The Meraki Community
CiscoInstaller

Here to help

Member since Nov 7, 2019

‎02-06-2020
Kudos from (user: count)
  • MFIT: 1
  • kYutobi: 1

Kudos given to (user: count)
  • SoCalRacer: 1
  • Nash: 1
  • BrechtSchamp: 1
  • kYutobi: 1

Community Record

  • Posts: 8
  • Kudos: 2
  • Solutions: 0

Badges

  • First 5 Posts
  • Lift-Off

Latest Contributions by CiscoInstaller

VLAN connectivity issue

by CiscoInstaller in Security / SD-WAN
01-30-2020 04:18 AM

I have configured my MX100 on a new network for an installation where we are going to migrate from an existing network and configured a connection between the new and the old networks.

However, with the way this is currently configured, all network traffic from the old network is appearing on the new network. Ideally we need these to be kept separate, so all devices connected on the new network have the ability to speak to hosts on the old network, but broadcast traffic and general network comms from the old network are not present on the new one.

The current setup has VLANs enabled and subnets added for the old (172.31.104.0/22 VLAN 1) and the new network (192.168.92.0/22 VLAN 101) and the old network is configured with an MX IP of a free address in that range (172.31.104.10).

The routing of the old network directs all traffic to 192.168.92.0/22 to the MX IP configured on the old LAN.

Port 2 is connected directly to the Old LAN and configured with VLAN 1 on the per-port settings. Port 3 is connected directly to the switches for the new network with VLAN 101 on the per-port settings.

This allows connection between servers in both the old and new networks but also undesired network broadcast traffic from the old network across the new switches (visible in the Meraki logging and when using Wireshark connected to the new switches).

I think I am just missing something obvious with regards to locking down the VLANs available on the switch ports? Or is there anything else I should be considering?

Thanks in advance.

Re: Issues connecting Meraki Client VPN

by CiscoInstaller in Security / SD-WAN
12-12-2019 07:40 AM
1 Kudo

Thank you for both of those suggestions, they were very helpful.

Weirdly, re-entering the pre-shared key on the Meraki side seemed to allow all the devices to connect.

This had been copy pasted to all of the configured machines in the same way but some were connecting and some were not. Re-pasting the same into the Meraki (even though it looked the same anyway using Show Secret) allowed all of the devices to connect without issue.

I guess there must have been some weird space or character translation or something in the saved PSK on the Meraki.

Thanks again for those suggestions, they were useful from a general understanding point of view.

Issues connecting Meraki Client VPN

by CiscoInstaller in Security / SD-WAN
12-12-2019 07:15 AM

We have an MX100 that has the client VPN functionality enabled. This is using RADIUS authentication and is configured to communicate with a DC that has this role installed and configured.

I can successfully connect to this from my own laptop and some test machines that are not on the client domain, however machines on the client domain (and a couple of others that are not) cannot connect at all.

I am trying to connect with identical credentials on all machines and the same internet connection and some machines will connect and others will not. The clients that do not connect get an entry for Error 789 in Event Viewer. The error from the VPN connection is "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

We have checked that the "IKE and Auth..." service and the IPSEC Processing Policy service are running.

The logs on the Meraki show the following:

Dec 12 15:04:36   Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 59c9b9d31a1ca7fc:e7241141149e770f
Dec 12 15:03:49   Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 6a8f5861211ce0a4:0192fd20f7d239be
Dec 12 15:03:46   Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Dec 12 15:03:46   Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Dec 12 15:03:46   Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Dec 12 15:02:59   Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Dec 12 15:02:59   Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Dec 12 15:02:58   Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Dec 12 15:01:05   Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 5c8c3fed81ed0dfa:344388c60cc91c1e
Dec 12 15:00:54   Non-Meraki / Client VPN negotiation msg: unknown Informational exchange received.
Dec 12 15:00:54   Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:8019f7f3eac784dc:79e6de84ffa397eb
Dec 12 15:00:54   Non-Meraki / Client VPN negotiation msg: ISAKMP-SA expired x.x.x.x[500]-x.x.x.x[500] spi:8019f7f3eac784dc:79e6de84ffa397eb
Dec 12 15:00:18   Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. d3619ad0e8a97674:070ff11a8655461d
Dec 12 15:00:15   Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Dec 12 15:00:15   Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Dec 12 15:00:15   Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Dec 12 14:59:28   Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Dec 12 14:59:28   Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Dec 12 14:59:28   Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY

Re: Weird routing issue\question

by CiscoInstaller in Security / SD-WAN
11-27-2019 07:08 AM

Apologies for omitting that info - yes it is a MX100 in use.

We have this configured pretty much as suggested:
  • Meraki has its own direct internet connection.
  • Draytek has its own direct internet connection.
  • LAN 2 on the Draytek is configured with an IP address on the old LAN (172.31.109.0/22)
  • LAN 3 on the Draytek is configured with an IP address on the new LAN (192.168.48.0/22)
  • There is a static route configured on the MX100 for the wireless subnet (192.168.65.0/24) to direct traffic to the LAN 3 IP address on the Draytek.
  • There is a static route configured on the router for the old LAN for the wireless subnet (192.168.65.0/24) to direct traffic to the LAN 2 IP address on the Draytek.
  • The MX100 is configured to communicate directly to the old LAN subnet through a VLAN added to one of its LAN ports.

With LAN 3 disconnected I can (obviously) no longer ping the Meraki subnet, but reliably ping all resources in the old LAN subnet.

With both LAN 2 and LAN 3 connected to the Draytek I can successfully ping servers in the new Meraki LAN, but not servers in the old LAN.

Weirdly, with both LAN 2 and LAN 3 connected to the Draytek, I can intermittently ping servers if I am running a constant ping from the server in question to the Draytek, but without the constant ping cannot get ping responses.

Also, slightly weirdly - I can ping the main router in the old LAN location with both LAN 2 and LAN 3 connected, even when I cannot ping the servers in this subnet.

I'm guessing this is routing related to the way the Cisco MX100 is set up but am unsure as to what I am missing.

Weird routing issue\question

by CiscoInstaller in Security / SD-WAN
11-27-2019 02:26 AM

We are working on migrating an existing network setup to Meraki hardware and for the first stage need to make some of their existing config communicate with the new Meraki layout.

The existing setup consists of an internal LAN (utilising Cisco switching 172.31.109.0/24) and has a Draytek router installed in parallel that has an interface that is connected to the internal LAN and the WAN interface configured with a direct internet connection.

There is a wireless network inside the Draytek configuration (192.168.65.0/24) that provides DHCP to wireless clients and allows them to be segregated from the main internal LAN with firewall rules restricting access to just the servers on the internal LAN.

We have installed a Cisco Meraki network on a new IP range (192.168.48.0/22), which contains some new servers and plan to migrate some of the existing servers and service to this new LAN. Communication between the new Meraki LAN and the existing internal LAN is configured via a VLAN with routes in place to allow servers and clients on the old internal LAN to successfully communicate with servers on the new Cisco Meraki LAN.

We need to configure the Draytek such that clients on the wireless network (192.168.65.0/24) can access servers on both the old LAN (172.31.109/24) and the new Meraki LAN (192.168.48.0/22).

We attempted to do this by configuring another spare port on the Draytek with an IP address on the Meraki LAN and while this appears to allow communication between all LANs, caused an issue whereby intermittently the wireless clients could not access servers on either LAN (they were sometimes pingable, sometimes not). I believe that this behaviour suggests there was some form of network triangulation occurring.

Does anyone have any suggestions regarding the best way of configuring this communication, primarily on the Meraki side? Is it the case that there needs to be explicit VLAN configuration for the Draytek subnet on the Meraki infrastructure? Or static routes for this range to direct traffic for the Draytek subnet to the Draytek for the servers on the Meraki LAN?

Any suggestions appreciated!

Re: Connecting to a separate network

by CiscoInstaller in Switching
11-07-2019 08:39 AM
1 Kudo

I found what I was missing and got this configured as required - thank you for your help.

Re: Connecting to a separate network

by CiscoInstaller in Switching
11-07-2019 07:37 AM

Okay, so I have configured a VLAN for the network range on the old LAN (172.31.104.0/22) and set this as the default VLAN for port 4 on the MX100 (which is where I have connected the network cable to the other network).

Whereabouts do I need to add the static routes? Is it the static routes under the 'Security & SD-WAN | Addressing and VLAN' page on the Meraki configuration? And should I be entering the network that matches the VLAN, because when I do that I get an error 'Static lan route subnets cannot be contained by (or be equal to) a VLAN subnet'.

And I then need to add static routes to the servers in the old network range too?

Thanks in advance, sorry if I am missing something obvious!

Connecting to a separate network

by CiscoInstaller in Switching
11-07-2019 06:58 AM

I am installing a new Cisco Meraki solution for a client that is moving away from IT infrastructure (Cisco) provided by their old parent company.

We have configured an MX100 for internet access and provisioned a default VLAN for the new server and client infrastructure. Devices connected to the new Meraki firewall and switches can access the internet and other devices in the same subnet in the new environment as expected.

As part of the transition, we need to connect this new Cisco Meraki infrastructure to the old network to allow the transfer of domain services, data and other settings. The administrator for the older systems has provided us with an IP address and subnet mask in the range that the old servers reside in. I need to configure the new Meraki networking to allow servers on the new network to communicate with resources on the old network.

What is the best way to achieve this on either the Meraki MX100 or one of the Meraki MS225-48FP switches that constitute the new network?

My Top Kudoed Posts
  • Re: Issues connecting Meraki Client VPN (Security / SD-WAN): 1 kudo, 32452 views
  • Re: Connecting to a separate network (Switching): 1 kudo, 2673 views
© 2023 Meraki