Meraki

Community

About CiscoInstaller

Re: Issues connecting Meraki Client VPN

by in Security & SD-WAN
‎Dec 12 2019 7:40 AM
1 Kudo
‎Dec 12 2019 7:40 AM
1 Kudo
Thank you for both of those suggestions, they were very helpful.   Weirdly re-entering the pre-shared key on the Meraki side seemed to all the devices to connect.   This had been copy pasted to all of the configured machines in the same way but some were connecting and some were not. Re-pasting the same into the Meraki (even though it looked the same anyway using Show Secret) allowed all of the devices to connect without issue.   I guess there must have been some weird space or character translation or something in the saved PSK on the Meraki.   Thanks again for those suggestions, they were useful from a general understanding point of view. ... View more

Issues connecting Meraki Client VPN

by in Security & SD-WAN
‎Dec 12 2019 7:15 AM
‎Dec 12 2019 7:15 AM
We have an MX100 that has the client VPN functionality enabled. This is using RADIUS authentication and is configured to communicate with a DC that has this role installed and configured.   I can successfully connect to this from my own laptop and some test machines that are not on the client domain, however machines on the client domain (and a coupe of others that are not) cannot connect at all.   I am trying to connect with identical credentials on all machines and the same internet connection and some machines will connect and others will not. the clients that do not connect get an entry for Error 789 in Event Viewer. The error from the VPN connection is "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"   We have checked that the "IKE and Auth..." service and the IPSEC Processing Policy service are running.   The logs on the Meraki show the following: Dec 12 15:04:36   Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 59c9b9d31a1ca7fc:e7241141149e770f Dec 12 15:03:49   Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 6a8f5861211ce0a4:0192fd20f7d239be Dec 12 15:03:46   Non-Meraki / Client VPN negotiation msg: invalid DH group 19. Dec 12 15:03:46   Non-Meraki / Client VPN negotiation msg: invalid DH group 20. Dec 12 15:03:46   Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY Dec 12 15:02:59   Non-Meraki / Client VPN negotiation msg: invalid DH group 19. Dec 12 15:02:59   Non-Meraki / Client VPN negotiation msg: invalid DH group 20. Dec 12 15:02:58   Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY Dec 12 15:01:05   Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 5c8c3fed81ed0dfa:344388c60cc91c1e Dec 12 15:00:54   Non-Meraki / Client VPN negotiation msg: unknown Informational exchange received. Dec 12 15:00:54   Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:8019f7f3eac784dc:79e6de84ffa397eb Dec 12 15:00:54   Non-Meraki / Client VPN negotiation msg: ISAKMP-SA expired x.x.x.x[500]-x.x.x.x[500] spi:8019f7f3eac784dc:79e6de84ffa397eb Dec 12 15:00:18   Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. d3619ad0e8a97674:070ff11a8655461d Dec 12 15:00:15   Non-Meraki / Client VPN negotiation msg: invalid DH group 19. Dec 12 15:00:15   Non-Meraki / Client VPN negotiation msg: invalid DH group 20. Dec 12 15:00:15   Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY Dec 12 14:59:28   Non-Meraki / Client VPN negotiation msg: invalid DH group 19. Dec 12 14:59:28   Non-Meraki / Client VPN negotiation msg: invalid DH group 20. Dec 12 14:59:28   Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY ... View more

Re: Weird routing issue\question

by in Security & SD-WAN
‎Nov 27 2019 7:08 AM
‎Nov 27 2019 7:08 AM
Apologies for omitting that info - yes it is a MX100 in use.   We have this configured pretty much as suggested: Meraki has its own direct internet connection. Draytek has its own direct internet connection. LAN 2 on the Draytek is configured with an IP address on the old LAN (172.31.109.0/22) LAN 3 on the Draytek is configured with an IP address on the new LAN (192.168.48.0/22) There is a static route configured on the MX100 for the wireless subnet (192.168.65.0/24) to direct traffic to the LAN 3 IP address on the Draytek. There is a static route configured on the router for the old LAN for the wireless subnet (192.168.65.0/24) to direct traffic to the LAN 2 IP address on the Draytek. The MX100 is configured to communicate directly to the old LAN subnet through a VLAN added to one of its LAN ports. With LAN 3 disconnected I can (obviously) no longer ping the Meraki subnet, but reliably ping all resources in the old LAN subnet. With both LAN 2 and LAN 3 connected to the Draytek I can successfully ping servers in the new Meraki LAN, but not servers in the old LAN. Weirdly, with both LAN 2 and LAN 3 connected to the Draytek, I can intermittently ping servers if I am running a constant ping from the server in question to the Draytek, but without the constant ping cannot get ping responses. Also, slightly weirdly - I can ping the main router in the old LAN location with both LAN 2 and LAN 3 connected, even when I cannot ping the servers in this subnet. I'm guessing this is routing related to the way the Cisco MX100 is setup but am unsure as to what I am missing. ... View more

Weird routing issue\question

by in Security & SD-WAN
‎Nov 27 2019 2:26 AM
‎Nov 27 2019 2:26 AM
We are working on migrating an existing network setup to Meraki hardware and for the first stage need to make some of their existing config communicate with the new Meraki layout.   The existing setup consists of an internal LAN (utilising Cisco switching 172.31.109.0/24) and has a Draytek router installed in parallel that has an interface that is connected to the internal LAN and the WAN interface configured with a direct internet connection.   There is a wireless network inside the Draytek configuration (192.168.65.0/24) that provides DHCP to wireless clients and allows them to be segregated from the main internal LAN with firewall rules restricting access to just the servers on the internal LAN.   We have installed a Cisco Meraki network on a new IP range (192.168.48.0/22), which contains some new servers and plan to migrate some of the existing servers and service to this new LAN. Communication between the new Meraki LAN and the existing internal LAN is configured via a VLAN with routes in place to allow servers and clients on the old internal LAN to successfully communicate with servers on the new Cisco Meraki LAN.   We need to configure the Draytek such that clients on the wireless network (192.168.65.0/24) can access servers on both the old LAN (172.31.109/24) and the new Meraki LAN (192.168.48.0/22).   We attempted to do this by configuring another spare port on the Draytek with an IP address on the Meraki LAN and while this appears to allow communication between all LANs, caused an issue whereby intermittently the wireless clients could not access servers on either LAN (they were sometimes pingable, sometimes not). I believe that this behaviour suggests there was some form of network triangulation occuring.   Does anyone have any suggestions regarding the best way of configuring this communication, primarily on the Meraki side? Is it the case that there needs to be explicit VLAN configuration for the Draytek subnet on the Meraki infrastructure? Or static routes for this range to direct traffic for the Draytek subnet to the Draytek for the servers on the Meraki LAN?   Any suggestions appreciated!   ... View more

Re: Connecting to a separate network

by in Switching
‎Nov 7 2019 8:39 AM
1 Kudo
‎Nov 7 2019 8:39 AM
1 Kudo
I found what I was missing and got this configured as required - thank you for your help. ... View more

Re: Connecting to a separate network

by in Switching
‎Nov 7 2019 7:37 AM
‎Nov 7 2019 7:37 AM
Okay, so I have configured a VLAN for the network range on the old LAN (172.31.104.0/22) and set this as the default VLAN for port 4 on the MX100 (which is where I have connected the network cable to the other network).   Whereabouts do I need to add the static routes? Is it the static routes under the 'Security & SD-WAN | Addressing and VLAN' page on the Meraki configuration? And should I be entering the network that matches the VLAN, because when I do that i get an error 'Static lan route subnets cannot be contained by (or be equal to) a VLAN subnet'.    And I then need to add static routes to the servers in the old network range too?   Thanks in advance, sorry if i am missing something obvious! ... View more

Connecting to a separate network

by in Switching
‎Nov 7 2019 6:58 AM
‎Nov 7 2019 6:58 AM
I am installing a new Cisco Meraki solution for a client that is moving away from IT infrastructure (Cisco) provided by their old parent company.   We have configured an MX100 for internet access and provisioned a default VLAN for the new server and client infrastructure. Devices connected to the new Meraki firewall and switches can access the internet and other devices in the same subnet in the new environment as expected.   As part of the transition, we need to connect this new Cisco Meraki infrastructure to the old network to allow the transfer of domain services, data and other settings. The administrator for the older systems has provided us with an IP address and subnet mask in the range that the old servers reside in. I need to configure the new Meraki networking to allow servers on the new network to communicate with resources on the old network.   What is the best way to achieve this on either the Meraki MX100 or one of the Meraki MS225-48FP switches that constitute the new network? ... View more
© 2024 Cisco Systems, Inc.