Meraki

rhbirkelund · ‎Dec 27 2020

This occurs when you do requests against an organisation that doesn't have API access enabled? Does this happen in a predefined routine in the meraki sdk, or a routine you have created yourself? Is the organisation, which returns a 404, returned when you do HTTP GET /organizations ?

rhbirkelund · ‎Dec 12 2020

So, I dug a bit deeper into this, and had the opportunity to have a conference call both with Meraki Support, as well as Microsoft Azure Support. It seems that the main reason why I couldn't get ClientVPN to work was because ports 500 and 4500 were being blocked. I was not able to open those ports by applying an NSG, due to a vendor policy from Meraki on the vMX RG. Also, it seems that the Public IP SKU being deployed from the managed app, was randomly being chosen as a "Standard" IP SKU, which apparently has some default port blocked. If the deployed IP SKU is "Basic" ClientVPN will work. The only way around this, is a redeployment of the vMX.. I'll probably add some more on this, after I've done some more testing, and sharing these results with Meraki Support.

rhbirkelund · ‎Dec 5 2020

Microsoft keeps claiming that Meraki needs to remove the Vendor policy, on the Meraki App, inorder to create the NSG, so VPN traffic from my client, can reach the vMX. Meraki keeps claiming that Mircrosoft needs to do this, and it is noting to do with the vMX policy.

rhbirkelund · ‎Dec 5 2020

I am right now in the middle of a ping pong between Meraki Support and Microsoft Support, regarding who needs to do something, inorder to open ports udp/500 and udp/4500 and forward it to my vMX, so that I can get ClientVPN to work..

rhbirkelund · ‎Dec 3 2020

No worries. The vMX i Azure has really been a steep learning curve for me. Working on my first deployments, and I have already run in to different odd behaviours.

rhbirkelund · ‎Dec 2 2020

Meraki Support seems to confirm that it is merely a cosmetic issue. They have other customers reporting the same, while the actual traffic passing through is higher than 10Mb.

rhbirkelund · ‎Dec 2 2020

I have deployed a vMX-M in Azure aswell, and I see the exact same thing. I am also wondering if it's a cosmetic thing, or what. But since I have a cut-over deadline for a migration on sunday, I've opened a ticket with Support..

rhbirkelund · ‎Nov 22 2020

There really isn't any other place I can define the network security groups. There's there Resource Group shown above with the VM, Nic, Public IP and Disk, and then there is an RG with the Managed App, VNet and a Routetable.Finally, there is a NetworkWatcherRG in which I can't really do any changes. The 'mrg-cisco-meraki-vmx-XX' is the one that gets created when deploying the Meraki Managed App in Azure, and it seems to be Read Only, so I can't really modify its settings.

rhbirkelund · ‎Nov 22 2020

Not much. Now.. This is a test setup, on a "Free Trial Version". Could it be that I'm not being allowed the full feature set?

rhbirkelund · ‎Nov 22 2020

I can't find any NSGs. This is the only place I have, where I can choose Network Security Groups.

rhbirkelund · ‎Nov 22 2020

Hm.. Do I need to create a Firewall in Azure, in the same resource group as the vMX? My vMX cam online and connected to the Dashboard without a Firewall in the first place.

rhbirkelund · ‎Nov 22 2020

The only place I could choose Network Security Group, as under the Nic, of the Ressource Group, was a created after the managed app. And in the NSG, there are no rules, whatsoever.

rhbirkelund · ‎Nov 22 2020

Do you know where I can edit does Firewall rules? Because I can't see them anywhere. 😕

rhbirkelund · ‎Nov 20 2020

I've also done a traceroute from my own mac. It seems that it ends somewhere in Microsoft Azure rbnielsen@The-Gibson ~ % traceroute 52.146.154.95 traceroute to 52.146.154.95 (52.146.154.95), 64 hops max, 52 byte packets 1 192.168.2.1 (192.168.2.1) 4.767 ms 2.304 ms 2.222 ms 2 192.168.1.1 (192.168.1.1) 3.875 ms 2.720 ms 3.169 ms 3 lo0-0.vsk2nqe30.dk.ip.tdc.net (2.106.92.193) 8.201 ms 8.336 ms 8.652 ms 4 ae2-0.fhnqe11.dk.ip.tdc.net (83.88.16.207) 9.542 ms 8.354 ms 9.115 ms 5 ae1-0.alb2nqp8.dk.ip.tdc.net (83.88.19.119) 22.806 ms 16.014 ms * 6 104.44.37.83 (104.44.37.83) 18.571 ms 16.465 ms 25.737 ms 7 ae24-0.ear01.ham30.ntwk.msn.net (104.44.24.21) 21.265 ms 21.480 ms 22.874 ms 8 be-21-0.ibr02.ham30.ntwk.msn.net (104.44.21.17) 44.815 ms be-20-0.ibr01.ham30.ntwk.msn.net (104.44.21.14) 45.915 ms be-21-0.ibr02.ham30.ntwk.msn.net (104.44.21.17) 44.947 ms 9 be-4-0.ibr06.ams06.ntwk.msn.net (104.44.16.131) 45.002 ms 45.383 ms 44.945 ms 10 be-6-0.ibr02.ams21.ntwk.msn.net (104.44.18.190) 45.524 ms 46.605 ms 45.491 ms 11 be-9-0.ibr02.dub08.ntwk.msn.net (104.44.19.214) 45.360 ms be-11-0.ibr02.lon24.ntwk.msn.net (104.44.16.2) 45.643 ms be-9-0.ibr01.lon24.ntwk.msn.net (104.44.18.144) 174.930 ms 12 ae122-0.icr02.dub08.ntwk.msn.net (104.44.11.82) 45.882 ms be-8-0.ibr02.dub08.ntwk.msn.net (104.44.17.90) 45.684 ms ae122-0.icr02.dub08.ntwk.msn.net (104.44.11.82) 45.110 ms 13 ae120-0.icr01.dub08.ntwk.msn.net (104.44.11.86) 59.649 ms * * 14 * * * ^C

rhbirkelund · ‎Nov 19 2020

So I'm having som issues with enabling Client VPN on a vMX. I have enabled Client VPN on the vMX, like I've done many time before, double checked users and shared secret but I just can not seem to get the ClientVPN connected. My vMx is deployed and online and all green. However, I'm not able to ping the Public IP, but then again I'm not sure if I'm supposed to be able to ping a Public IP in Azure. I'm testing from my own Mac, and it seems like it can't reach my vMX or the Public IP, which I find odd. I've tried from Home WiFi and Mobile Hotspot. Log from my Mac: standard 08:26:41.543802+0100 racoon plogsetfile: about to add racoon log file: /var/log/racoon.log standard 08:26:41.548326+0100 racoon accepted connection on vpn control socket. standard 08:26:41.548367+0100 racoon received bind command on vpn control socket. standard 08:26:41.549439+0100 racoon New Phase 2 standard 08:26:41.549691+0100 racoon state changed to: IKEv1 quick I start standard 08:26:41.551206+0100 racoon Connecting. standard 08:26:41.551662+0100 racoon IPsec-SA request for 52.146.154.95 queued due to no Phase 1 found. standard 08:26:41.551690+0100 racoon New Phase 1 standard 08:26:41.551717+0100 racoon state changed to: IKEv1 ident I start standard 08:26:41.552022+0100 racoon initiate new phase 1 negotiation: 192.168.1.53[500]<=>52.146.154.95[500] standard 08:26:41.552161+0100 racoon begin Identity Protection mode. standard 08:26:41.552201+0100 racoon IPSec Phase 1 started (Initiated by me). standard 08:26:41.554889+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000 standard 08:26:41.554918+0100 racoon state changed to: IKEv1 ident I msg1 sent standard 08:26:41.554953+0100 racoon IKE Packet: transmit success. (Initiator, Main-Mode message 1). standard 08:26:41.554996+0100 racoon >>>>> phase change status = Phase 1 started by us standard 08:26:42.551901+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:43.651998+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:44.750392+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit). standard 08:26:44.750534+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000 standard 08:26:44.750612+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:45.849827+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:46.949911+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:47.826864+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit). standard 08:26:47.826919+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000 standard 08:26:48.049956+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:49.149791+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:50.249824+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:51.116931+0100 racoon IKE Packet: transmit success. (Phase 1 Retransmit). standard 08:26:51.116967+0100 racoon Resend Phase 1 packet f465dd260cf2a981:0000000000000000 standard 08:26:51.349793+0100 racoon CHKPH1THERE: no established ph1 handler found standard 08:26:51.561520+0100 racoon vpn_control socket closed by peer. standard 08:26:51.561544+0100 racoon received disconnect all command. standard 08:26:51.561578+0100 racoon IPSec disconnecting from server 52.146.154.95 standard 08:26:51.561608+0100 racoon in ike_session_purgephXbydstaddrwop... purging Phase 2 structures standard 08:26:51.561635+0100 racoon Phase 2 sa expired 192.168.1.53-52.146.154.95 standard 08:26:51.561657+0100 racoon state changed to: Phase 2 expired standard 08:26:51.561697+0100 racoon in ike_session_purgephXbydstaddrwop... purging Phase 1 and related Phase 2 structures standard 08:26:51.562447+0100 racoon IPsec-SA needs to be purged: ESP 192.168.1.53[0]->52.146.154.95[0] spi=1224736768(0x49000000) standard 08:26:51.562503+0100 racoon ISAKMP-SA expired 192.168.1.53[500]-52.146.154.95[500] spi:f465dd260cf2a981:0000000000000000 standard 08:26:51.562527+0100 racoon state changed to: Phase 1 expired standard 08:26:51.562550+0100 racoon no ph1bind replacement found. NULL ph1. standard 08:26:51.563059+0100 racoon vpncontrol_close_comm. From what I see is that the vMX is not even responding. This is also evident from tha fact that there a nothing the the Event Log, about Client VPN establishement. So I think(!) that there is a route missing from the Azure and into my MX, but I have no idea what that should be. My vMX can easily ping out. I can even ping my own public ip address at home. I have created a Route Table, which only contains 1 route, the ClientVPN subnet pointing to the IP address of the vMX I also have a VNet with the subnet of the vMX and ClientVPN, although I'm not certain this should be neccessary yet. Not untill I need to access services in Azure. Both the Vnet and RouteTable are in the same Ressource Group as the vMX Managed App. I did not allow the vMX Managed App to create VNets and Subnets. I did that on my own as well. I've tried setting the ClientVPN on my Mac to both Full Tunnel, and Split Tunne, to no avail. Looking at the NIC for the vMX VM, there are no NSGs applied, so that should be OK. Any ideas on what I'm doing wrong?

rhbirkelund · ‎Nov 10 2020

What exactly do you mean, when you say you want to configure the wan port as trunk? The Internet port supports VLAN tagging, in such that you can assign a vlan to the interface, that is handling WAN traffic, and thus connect the MX to a trunk port. This can be set either via Remote Status page on the MX, or Security & SD-WAN -> Appliance Status -> Uplink, and hit the Edit button next to the WAN interface. You should see a VLAN field, where you can input the VLAN number. But you cannot have the MX, to grab a WAN IP from say vlan 10, and let vlan 20 passthrough the MX Internet port, for upstream LAN access. In such case, you'll have to short VLAN 20 around to a LAN port on the MX, with another physical cable.

rhbirkelund · ‎Oct 12 2020

I have been looking into this myself, and from what I can find those vpn services use certificate based vpn, which is not supported on Meraki (from what I have found). If it’s a feature you would like to see, use the Make A Wish button, speak with your local Meraki Rep

rhbirkelund · ‎Oct 9 2020

Whether it's a CCNA or CCNP, I can't tell. I was half way through my CCNP Wireless when they shook the bag. I didn't expect that level of detail wht the questions, bu then again I wasn't surprised. It was all something I remember we touched during ECMS2. But I did feel that there was a special focus on Meraki Insights and Systems Manager. I remember some of the questions that I think was the reason I failed the exam. Some understandable, and some weren't. In general, I hate questions on what port some specific segment of a technology communicates on, and if it's TCP or UDP..

rhbirkelund · ‎Oct 8 2020

I did it yesterday, but unfortunately I was 47 points away. 😞

rhbirkelund · ‎Oct 4 2020

@CameronMoody ?

rhbirkelund · ‎Sep 29 2020

Velkommen til. 😉

rhbirkelund · ‎Sep 17 2020

I'll go out in a limb here and say; if there's a SNORT rule for that CVE, then it's handled by AMP.

rhbirkelund · ‎Sep 17 2020

It shouldn't be neccessary to have a switchport at both ends. Create an SVI on the MS390, assign a port as access to that VLAN, and connect the VoIP router to said access port. You should be able to ping between the VoIP router and SVI.

rhbirkelund · ‎Sep 17 2020

There are no such thing as routed ports in Meraki. You'll have to create a VLAN on the MS390, and assign IPs to that. It is not possible to assign IP addresses to ports on Meraki. The only "routed port" there is, is the WAN uplink on the MX Security Appliance.

rhbirkelund · ‎Sep 16 2020

Why is it impossible to assign an IP address to your MS390? Create a new VLAN on the MX100 for Meraki Management, and either assign the Meraki switch an IP statically, or use DHCP on the Meraki Management VLAN.

About rhbirkelund

rhbirkelund

Community Record

Badges