Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About DBlum
Community Record
32
Posts
7
Kudos
0
Solutions
Badges
Aug 18 2023
9:17 AM
You can use MaxMind to determine location: https://www.maxmind.com/en/geoip-demo This is what Meraki uses, I did get confirmation that it will be corrected to USA on their next update cycle next Tuesday
... View more
So in talking with Meraki support it seems that subnet 17.250.96.0/22 is being associated to Taiwan for Apple and doing a correction with Maxmind to correct since they use them for geolocation. Weird thing they are still checking on is that whitelist is also being affected by Geolocation layer 7 rules.
... View more
Aug 16 2023
6:42 PM
Case is open, they have no idea right now and wanted to see if anyone else was having the same issue.
... View more
Aug 16 2023
6:38 PM
Various MX's (MX68, MX75, MX95)...no layer 7 firewall rule. I had read something about making sure icloud wasn't blocked but issue is happening at several locations where networks are both flat layer 2 and layer 3 networks. It is just iMessage send/receive video and pictures. Setup local is MX95 connected to MS125 and MR46 AP with client whitelisted.
... View more
Aug 16 2023
6:01 PM
We are getting reports from users in different organizations that iMessage is getting blocked when sending images or videos when connected to Meraki access points. This is even with the client being whitelisted as well as turning off AMP/Content Filtering/etc as well as when the SSID is either using corp lan or meraki guest. Users have no problems sending via Whatsapp the same images/videos.
... View more
Do you know what driver version you went with so we can do some testing? thank you
... View more
Has there been any update? We are still seeing issues and just put a new bldg up and of course half the clients are not working properly. Another weird issue we are experiencing with layer3 is that these devices are also getting apipa addresses and dhcp (going through switch) is not assigning proper ip's some oft the time.
... View more
We are going to try and problematic clients to 802.11n in settings of their devices for now.
... View more
I checked some other sites running 28.6 and seeing excess frame loss for some clients that are disassociating. I did a little more digging and it seems to mostly affect 802.11ax and 802.11ac clients and havent seen it affecting 802.11n clients
... View more
We are also seeing issues with this on MR44, MR46 in various deployments and running 29.4.1
... View more
Sep 26 2021
10:37 AM
I 100% percent agree with us, how can a company such a Cisco be reliant on an outside third-party to provide security updates to their infrastructure and how it allows outside traffic to pass through their hardware to companies that pay for a “Cisco” service. What were to happen if this third-party was attacked and they changed the routing tables such as a ransomware or C2 site to somewhere inside the United States that was not being blocked.
... View more
Sep 24 2021
12:02 PM
1 Kudo
Can you let us know who your geolocation vendor is and see if they have a lookup tool?
... View more
Sep 24 2021
11:09 AM
I think based on the size log it would create there is no way for meraki to have something in the portal.
... View more
Sep 24 2021
11:08 AM
1 Kudo
I am just curious how it only affects a small subset of customers as well? Every single one of my clients (100's of sites, tens of thousands of users) were affected if Hong Kong was being blocked. I would assume every single end user that had Hong Kong blocked would be affected by this and hopefully this issue will now expedite anything could help notify us. It would almost be impossible for a geolocation log to be created for the vast size it would be for every single site. Thank you
... View more
Aug 6 2021
12:22 PM
Appliance updated to 16.9 and now end users are getting certificate is not secure issues and only way to work is selecting allow untrusted servers which is not really viable. Tried rolling back to previous version and still getting the error. GA for MX95 is 16x and per all documentation on AnyConnect it will no longer be beta when 16x is GA so I don't really have any options that I know of. Any thoughts on what can be done to dix?
... View more
Labels:
- Labels:
-
Client VPN
Having a weird issue where clients connecting to the SSID will randomly be switched to an access point on the other side of the building with drops the service. SSID is on the same VLAN and is configured to bridge mode and has band steering on and both access points have less than 10 clients connecting to them. Any thoughts on what could be causing this? Thank you
... View more
Aug 5 2020
7:05 PM
We are transitioning a microtik router to an MX84 and was wondering the proper config for the following: Two WAN Ports Route all traffic from one vlan (guestwifi - 192.168.4.x) to uplink 2 Route all regular traffic (192.168.1.x) to uplink 1
... View more
Jun 9 2020
4:36 PM
1 Kudo
We have the whole subnet as part of the VPN...the other side ended up opening up their policy (juniper we found out) and it is communicating now. Thank you again for your help
... View more
Jun 9 2020
1:05 PM
Would you recommend just taking the NAT out of the equation (ie the provider said we can change the internal server ip to address on current subnet) to allow connectivity? Thank you
... View more
Jun 9 2020
8:04 AM
We are having an issue where we had to replace an ASA5505 and before there was a site to site vpn and now with the current MX64 the connection is not working. Here was the config from the ASA for the VPN: name 1.2.3.4 Diag description Diag VPN access-list outside_1_cryptomap extended permit ip host 10.0.20.45 Diag 255.255.255.248 access-list inside_nat_static extended permit ip host LocalServer Diag 255.255.255.248 static (inside,outside) 10.0.20.45 access-list inside_nat_static crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set peer 4.5.6.7 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map 1 set security-association lifetime seconds 14400 crypto map outside_map 1 set security-association lifetime kilobytes 10000 crypto map outside_map interface outside crypto isakmp enable inside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 tunnel-group 4.5.6.7 type ipsec-l2l tunnel-group 4.5.6.7 ipsec-attributes pre-shared-key xxxxx peer-id-validate nocheck isakmp keepalive disable Current Meraki Connection is set to Public IP 4.5.6.7 Private Subnet 10.0.20.45/29 IP SEC Policy PH1 - 3DES / SHA1 / DH2 / Timeout 14400 PH2 - 3DES / SHA1 / PFS off / Timeout 14400 Event log shows Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1). Non-Meraki / Client VPN negotiation msg: failed to get sainfo. Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: Local_PublicIP[500]<=>4.5.6.7[500] Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 4.5.6.7[500]->Local_PublicIP[500] spi=178891342(0xaa9acb0) Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1). Non-Meraki / Client VPN negotiation msg: failed to get sainfo. Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established Local_PublicIP[500]-4.5.6.7[500] spi:5407379688442cfd:315d9f4a0c478522 Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: Local_PublicIP[500]<=>4.5.6.7[500] VPN registry connectivity change vpn_type: site-to-site, connectivity: true Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1). Non-Meraki / Client VPN negotiation msg: failed to get sainfo. Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 4.5.6.7[500]->Local_PublicIP[500] spi=108337968(0x6751b30) Non-Meraki / Client VPN negotiation msg: pfkey DELETE failed: No such process Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted Local_PublicIP[500]-4.5.6.7[500] spi:74f722074d7dc223:2e10212799bd830f Non-Meraki / Client VPN negotiation msg: purged ISAKMP-SA spi=74f722074d7dc223:2e10212799bd830f. Non-Meraki / Client VPN negotiation msg: purged IPsec-SA spi=0. Non-Meraki / Client VPN negotiation msg: Unknown IPsec-SA spi=0, hmmmm? Non-Meraki / Client VPN negotiation msg: purging ISAKMP-SA spi=74f722074d7dc223:2e10212799bd830f. Any thoughts? Thank you
... View more
May 22 2020
3:14 AM
So I think I found the issue but I cant explain it...I disabled the site to site vpn because there was a ton of UDP hits on it and as soon as I did that the speed is back to normal. The UDP hits is due to a testing apparatus at one office sending the data to the the main office. Is there any reason this high hit of UDP packets would cause this issue? Here is a sample of the packets (ip addresses have been modified): 1682 7.535586 wsip-70-122-54-105 wsip-70-122-54-115 UDP 1466 46115 → 44916 Len=1424 1683 7.535598 wsip-70-122-54-105 wsip-70-122-54-115 UDP 1466 46115 → 44916 Len=1424 1684 7.535624 wsip-70-122-54-105 wsip-70-122-54-115 UDP 1466 46115 → 44916 Len=1424 1685 7.536136 wsip-70-122-54-105 wsip-70-122-54-115 UDP 1466 46115 → 44916 Len=1424 1686 7.536139 wsip-70-122-54-105 wsip-70-122-54-115 UDP 1466 46115 → 44916 Len=1424 1687 7.536161 wsip-70-122-54-105 wsip-70-122-54-115 UDP 1466 46115 → 44916 Len=1424 1898 7.567805 wsip-98-127-52-205 wsip-70-122-54-105 UDP 130 44916 → 46115 Len=88 1899 7.567849 wsip-98-127-52-205 wsip-70-122-54-105 UDP 130 44916 → 46115 Len=88 1900 7.567898 wsip-98-127-52-205 wsip-70-122-54-105 UDP 130 44916 → 46115 Len=88 1901 7.568474 wsip-98-127-52-205 wsip-70-122-54-105 UDP 130 44916 → 46115 Len=88 1902 7.568530 wsip-98-127-52-205 wsip-70-122-54-105 UDP 130 44916 → 46115 Len=88
... View more
May 22 2020
2:41 AM
Yes, again it is the weirdest thing because the appliance at my home office is getting 200mb on dashboard and plugging in either third party router or laptop directly into cable modem at office gets the proper 100 down.
... View more
May 21 2020
7:29 PM
Wireshark will not allow me to obfuscate public ip's
... View more
May 21 2020
6:56 PM
Weird thing is I bring the device to my home office and use same cox broadbank and 200+ on throughput test
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 800 | |
| 2 | 34889 | |
| 1 | 29706 | |
| 1 | 30640 | |
| 1 | 2521 |
© 2024 Cisco Systems, Inc.
