Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout MarcelTempelman
MarcelTempelman
Getting noticed
Member since Jul 10, 2019
Apr 28 2025
Community Record
57
Posts
18
Kudos
0
Solutions
Badges
Apr 4 2025
7:17 AM
Hi, I just thought I forgot to add this detail 🙂 Yes one of the MS250 switchstacks does the routing.
... View more
Apr 4 2025
4:24 AM
4 Kudos
Hi, This is a FYI post. We rolled back the MS17.2.1 to MS16.9 (MS250 switch stacks) at a few customer sites because it started causing problems for devices trying to communicate outside their VLAN. Because these are care locations we were unable to do extensive troubleshooting but this is what happens: - devices (camera's and Android based communication devices) connected to the switch or via MR36H work properly after the switch came up after reboot - after a while some of these devices stopped communicating with their primary server which is outside their VLAN (in Azure, reachable via VPN). Communication with the local server in the same VLAN was fine. - resetting a device or cycling a port would restore connectivity but after approx. an half hour problems started to arise again - not all devices were affected. Rollback to 16.9 restored functionality and solved the issues. I've opened a TAC-case with this information. As an engineer I would like to investigate this more and have a real root cause but the care for the clients at these site has priority. With kind regards, Marcel Tempelman.
... View more
Dec 4 2024
1:55 AM
Hi, A few quick questions : I noticed that non-meraki VPNs now support BGP routing. In any other case (ASA, routers, etc) I would associate this with Virtual Tunnel Interfaces. - So is Meraki supporting VTI-based VPNs without calling them VTIs? - What does this BGP-routing option mean for AutoVPN ; can external routes be advertised over AutoVPN? It seems very interesting (I've been waiting for some kind of VTi-support for quite some time) but I also have many questions 🙂 with kind regards, Marcel Tempelman.
... View more
Labels:
- Labels:
-
Firewall
Jun 10 2024
12:47 AM
It's a bit trial and error. We have about 10 subnets on both sides. I know that Meraki uses 1 SA for all traffic selectors when using IKEv2, I'm not sure about NSX-T (documentation is scarce). We're also using Fortigates at customer sites to connect NSX-T and we see little issues there (and also with ASAs). The 3rd party VPN issues is really holding us back selling these MXs to customers and that is a shame. For one customer we installed an MX in our datacenter and AutoVPN is rock solid but that's not our preferred solution (although I would'nt mind having a stack of customer MXs in the DC). In the meantime I hope Meraki will give the 3rd party VPN some more love (and add VTI !!!!!)..
... View more
Jun 10 2024
12:40 AM
We had some differences in the traffic selectors but we fixed that. It's only the phase 2 which is flapping like hell (network instability would affect phase 1) and we do not see these issues with Fortigates.
... View more
Jun 6 2024
1:07 AM
Hello all, We have a datacenter which is built with VMWare software and for networking we use NSX-T (we migrated from NSX-V this year). VPN-tunnels with NSX-V were not really super table but since the migration VPN-issues are almost a daily occurence. We have contacted support but their standard answer is almost always "we see no issues here" Phase 1 is in general reasonably stable but phase 2 is realy a headache. Jun 6 10:03:04 VDT-HEE-FW01 Non-Meraki VPN Non-Meraki VPN negotiation msg: <remote-peer-4|42> closing CHILD_SA net-4{4913} with SPIs ce45e2d6(inbound) (13761 bytes) 9c6df103(outbound) (30904 bytes) and TS 172.30.200.0/24 === 10.95.020.0/24 Jun 6 10:03:04 VDT-HEE-FW01 Non-Meraki VPN Non-Meraki VPN negotiation msg: Jun 6 08:03:03 13[IKE] <remote-peer-4|42> outbound CHILD_SA net-4{5315} established with SPIs cd5ee2be(inbound) 25593d03(outbound) and TS 172.30.200.0/24 === 10.95.020.0/24 Jun 6 10:03:04 VDT-HEE-FW01 Non-Meraki VPN Non-Meraki VPN negotiation msg: Jun 6 08:03:03 13[IKE] <remote-peer-4|42> inbound CHILD_SA net-4{5315} established with SPIs cd5ee2be(inbound) 25593d03(outbound) and TS 172.30.200.0/24 === 10.95.020.0/24 Jun 6 10:03:04 VDT-HEE-FW01 Non-Meraki VPN Non-Meraki VPN negotiation msg: <remote-peer-4|42> closing CHILD_SA net-4{4941} with SPIs c8ba247f(inbound) (50838 bytes) 67659a00(outbound) (92069 bytes) and TS 172.30.200.0/24 === 10.95.020.0/24 Jun 6 10:03:04 VDT-HEE-FW01 Non-Meraki VPN Non-Meraki VPN negotiation msg: Jun 6 08:03:03 07[IKE] <remote-peer-4|42> outbound CHILD_SA net-4{5314} established with SPIs c3892e57(inbound) 3d90e600(outbound) and TS 172.30.200.0/24 === 10.95.020.0/24 Jun 6 10:03:04 VDT-HEE-FW01 Non-Meraki VPN Non-Meraki VPN negotiation msg: Jun 6 08:03:03 07[IKE] <remote-peer-4|42> inbound CHILD_SA net-4{5314} established with SPIs c3892e57(inbound) 3d90e600(outbound) and TS 172.30.200.0/24 === 10.95.020.0/24 I see IPSec-SAs coming up and going down and although it seems most of the time it does not affect the connectivity sometimes we suddenly lose connections and we have much difficulty restarting the tunnel because not all IPSec SA become operational. Last night I have cleaned up the traffic selectors on both sides and that seems to clear up a lot in the logging (which is not surprising) but I keep seeing these IPSec SA going up and being torn down. Troubleshooting at NSX-T can be done but has to be done at the Linux-level because VMWare does not provide any sensible tooling for that. We have support from a VMWare partner but as goes with a lot of server focused companies they have only the bare minumum knowledge about networking.... Phase 1 and Phase 2 are both the same. We run IKEv2 but we have tried IKEv1 but that is way more unstable. My question is : does anyone have any experience with VMWare NSX-T and Meraki VPN-tunnels?
... View more
Feb 13 2024
11:54 PM
Good to hear and it was a pleasure to help!
... View more
Dec 18 2023
12:56 AM
2 Kudos
Hi, when I was playing with the new AP Neighbor option I saw that AutoRF makes strange choices when it comes to channel planning: We're mostly using 40Mhz channels on 5Ghz and what I see is: - Some channels have the lower channel as primary channel, others have the upper channel as primary - AutoRF does not avoid overlap : I see often secondary channels overlapping due to this - AutoRF thinks that Channel 64/100 is also a perfect pair (have never seen this before with other vendors). Although this might technically all work fine (have had no complaints) but I'd like to see a bit more predictability ( In critical environments I opt for a static channel plan) : so no overlap and being able what to use as primary channel.
... View more
Jun 28 2023
12:21 PM
1 Kudo
9m is just above the recommended height for the 3-D antenna. It might work but you might experience some problems at the ground level. The 3-E is more suited for that. The antenna portfolio is still the same. Must say after doing a few Cisco jobs again, Meraki has a better antenna portfolio than Cisco.... (more choice). A chat or call is no problem.
... View more
Jun 26 2023
2:45 AM
Be sure spanning-tree is working properly between the MS390 and the HP Procurve switch. A wrong config might block traffic in VLANs between the switches (MS390 runs MST (i believe) and the Procurve can run this as well (default spanning-tree is disabled on a procurve).
... View more
Apr 19 2023
5:33 AM
2 Kudos
Found this thread after PRTG discovered a SNTP service on a MX. I've tried to configure a MX as a NTP-server on a Catalyst switch..... and it works !
... View more
Nov 22 2022
11:41 PM
Thank you. We've reinstated the ASA for Anyconnect and we're going to look for a suitable solution.
... View more
Nov 8 2022
4:45 AM
1 Kudo
Hello, we have a few customers who require users to use a VPN client to access to other local VLANs also when they are at the office or workplace (so not at a remote site). Normally these users only have access to a few local resources and the Internet but with an established VPN connection they have access to more resources/VLANs. Question: Does the MX support Client VPN and/or AnyConnections from LAN-clients? It seems it does not support it with AnyConnect. If so we need to keep the old ASA up and running. With kind regards, Marcel Tempelman.
... View more
Jul 13 2022
12:29 AM
I have tried setting the power manually but even then the dashboard keeps telling me the max output power is lower than expected. I haven't done any measurement tests to see if the measured output power increases when setting it manually higher. If so the dashboard is not reporting it right but considering the explanation that this is "working as designed" I doubt there will be any difference between the dashboard and the actual output power of the AP.
... View more
Jun 21 2022
5:20 AM
I'm trying to wrap my head around this how we should consider this in a design: Let's say I design a VoWLAN network with every AP (MR46) at 14 dBm EIRP (@ 5Ghz). This means I set the AP in the dashboard at 8dBm (as far as I know that's always the AP output power without the antenna) and with the antenna gain I end up at 14dBm EIRP. Does the beam forming gain only add up when I allow more output power than 14 dBm?This could result in sticky clients. When beam forming kicks in does the output power of the AP go back to 2 dBm to compensate the 6 dBm gain to keep the max at 14 dBm? I'd like to hear Meraki explaining this because if the behavior is unclear you can end up with pretty wonky designs.
... View more
Jun 20 2022
4:58 AM
Just checking my case notes : my test on channel 100 (20mhz) saw the output power max out at 13dBm. The 3F gain is almost 11 dBm so 13+11=24 dBm which is 6 dBm below the regulatory 30 dBm. This makes sense if beamforming takes 6 dBm... (why isn't this in the datasheet ?).
... View more
Jun 20 2022
4:21 AM
1 Kudo
I have a customer with MR46E with MA-ANT-3F antennas and it's impossible to get the output power above 6dBm on UNII-1 and UNII-2e (max EIRP 17dBm instead of the expected max 23 dBm). It allows 12 dBm on UNII-2e channels. On 2.4Ghz 3 dBm is the max output power. Support could not give me an answer (like above) why the settings are lower than the MR42E (MR42Es do not have these limitations or uses the 3dBm margin, they are 3x3:3). All in all the dashboard is a bit confusing when it comes to output power and EIRP values. Edit : customer is in ETSI region also.
... View more
May 24 2022
11:42 PM
1 Kudo
I often use MA-ANT-3-E6 antennes to cover ground areas if the ceiling is above 8m (in designs). Below that I'd advise you to use a downtilt omni antenna. Main advantage of the 3-E is that you get a smaller coverage cell than with an omni so if roaming is required this will give you a more predictable wireless environment. This is a MR42E with a 3-E antennes at approx 11m in a warehouse. 3-F antennes are used for getting the signal between the racks (also mounted at 11m) and standard APs at the docks (mounted at 3m).
... View more
May 10 2022
8:24 AM
The Meraki example which I posted was during a MS Teams call from my iPhone 8 (started at 15:16 and took 6 minutes). The call was quite good (some glitches). The experience with the Gigaset smartphone was quite horrible but that's because it's crap hardware (sticking to APs up to -90+ dBm.......). But that aside when I look at the iPhone roaming the number do not make any sense to me. When I look at your example it seems to make sense.
... View more
May 10 2022
7:03 AM
Yesterday I did some testing with a Android smartphone from Gigaset. These phones are horrible when it comes to roaming. So I made a round with my iPhone 8. If I look at the timeline from a wireless troubleshooting perspective then this is a useless tool. The reporting is not consistent (sometimes the time to connect is missing) and the reported time values are nowhere near what you want to see when checking requirements. For example if you check Voice over WLAN requirements you want to see if the device roams within 150ms. Do not know who developed this but this is developed without any knowledge about wireless troubleshooting. This is useful information (Cisco Wireless Debug Analyzer):
... View more
May 9 2022
2:21 AM
Thanks for the update! This afternoon I'll be going on site and will try to collect some data about roaming (there are issues with a Gigaset android devices) with different devices and see if it corresponds with what the dashboard is telling me.
... View more
May 9 2022
2:11 AM
Any news on ths topic ? I still see 'time to connect' values between 2000-4500ms when roaming. Which is quite bad considering this is on a Voice SSID.I think I'll open a case as well.
... View more
Mar 10 2022
2:32 AM
Hello all, We're troubleshooting some roaming issues at a customer site and the timeline shows this: What does the Time to Connect indicate? If that's the time needed to roam then it's ridiculously high and way too high for VoWLAN roaming. I cannot imagine this is the roaming time (everything above 150ms should be marked red) because even for data a 4 second roam is way too slow . This is a SSID with WPA2/PSK encryption and layer 2 roaming so there's no external influence on the roaming speed. I'm accustomed to sub 10ms roaming in Cisco Enterprise with a PSK or 802.1X with .11r enabled. Can someone clarify that number ? With kind regards, Marcel Tempelman.
... View more
Oct 23 2020
12:35 AM
The story continues: Have tested it with a MR33 and it fails to work with Microsoft NPS. I've also tried FreeRadius and that works. During the tests I made come captures: This is FreeRadius capture (the only interesting part is the Access-Accept reply from the RADIUS server): This is the NPS reply: Assuming Meraki ignores the other attributes, one thing is different in the Tunnel-Password attribute; NPS is not adding a Tag field in the reply. From the RFC Tag
The Tag field is one octet in length and is intended to provide a
means of grouping attributes in the same packet which refer to the
same tunnel. Valid values for this field are 0x01 through 0x1F,
inclusive. If the value of the Tag field is greater than 0x00 and
less than or equal to 0x1F, it SHOULD be interpreted as indicating
which tunnel (of several alternatives) this attribute pertains;
otherwise, the Tag field SHOULD be ignored. Don't know if this is the case but this might be the reason it is not working.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 4 | 6924 | |
| 3 | 20756 | |
| 2 | 1344 | |
| 2 | 18615 | |
| 1 | 9363 |
© 2025 Cisco Systems, Inc.
