Meraki

DensyoV · ‎Mar 4 2021

Hi, yes, that is the error you get when you add multiple destination subnets separated by commas. You will need to create a separate rule for each destination.

DensyoV · ‎Mar 3 2021

Hi, Are you getting any errors when saving the config? Please note that the FW page in the group policy doesn't allow you to enter multiple destinations subnets in one rule unlike on the main FW configuration page where you can.

DensyoV · ‎Mar 3 2021

Hi, The MX is definitely dropping all inbound traffic by default unless you configure 1:1 NAT, 1:Many NAT or port forwarding. However, it doesn't really have any control of the incoming traffic, it is up to your service provider if they can block certain traffic from reaching your MX.

DensyoV · ‎Mar 1 2021

Hi just to add if you still see those logs, you can take a packet capture on the Internet interface of your MX to see which IP is it coming from, using the Wireshark application, use the filter udp.port==500

DensyoV · ‎Mar 1 2021

Hi It depends on your routing configuration what destination subnets are reachable over the MPLS. It only supports static routing and source-based or policy-based routing is not supported so you cannot define what traffic or type of traffic can pass only over the MPLS link.

DensyoV · ‎Mar 1 2021

Hi, The connectivity between the MS and the ISR, can you make it an access port on VLAN 10? The alert detects the MAC address is sending using VLAN 30 IP 10.10.10.1 but from MX's perspective, this should be VLAN 10 network. Thanks,

DensyoV · ‎Mar 1 2021

Hi, You cannot use the MPLS link as a WAN connection if it doesn't have connectivity to the Internet at all as it relies on the Meraki cloud connectivity for the management traffic and SD-WAN basically requires the link to be connected to the WAN interface. You can integrate the MPLS however using the LAN port of the MX but it will not achieve your requirements: https://documentation.meraki.com/MX/Networks_and_Routing/Integrating_an_MPLS_Connection_on_the_MX_LAN

DensyoV · ‎Jan 6 2021

Hi Alex, If the clients' connection is bouncing between APs although they are stationary, then you may need to tune the transmit power of your APs to ensure they have sufficient signal to avoid these unintended roaming and yes if the client roams from one AP to another before completing the authentication process, the AP will fail to receive to the client's reply and therefore logged it as authentication failure.

DensyoV · ‎Jan 5 2021

hi Alex, kindly ensure your APs are running on the latest stable version. there was an issue before in the 26 and earlier 27 version wherein the wireless health is showing false positive authentication failures.

DensyoV · ‎Jan 4 2021

hi, there is no option to change the speed/duplex setting of the AP port. it auto-negotiates at 1 Gig.

DensyoV · ‎Jul 30 2020

Hi, A quick packet captures on the cellular interface of the MX and the WAN interface of the hub should reveal whether the devices are sending UDP packets to build the auto-VPN. A successful connection should show bidirectional or two-way UDP traffic between the peers. If you see unidirectional traffic only on either or both peers, then the traffic is being dropped or filtered upstream. Service providers use CGNAT (carrier-grade NAT) in cellular deployments which is known to cause issues with auto-VPN connection due to how this is implemented.

DensyoV · ‎Jun 9 2020

Hi, Yes, whichever is running as the primary. Thanks,

DensyoV · ‎Jun 7 2020

Hi, I suggest verifying the connectivity to the Syslogs servers and they are reachable from the MX and then take packet capture from the MX to see whether it is actually sending traffic to the servers or not. Also, if the Syslog servers are over the VPN, make sure there is no site-to-site VPN firewall rule blocking the traffic. https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration#Additional_Considerations Thanks,

DensyoV · ‎Apr 22 2020

Hi, Are you only having the issue when using that Mac device? Also, have you tried connecting from different sources? The client VPN uses IPsec protocol so UDP ports 500 and 4500 are used and should NOT involve other ports. You can also take a packet capture on The MX's Internet interface during the failure so you can see what is going on with the UDP traffic. Thanks,

DensyoV · ‎Apr 20 2020

Hi, I ran through the API docs (help > API docs page on the Dashboard) there is still no API call available to update the DHCP configuration of the switches so you will need to update the configuration individually on each of the networks you have. Thanks,

DensyoV · ‎Apr 19 2020

Hi, At the moment, there is no API call available to get the information required. You can find all the supported API calls on the help > API docs page of your Dashboard. If it is not listed there then it is still not supported. Thanks,

DensyoV · ‎Mar 4 2020

Hi, If you are only concern about the email alerts, then perhaps you can just temporarily disable it instead of turning off the VPN. The problem with turning off the VPN, if you are just using auto for the NAT traversal, its UDP port may change once you re-enable the VPN again and if there is a FW upstream, it may drop the packet if it sees a different UDP port or if it unable to clear the previous UDP flow. hope this helps.

DensyoV · ‎Feb 25 2020

HI, Please see my answers below: 1. Can I add additional VPNs from separate SSIDs to the same MX84? Yes, it is configured per SSID basis so you can add more SSIDs if you want to be tunneled to the same MX84 2. If I have a second MX84 in a second DC, can i achieve failover between the two? Yes but it requires manual failover. As you can see on the access control page, you can only select one concentrator at a time so you have to update the configuration to be pointed to the secondary MX. hope this helps.

DensyoV · ‎Feb 18 2020

Hi, The recommended or best practice is to have separate VLANs for transport and management, but your configuration should still work. Here is the link to the Meraki General MS Best Practices for layer 3 features. https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practice_Design_-_MS_Switching/General_MS_Best_Practices#Layer_3_Features Thanks,

DensyoV · ‎Nov 24 2019

Hi, Based on your route table, if the destination IP matches the 192.168.X.0/24 network then the traffic should be routed to ASA. However, if it does not match and falls under the default route 0.0.0.0/0 then it will go to the Palo Alto because it has a higher priority than the default route over the WAN connection. If you suspect that the traffic is not routing over the IPsec even if it matches the 192.168.X.0/24 destination subnet, then you may need to call Meraki support so they can check whether this is the case or not. Hope this helps.

DensyoV · ‎Nov 24 2019

Hi, Thank you for your reply. Question 2, If a guest network is created and provided, is it possible to have the traffic communicate directly from the WAN of MX without communicating with Site1? - If the guest network is not advertised to the VPN on the site-to-site VPN configuration then it won't be able to communicate across the tunnel -- This question is a non-meraki VPN peer, not Meraki auto VPN. ans: advertising local LAN to VPN applies to both auto-VPN and non-Meraki VPN peer Question 3, If source IP and destination IP are specified in "SD-WAN & traffic shaping" Flow preferences> Internet traffic, will it take precedence over non-meraki VPN peers sett - No, the Meraki will only form a VPN to a non-Meraki VPN peer on the chosen primary uplink -- When the default route is directed to Site1 (non-meraki VPN peer) Can guest network clients communicate directly from the MX WAN? ans: there is no option to configure source-based from the Dashboard but please call the Meraki support if they can exclude the guest network from full-tunnel or using the default route via the VPN Thank you in advance.

DensyoV · ‎Nov 24 2019

Hi, Looking at the help > API docs on my Dashboard, there is a sample response shown for generating a snapshot and the time format (ISO 8601) is not considering the milliseconds so it appears to be rounded off. hope this helps.

DensyoV · ‎Nov 18 2019

Hi, Please find my answers below: Question 1, Does the configured “Non-Meraki VPN peers” work in order from the top? - No, it is based on the destination subnet whichever is more specific. You may verify it from the routing table of the MX. https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior Question 2, If a guest network is created and provided, is it possible to have the traffic communicate directly from the WAN of MX without communicating with Site1? - If the guest network is not advertised to the VPN on the site-to-site VPN configuration then it won't be able to communicate across the tunnel Question 3, If source IP and destination IP are specified in "SD-WAN & traffic shaping" Flow preferences> Internet traffic, will it take precedence over non-meraki VPN peers sett - No, the Meraki will only form a VPN to a non-Meraki VPN peer on the chosen primary uplink Hope this helps.

DensyoV · ‎Nov 13 2019

Hi, The routes learned from auto-VPN (Meraki to Meraki) cannot be advertised to a non-Meraki peer. You need to configure a separate IPsec tunnel pointed to site 2 if you would like that VLANs on that site to access the resources across the non-Meraki VPN peer. Hope this helps.

About DensyoV

DensyoV

Community Record

Badges