destination ( df_meraki_vmx100_urls ); }; log { source ( s_net ); filter( f_meraki_vmx100_flows ); destination ( df_meraki_vmx100_flows ); }; log { source ( s_meraki_flfw); filter( f_meraki_flfw_flows); destination ( meraki_flfw_flows ); }; log { source ( s_meraki_flfw); filter( f_meraki_flfw_urls); destination ( meraki_flfw_urls ); }; log { source ( s_meraki_cafw); filter( f_meraki_cafw_flows); destination ( meraki_cafw_flows ); }; log { source ( s_meraki_cafw); filter( f_meraki_cafw_urls); destination ( meraki_cafw_urls ); }; log { source ( s_meraki_cofw); filter( f_meraki_cofw_flows); destination ( meraki_cofw_flows ); }; log { source ( s_meraki_cofw); filter( f_meraki_cofw_urls); destination ( meraki_cofw_urls ); }; log { source ( s_meraki_gafw); filter( f_meraki_gafw_flows); destination ( meraki_gafw_flows ); }; log { source ( s_meraki_gafw); filter( f_meraki_gafw_urls); destination ( meraki_gafw_urls ); }; log { source ( s_meraki_mnfw); filter( f_meraki_mnfw_flows); destination ( meraki_mnfw_flows ); }; log { source ( s_meraki_mnfw); filter( f_meraki_mnfw_urls); destination ( meraki_mnfw_urls ); };
... View more
Feb 8 2021
1:05 PM
1 Kudo
Hi @cmr, Its an Amazon Linux 2 AMI (AWS) and I'm running syslog-ng as I found recommended by various sources. I set up the sources as separate "lines" for each office so something like: s_meraki_vmx100 s_meraki_office01 s_meraki_office02 s_meraki_office03 and so on, trying to stay close to the Meraki documentation shown below #define syslog source
source s_net { udp(ip(192.168.10.241) port(514)); };
#create individual filters to match each of the role categories
filter f_meraki_urls { host( "192.168.10.1" ) and match("urls" value ("MESSAGE")); };
filter f_meraki_events { host( "192.168.10.1" ) and match("events" value ("MESSAGE")); };
filter f_meraki_ids-alerts { host( "192.168.10.1" ) and match("ids_alerted" value ("MESSAGE")); };
filter f_meraki_flows { host( "192.168.10.1" ) and match("flows" value ("MESSAGE")); };
#define individual destinations for each of the role categories
destination df_meraki_urls { file("/var/log/meraki_urls.log"); };
destination df_meraki_events { file("/var/log/meraki_events.log"); };
destination df_meraki_ids-alerts { file("/var/log/meraki_ids-alerts.log"); };
destination df_meraki_flows { file("/var/log/meraki_flows.log"); };
#bundle the source, filter, and destination rules together with a logging rule for each role category
log { source ( s_net ); filter( f_meraki_urls ); destination ( df_meraki_urls ); };
log { source ( s_net ); filter( f_meraki_events ); destination ( df_meraki_events ); };
log { source ( s_net ); filter( f_meraki_ids-alerts ); destination ( df_meraki_ids-alerts ); };
log { source ( s_net ); filter( f_meraki_flows ); destination ( df_meraki_flows ); };
... View more
Feb 8 2021
11:17 AM
Hi all, I recently posted about setting up the syslog server and sending logs from my Meraki devices but I've come across another issue. I'm able to get log information from my VMX100 just fine. However, when I try to add multiple sources (we have 5 offices that I need to be able to send syslog data from), the syslog server doesn't appear to be handling them correctly, or at all. As soon as I add a second network source, the original source will stop writing. For example: 1. VMX100 is configured and currently writing to the syslog server 2. Configure Network 1 to write the same syslog server 3. Network 1 begins writing to the syslog server and the expected destination file but now, the VMX100 stops writing to its log file. I initially thought it was an issue when adding all of my networks in but I tried adding it in one by one and experienced the same behavior. Also, has anyone seen any issues where a Meraki device doesn't generate any syslog data at all? I tried a packet capture and couldn't see anything on one of my MX64Ws despite enabling the syslog feature.
... View more
Jan 25 2021
11:38 AM
1 Kudo
Thanks for your help! Looks like I had misconfigured the security group and set it for TCP instead of UDP. I configured my other firewall correctly for UDP but wasn't testing with that device just yet. Recreated the security group and I'm now receiving data to my flows and urls log files! BTW, I am still using port 514 and did not have to switch to 1514 (will keep this in mind, though, if we run into issues in the future). I'm now working on trying to get these log files ingested by a SIEM solution (Sumo Logic) we're looking to implement so this has been a really good learning lesson for me. I may continue to post here rather than open up a new thread just to keep things organized in case anyone else runs into issues configuring syslog-ng on an AWS Linux 2 EC2 instance.
... View more
Jan 25 2021
8:42 AM
@PhilipDAth wrote: I don't know the answer. I believe the s_net is the interface on the syslog service that will be used to listen to incoming messages - not the IP address of the VMX. Try: source s_net { tcp(ip(0.0.0.0) port(514) max-connections (5000)); udp(); }; That was totally my fault. I had misread that particular line in the documentation and entered the source s_net as the IP address of the VMX. I've corrected that and the service is no longer failing with the IP address of the syslog service. However, I'm not seeing it listening. Any ideas if I need to manually set it to listen or should it be listening by default once configured?
... View more
Jan 25 2021
6:48 AM
Thanks for your reply, @PhilipDAth. Based on the documentation here: https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration Is there any issue with that initial part of the statement that shows "tcp" since the document linked above shows that Meraki sends syslog over UDP? I'll give this a shot.
... View more
Jan 24 2021
4:49 PM
Hi all, As the title suggests, I'm attempting to configure syslog-ng on an AWS Linux 2 EC2 instance and I should state that I'm quite a novice when it comes to Linux so there were some stumbling blocks getting the syslog server setup but I believe I've got everything running now, unfortunately, I'm running into some error messages when I attempt to configure one of our appliances, a virtualized VMX100, in the same AWS environment, to send its logs to the server. I confirmed with Meraki support that they could see traffic being sent out via port 514. However, when I configure the s_net source in the syslog-ng.conf file, as soon as I switch the IP address or uncomment the line and enter the IP address of the VMX, the service fails shortly after. Or, if I restart the service, it will fail to start. There seems to be an issue binding the IP address and port. As soon as I comment out the line and go back to the mostly default config, the syslog-ng service runs fine without issues. Attached is a screenshot of the exact error message I get whenever I try to switch that source to the IP of the VMX100" some more info: journalctl -xe - The result is failed. Jan 22 18:58:37 ip-addr-here systemd[1]: Unit syslog.socket entered failed state. Jan 22 18:58:37 ip-addr-here systemd[1]: syslog-ng.service failed. Jan 22 18:58:37 ip-addr-here dhclient[2880]: XMT: Solicit on eth0, interval 130400ms. ---- Jan 22 18:51:52 ip-ip-addr-here syslog-ng[8939]: syslog-ng starting up; version='3.5.6' Jan 22 18:51:52 ip-ip-addr-here systemd[1]: Listening on Syslog Socket. Jan 22 18:51:52 ip-ip-addr-here systemd[1]: Starting Syslog Socket. Jan 22 18:51:52 ip-ip-addr-here systemd[1]: Starting System Logger Daemon... Jan 22 18:51:52 ip-ip-addr-here systemd[1]: Started System Logger Daemon. Jan 22 18:52:39 ip-ip-addr-here dhclient[2880]: XMT: Solicit on eth0, interval 128120ms. Jan 22 18:54:48 ip-ip-addr-here dhclient[2880]: XMT: Solicit on eth0, interval 108460ms. Jan 22 18:56:36 ip-ip-addr-here dhclient[2880]: XMT: Solicit on eth0, interval 120920ms. Jan 22 18:56:50 ip-ip-addr-here syslog-ng[8939]: syslog-ng shutting down; version='3.5.6' Jan 22 18:56:50 ip-ip-addr-here systemd[1]: Stopping System Logger Daemon... Jan 22 18:56:50 ip-ip-addr-here syslog-ng[8952]: syslog-ng starting up; version='3.5.6' Jan 22 18:56:50 ip-ip-addr-here systemd[1]: Stopped System Logger Daemon. Jan 22 18:56:50 ip-ip-addr-here systemd[1]: Starting System Logger Daemon... Jan 22 18:56:50 ip-ip-addr-here systemd[1]: Started System Logger Daemon. Jan 22 18:58:00 ip-ip-addr-here syslog-ng[8952]: syslog-ng shutting down; version='3.5.6' Jan 22 18:58:00 ip-ip-addr-here systemd[1]: Stopping System Logger Daemon... Any help would be greatly appreciated!
... View more
Jan 22 2020
9:21 AM
Figured out what was going on here. Google requests would routinely get routed to servers in Mexico. Our L7 firewall rules are currently set to only allow communication to/from certain countries and Mexico is not one of them. When the searches would time out, I could go into the search bar and change it to .co.uk and it would immediately return the search result. nslookup helped pinpoint this issue if anyone runs into this in the future. Meraki uses MaxMind for their GeoIP lookups so it all makes more sense now. My question now is, is there a way to prevent our network users from resolving to Google's servers in Mexico?
... View more
Jan 9 2020
9:24 AM
I'll give it a shot. If anyone else has any ideas, I'm all ears.
... View more
Jan 9 2020
9:00 AM
We have CarbonBlack installed as our AV/endpoint protection. As far as DNS, we use AWS' Managed Active Directory solution so I noticed when I do an nslookup it is using one of the two servers. For instance if I say nslookup google.com, it shows me the AWS Managed AD IP address and finally the non-auth answer for google.com.
... View more
Jan 9 2020
8:54 AM
Unfortunately, we don't have Web search filtering under Content Filter. Would have been nice if that were the case then I could just disable that. We actually don't have AMP enabled at the moment (although I thought we did). We do have IDS set to Prevention and Security.
... View more
Jan 9 2020
8:23 AM
Hi all, I'm trying to track down an issue where Google Search will timeout multiple times a day. Behavior: Open a new tab to perform a Google search with Google Chrome and the tab just spins and eventually times out. Sometimes I can open Microsoft Edge and get to google.com to search while Chrome is still spinning. This happens on the wired or wireless network. System Specs: Windows 10 Windows patches up to date Any desktop/laptop I've tried doing a packet capture with wireshark but I'm not seeing the problem. I might not be looking for the right entries (just looking at DNS requests) so if you have any pointers, please let me know. It certainly feels like a DNS issue but this is happening at other offices (in different geographical locations) that have their own DNS settings. I've also tried looking at the Meraki Event Logs for the specific client but nothing out of the ordinary shows up. I can still ping google.com when this is happening. Any ideas?
... View more
Dec 4 2019
11:59 AM
From the VPN Status page, right around the time this was happening between the two offices. However, the peer that is listed isn't one of the two offices that fired off the alerts.
... View more
Dec 4 2019
11:28 AM
Can anyone help me understand what's going on here? Yesterday, we received over 300+ emails regarding our site-to-site VPN connectivity. I looked at all of our networks and only found one whose ISP might have been experiencing some packet loss but I couldn't find anything conclusive. Naturally, these alerts bring about cause for concern but I'm not well-versed enough in networking to understand and explain the root cause. We have 4 offices across the US and a vMX in AWS. Two offices have MX64Ws and two have MX84s. In looking at the event log for my office, I see the following (I've removed IP addresses) Dec 4 11:13:33 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500] spi=888265128(0x34f1d9a8) Dec 4 11:13:33 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500] spi=206994847(0xc567d9f) Dec 4 10:59:36 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport x.x.x.x[4500]->6.1.0.0[4500] spi=3964283478(0xec4a2a56) Dec 4 10:59:35 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport 6.1.0.0[4500]->x.x.x.x[4500] spi=234977461(0xe0178b5) Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: unknown Informational exchange received. Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->6.1.0.0[4500] spi=1005843818(0x3bf3f56a) Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->6.1.0.0[4500] spi=29252204(0x1be5a6c) Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established x.x.x.x[4500]-6.1.0.0[4500] spi:19289d9b7b15ae4a:865153a03b9cd61e Dec 4 10:55:20 Non-Meraki / Client VPN negotiation msg: invalid DH group 19. Dec 4 10:55:20 Non-Meraki / Client VPN negotiation msg: invalid DH group 20. Dec 4 10:55:20 Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY Dec 4 10:47:36 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport 6.1.0.1[4500]->x.x.x.x[4500] spi=264265771(0xfc0602b) Dec 4 10:47:35 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport x.x.x.x[4500]->6.1.0.0[4500] spi=3964283478(0xec4a2a56) The IP addresses were my public and what I can only assume is the next hop to the carrier (same county, different city). The "expired" messages are concerning but realistically, there's no discernible impact to any of the interconnected offices when these alerts are firing off. I'd appreciate any help and insight anyone can provide. Is there maybe a parameter we can increase if this is a timeout/heartbeat issue? These alerts may be causing undue stress. Thanks in advance.
... View more
Dec 3 2019
6:54 AM
MX64W showing up to date (14.40).
... View more
Dec 2 2019
2:23 PM
Has anyone else had this problem? I have an MX64W. I have a number of L3 and L7 firewall rules set but would like to create a Group Policy to allow a specific set of users (HR) to have access to a site that is in Canada. I add all the L3 and L7 rules into this new Group Policy and just as soon as I do, users can no longer access a different site (meetings.ringcentral.com) despite not even having the GP applied to any of these users/clients. I don't have anything set to apply GP to specific subnets, all of that is set to off/disabled. I can't sort out why wireless clients are having this issue. I had a different (but related) issue on another network that uses Meraki APs. All wireless users were booted off of the APs and could not get back on. I deleted the Group Policy and that let the users back onto the wireless. I should say this Group Policy was enabled on Wednesday of last week. Any ideas? I'm not sure what's going wrong but maybe there's configuration I'm missing somewhere.
... View more
Oct 9 2019
2:38 PM
Thanks @PhilipDAth, That answers my question. I appreciate you replying to this old thread! Hopefully this info is helpful to others looking for this info as well. Quick edit: If RADIUS doesn't get computer information, what mechanism would make it possible to authenticate the computer/device the user is logging in from? Would we have to use something different altogether?
... View more
Oct 9 2019
12:03 PM
Hi @PhilipDAth, Can you elaborate on why this isn't possible? We're looking to implement this (we already have RADIUS configured to authenticate based on a specific user group) but it sounds like it wouldn't work. NPS in Windows Server 2012 has the option to do both user and computer via Windows Group (which says it does both?), or, one or the other meaning you can select Machine Groups or User Groups. Is this a limitation on the Meraki side?
... View more
My Top Kudoed Posts
© 2024 Cisco Systems, Inc.
