About rbnielsen

rbnielsen

From what I see, it should be possible by creating a Device Profile, and pushing it to the device. But I would probably try reaching out to Meraki Support, rather then Cisco TAC.

rbnielsen · ‎01-24-2021

I honestly can't remember what the option 242 was for. It was about 3-4 years since I installed it. But I think it's Avaya IP Office.

rbnielsen · ‎01-24-2021

Are the switchports connecting the the IP phones and PCs configured ála this? Also, you'll need to set DHCP relay on the interface on the switch. Make sure the interface IP address isn't in use some where else. I see in your screenshot that you use .1 addres for the interface. You'll also need to ensure you have connectivity to the server. This means that VLAN218 is allowed on trunk links further upstream. Also, regarding DHCP options, make sure it is someting along the lines of; That is, Type is text. In principle, you should be able to put a Laptop on VLAN 218, and if you get an IP address you should be able to Ping the PBX, assuming there isn't any ACLs in place. If you are not getting an address, but you get one by creating an identical VLAN 219, you'll need to examine the path of communicaitons. Maybe 218 isn't allowed on the trunk? Edit: Perhaps you could try to connect a PC to a normal access port in vlan 218, and perform er packet dump from wireshark, to determine if you get the correct DHCP options?

rbnielsen · ‎01-24-2021

I can't comment for MRs because, well, I haven't tried that scenario yet. But imagine Z1 teleworkers. The Z1 is not supported on MX15.x but you can schedule an upgrade to MX15.x. What will happen is that the Z1 will "upgrade" to MX15, but since there is not support for it, the Z1 will stay on the latest MX14.x software that supports it, but still report as upgraded to MX15.x. I imagine that the same applies to MRs.

rbnielsen · ‎01-24-2021

What VLAN does the IP phones get an IP address from? Have you verified that the corrent VLAN is set on the port connecting to the IP phones - either as Access VLAN or Voice VLAN? What happens if you configure an access port in the Voice VLAN, and connect a PC? Does it get the expected IP lease? If the DHCP server is on a separate network, you might need to configure an IP helper/DHCP relay.

rbnielsen · ‎01-14-2021

Perhaps its a hidden Jimi Hendrix mode? Jokes aside, I haven't seen this on any of the cameras I have access to. But it sounds like a hardware malfunction. I'd just reach out to Support and request a quick t-shoot and then RMA the units.

rbnielsen · ‎12-27-2020

This occurs when you do requests against an organisation that doesn't have API access enabled? Does this happen in a predefined routine in the meraki sdk, or a routine you have created yourself? Is the organisation, which returns a 404, returned when you do HTTP GET /organizations ?

rbnielsen · ‎12-12-2020

So, I dug a bit deeper into this, and had the opportunity to have a conference call both with Meraki Support, as well as Microsoft Azure Support. It seems that the main reason why I couldn't get ClientVPN to work was because ports 500 and 4500 were being blocked. I was not able to open those ports by applying an NSG, due to a vendor policy from Meraki on the vMX RG. Also, it seems that the Public IP SKU being deployed from the managed app, was randomly being chosen as a "Standard" IP SKU, which apparently has some default port blocked. If the deployed IP SKU is "Basic" ClientVPN will work. The only way around this, is a redeployment of the vMX.. I'll probably add some more on this, after I've done some more testing, and sharing these results with Meraki Support.

rbnielsen · ‎12-05-2020

Microsoft keeps claiming that Meraki needs to remove the Vendor policy, on the Meraki App, inorder to create the NSG, so VPN traffic from my client, can reach the vMX. Meraki keeps claiming that Mircrosoft needs to do this, and it is noting to do with the vMX policy.

rbnielsen · ‎12-05-2020

I am right now in the middle of a ping pong between Meraki Support and Microsoft Support, regarding who needs to do something, inorder to open ports udp/500 and udp/4500 and forward it to my vMX, so that I can get ClientVPN to work..

rbnielsen · ‎12-03-2020

No worries. The vMX i Azure has really been a steep learning curve for me. Working on my first deployments, and I have already run in to different odd behaviours.

rbnielsen · ‎12-02-2020

Meraki Support seems to confirm that it is merely a cosmetic issue. They have other customers reporting the same, while the actual traffic passing through is higher than 10Mb.

rbnielsen · ‎12-02-2020

I have deployed a vMX-M in Azure aswell, and I see the exact same thing. I am also wondering if it's a cosmetic thing, or what. But since I have a cut-over deadline for a migration on sunday, I've opened a ticket with Support..

rbnielsen · ‎11-22-2020

There really isn't any other place I can define the network security groups. There's there Resource Group shown above with the VM, Nic, Public IP and Disk, and then there is an RG with the Managed App, VNet and a Routetable.Finally, there is a NetworkWatcherRG in which I can't really do any changes. The 'mrg-cisco-meraki-vmx-XX' is the one that gets created when deploying the Meraki Managed App in Azure, and it seems to be Read Only, so I can't really modify its settings.

rbnielsen · ‎11-22-2020

Not much. Now.. This is a test setup, on a "Free Trial Version". Could it be that I'm not being allowed the full feature set?

rbnielsen · ‎11-22-2020

I can't find any NSGs. This is the only place I have, where I can choose Network Security Groups.

rbnielsen · ‎11-22-2020

Hm.. Do I need to create a Firewall in Azure, in the same resource group as the vMX? My vMX cam online and connected to the Dashboard without a Firewall in the first place.

rbnielsen · ‎11-22-2020

The only place I could choose Network Security Group, as under the Nic, of the Ressource Group, was a created after the managed app. And in the NSG, there are no rules, whatsoever.

rbnielsen · ‎11-22-2020

Do you know where I can edit does Firewall rules? Because I can't see them anywhere. 😕

rbnielsen · ‎11-20-2020

I've also done a traceroute from my own mac. It seems that it ends somewhere in Microsoft Azure rbnielsen@The-Gibson ~ % traceroute 52.146.154.95 traceroute to 52.146.154.95 (52.146.154.95), 64 hops max, 52 byte packets 1 192.168.2.1 (192.168.2.1) 4.767 ms 2.304 ms 2.222 ms 2 192.168.1.1 (192.168.1.1) 3.875 ms 2.720 ms 3.169 ms 3 lo0-0.vsk2nqe30.dk.ip.tdc.net (2.106.92.193) 8.201 ms 8.336 ms 8.652 ms 4 ae2-0.fhnqe11.dk.ip.tdc.net (83.88.16.207) 9.542 ms 8.354 ms 9.115 ms 5 ae1-0.alb2nqp8.dk.ip.tdc.net (83.88.19.119) 22.806 ms 16.014 ms * 6 104.44.37.83 (104.44.37.83) 18.571 ms 16.465 ms 25.737 ms 7 ae24-0.ear01.ham30.ntwk.msn.net (104.44.24.21) 21.265 ms 21.480 ms 22.874 ms 8 be-21-0.ibr02.ham30.ntwk.msn.net (104.44.21.17) 44.815 ms be-20-0.ibr01.ham30.ntwk.msn.net (104.44.21.14) 45.915 ms be-21-0.ibr02.ham30.ntwk.msn.net (104.44.21.17) 44.947 ms 9 be-4-0.ibr06.ams06.ntwk.msn.net (104.44.16.131) 45.002 ms 45.383 ms 44.945 ms 10 be-6-0.ibr02.ams21.ntwk.msn.net (104.44.18.190) 45.524 ms 46.605 ms 45.491 ms 11 be-9-0.ibr02.dub08.ntwk.msn.net (104.44.19.214) 45.360 ms be-11-0.ibr02.lon24.ntwk.msn.net (104.44.16.2) 45.643 ms be-9-0.ibr01.lon24.ntwk.msn.net (104.44.18.144) 174.930 ms 12 ae122-0.icr02.dub08.ntwk.msn.net (104.44.11.82) 45.882 ms be-8-0.ibr02.dub08.ntwk.msn.net (104.44.17.90) 45.684 ms ae122-0.icr02.dub08.ntwk.msn.net (104.44.11.82) 45.110 ms 13 ae120-0.icr01.dub08.ntwk.msn.net (104.44.11.86) 59.649 ms * * 14 * * * ^C

rbnielsen · ‎11-19-2020

So I'm having som issues with enabling Client VPN on a vMX. I have enabled Client VPN on the vMX, like I've done many time before, double checked users and shared secret but I just can not seem to get the ClientVPN connected. My vMx is deployed and online and all green. However, I'm not able to ping the Public IP, but then again I'm not sure if I'm supposed to be able to ping a Public IP in Azure. I'm testing from my own Mac, and it seems like it can't reach my vMX or the Public IP, which I find odd. I've tried from Home WiFi and Mobile Hotspot. Log from my Mac: standard 08:26:41.543802+0100 racoon plogsetfile: about to add racoon log file: /var/log/racoon.log standard 08:26:41.548326+0100 racoon accepted connection on vpn control socket. standard 08:26:41.548367+0100 racoon received bind command on vpn control socket. standard 08:26:41.549439+0100 racoon New Phase 2 standard 08:26:41.549691+0100 racoon state changed to: IKEv1 quick I start standard 08:26:41.551206+0100 racoon Connecting. standard 08:26:41.551662+0100 racoon IPsec-SA request for 52.146.154.95 queued due to no Phase 1 found. standard 08:26:41.551690+0100 racoon New Phase 1 standard 08:26:41.551717+0100 racoon state changed to: IKEv1 ident I start standard 08:26:41.552022+0100 racoon initiate new phase 1 negotiation: 192.168.1.53[500]<=>52.146.154.95[500] standard 08:26:41.552161+0100 racoon begin Identity Protection mode. standard 08:26:41.552201+0100 racoon IPSec Phase 1 started (Initiated by me). standard 08:26:41.554889+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000 standard 08:26:41.554918+0100 racoon state changed to: IKEv1 ident I msg1 sent standard 08:26:41.554953+0100 racoon IKE Packet: transmit success. (Initiator, Main-Mode message 1). standard 08:26:41.554996+0100 racoon >>>>> phase change status = Phase 1 started by us standard 08:26:42.551901+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:43.651998+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:44.750392+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit). standard 08:26:44.750534+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000 standard 08:26:44.750612+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:45.849827+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:46.949911+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:47.826864+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit). standard 08:26:47.826919+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000 standard 08:26:48.049956+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:49.149791+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:50.249824+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:51.116931+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit). standard 08:26:51.116967+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000 standard 08:26:51.349793+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:51.561520+0100 racoon vpn_control socket closed by peer. standard 08:26:51.561544+0100 racoon received disconnect all command. standard 08:26:51.561578+0100 racoon IPSec disconnecting from server 52.146.154.95 standard 08:26:51.561608+0100 racoon in ike_session_purgephXbydstaddrwop... purging Phase 2 structures standard 08:26:51.561635+0100 racoon Phase 2 sa expired 192.168.1.53-52.146.154.95 standard 08:26:51.561657+0100 racoon state changed to: Phase 2 expired standard 08:26:51.561697+0100 racoon in ike_session_purgephXbydstaddrwop... purging Phase 1 and related Phase 2 structures standard 08:26:51.562447+0100 racoon IPsec-SA needs to be purged: ESP 192.168.1.53[0]->52.146.154.95[0] spi=1224736768(0x49000000) standard 08:26:51.562503+0100 racoon ISAKMP-SA expired 192.168.1.53[500]-52.146.154.95[500] spi:f465dd260cf2a981:0000000000000000 standard 08:26:51.562527+0100 racoon state changed to: Phase 1 expired standard 08:26:51.562550+0100 racoon no ph1bind replacement found. NULL ph1. standard 08:26:51.563059+0100 racoon vpncontrol_close_comm. From what I see is that the vMX is not even responding. This is also evident from tha fact that there a nothing the the Event Log, about Client VPN establishement. So I think(!) that there is a route missing from the Azure and into my MX, but I have no idea what that should be. My vMX can easily ping out. I can even ping my own public ip address at home. I have created a Route Table, which only contains 1 route, the ClientVPN subnet pointing to the IP address of the vMX I also have a VNet with the subnet of the vMX and ClientVPN, although I'm not certain this should be neccessary yet. Not untill I need to access services in Azure. Both the Vnet and RouteTable are in the same Ressource Group as the vMX Managed App. I did not allow the vMX Managed App to create VNets and Subnets. I did that on my own as well. I've tried setting the ClientVPN on my Mac to both Full Tunnel, and Split Tunne, to no avail. Looking at the NIC for the vMX VM, there are no NSGs applied, so that should be OK. Any ideas on what I'm doing wrong?

rbnielsen · ‎11-10-2020

What exactly do you mean, when you say you want to configure the wan port as trunk? The Internet port supports VLAN tagging, in such that you can assign a vlan to the interface, that is handling WAN traffic, and thus connect the MX to a trunk port. This can be set either via Remote Status page on the MX, or Security & SD-WAN -> Appliance Status -> Uplink, and hit the Edit button next to the WAN interface. You should see a VLAN field, where you can input the VLAN number. But you cannot have the MX, to grab a WAN IP from say vlan 10, and let vlan 20 passthrough the MX Internet port, for upstream LAN access. In such case, you'll have to short VLAN 20 around to a LAN port on the MX, with another physical cable.

rbnielsen · ‎11-04-2020

Seems legit. xD

rbnielsen · ‎11-03-2020

Honestly I'm more interested in the question regarding failover times. 😉 The Meraki Documentation is unclear on the point, and I have yet to meet someone with a convincing argument.

rbnielsen · ‎10-25-2020

Site formatting is also a bit weird, so You might want to run by all the pages. https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Profiles_and_Settings/Removing_Profiles_and_Apps_from_Managed_Devices#Permanent_Removal Viewing from Firefox 81.0.2 on MacOS Catalina 10.15.7,btw.

rbnielsen

Community Record

Badges