Community Record: 15 Posts, 1 Kudos, 1 Solution
May 16 2024
5:32 PM
Z3 standalone network being used for a club has been experiencing a number of IP Conflict alarms by seemingly one device ... the MAC within the Client list suggests this is some kind of Android device ... the logs suggest it is requesting DHCP services to assign its IP Address ... The issue is it is using addresses already assigned/in use ... fairly certain Meraki would NOT issue an address that it has already assigned.

Added a blocking policy to this device but it keeps moving to another in-use IP ... used arp -a to try and track this device but every time I ping this device it disappears from the arp list.

Are there any network/wifi tools that could help track this device down?
May 6 2024
3:37 PM
Looking for some ideas on how to mitigate recent alarms without turning off the Alarm Monitor ... thanks in advance for any insight you can provide.

Recently have started getting a whack of IP Conflict Alarms from 3 independent Meraki Z3 routers ... logs indicate these devices are requesting DHCP services ... highly doubt the Z3 would provide an IP that is already assigned ... while an Online Reverse MAC Lookup is returning an unknown Manufacturer, the Z3 client listing identifies these problematic devices as Android.

Attempts to block one MAC using the Policy Editor appear to be failing as this one device keeps showing up in the alarm logs bouncing around between several existing IP Assignments.

Reading some Android issues, suggest Paired Devices like a watch and Smart Phone have been known to use the same IP address (with different MACs)? OR Devices are incorrectly using their last assigned IP address instead of requesting a fresh one?
May 2 2024
10:49 AM
Can anyone clarify how the Z3 client list might be generated ... at a high level, expecting there may be one of two methods OR a combination of both methods ... could be other methods ... just attempting to understand my finding listed below

Method A) Router keeping track of all addresses communicating on the network
OR
Method B) Router doing something like an arp to discover what devices respond

If only Method B, could explain the following ... due to not trusting the security of Cheap IOT devices, whenever possible, instead of configuring them with the true Gateway Address, the Gateway Address is either left blank or is the same as the Static Address assigned to the device.

Comparing device configurations appears to indicate that only devices with the correct Gateway assignment are in the Z3 client list.

If this indication is true, is there a way in the Z3 to deny a device WAN access ... these devices need to function within the network but don't want them communicating externally ... Perhaps some kind of Outbound/Inbound Firewall rule? Deny all protocols to/from IP address x?
May 1 2024
10:13 AM
Cambium cnPilot is an AP with the gateway (gateway is the Z3) defined to provide DHCP service so don't think it is acting as a router ... as stated in my previous reply to you the Cambium traffic appears to be listed but perhaps the non-explicit reserved settings on the Z3 were causing some of the client details to be ignored?

As I have now explicitly defined all of the STATIC devices hopefully they will now show up in the Z3 client list.
May 1 2024
10:03 AM
No apologies are required ... appreciate the feedback.

Of the 507 available addresses with a 23-bit mask, the Z3 DHCP has been set to have 300 unreserved addresses, 207 reserved addresses with 17 of those static.

The client list is confusing because it claims there are currently 144 clients ... my confusion might be because I was expecting this list to show active clients ... instead, it is showing clients that have connected within the current filtered time (Day, Week, Month) ... what led me to open the original question was I expected that ALL 17 of the STATIC "Active Devices" would be found in the Client List (9 of which are connected via the Cambium AP).

On closer inspection today I missed 2 that were within this 144 listed clients over the past 24 hrs.

Which leads to more questions: As 8 of these 9 devices are IP cameras which are being actively polled every 5 minutes, why aren't they all showing up in the Client List ... if 2 are showing, why not all?

What I have done today is EXPLICITLY add ALL 17 of these Static Address Devices as FIXED IP ... perhaps the Z3 was ignoring these devices as they were in the Reserved IP Block and most were NOT added to the FIXED IP ASSIGNMENT list.
Apr 30 2024
1:44 PM
Not using the Meraki Z3 Wifi due to its physical location ... instead, we have 2 APs connected: one centered inside a 2-story building (Dlink), the other outside (Cambium) ... if I go to the Meraki dashboard, I can see a list of wired and wifi connections from the Z3 and inside AP but it appears none of the clients connected to the outside AP are listed ... the outside AP is set to use the Meraki DHCP to assign IPs to either 2.4G or 5G devices ... the Z3 netmask is set to 255.255.254.0 providing up to 500 connections ... although I can get a client list from the Cambium Dashboard, would like to be able to confirm this on the Z3 Dashboard ... is there some Z3 setting that might prevent getting the client info from the Cambium?

Several clients are using STATIC addressing that conflicts with existing assignments ... I have temporarily blocked these devices with an included splash screen.
Jan 23 2022
2:37 AM
Thanks, I will reboot all network devices when I go to site next week and see if that resolves the issue.
Jan 23 2022
2:23 AM
ok so I have applied a group policy with Layer 3 of deny 192.0.0.0/8 and Layer 7 deny p2p ... YET ... I can still ping any of the 192.168.210.0 or 192.168.209.0 devices ... am I doing something wrong or am I misunderstanding the guest example given by: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Creating_and_Applying_Group_Policies
Jan 23 2022
12:26 AM
Z1 set with 192.168.210.0/24 for the LAN and 192.168.209.0/24 for the VPN.

All Permanent clients have been assigned Static IPs to allow remote port forwarding and remote support.

Trying to isolate one PC on the INTRANET (LAN CLIENT) from seeing or interacting with any of the other Devices inside the 192.168.209-210 INTRANET.

Currently using an AC1200 WiFi Router (Model R6120) with a static IP on the WAN (192.168.210.65) ... the PC plugged into the Netgear LAN basically has its own domain of 192.168.1.0-254 ... BUT ... it can still connect to any of the upstream IPs in the 209-210 network ... is there some way to restrict this IP access to the 209-210 network?

I tried to put the AC1200 in front of the Z1 and use the AC1200's DMZ feature but the Z1 features, specifically the VPN, failed to work in this configuration ... AC1200, by default, has VPN pass-thru enabled ... the Z1 VPN failed with DMZ on AND off.
Jul 3 2020
7:00 PM
1 Kudo
Please Disregard my previous posting ... tried another machine which had exactly the same results with W10 Pro 64b.

Turns out in this case the 691 error was CORRECT ... there may be an issue with the Meraki Dashboard used from the latest Firefox browser ... I explicitly CHANGED the PW for the VPN User to something simple as a temporary test ... this temporary password apparently wasn't accepted by the dashboard ... don't recollect seeing any error message when I pressed the change button so will take a closer look at this as a possible issue.

Anyway I have now put back the original PW and reset all users ... all working now.
Jul 3 2020
4:37 PM
Not certain what is going on with my attempts to connect to a Meraki Z device using VPN Client in WX Home (brand new out of the Box HP Laptop):

2 Laptops side by side (same local network and appliances); L1=W7 Home Premium, L2=WX Home

L1 connects to the Meraki Z VPN with no issues

Disconnect L1 and attempt to connect L2 with IDENTICAL credentials but the connection is denied

L2 reports the following VPN error:

Can't connect to <name of VPN> VPN
The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server

The L2 application events log shows a 691 error also suggesting the credentials don't match

The MZ log indicates the following common negotiation messages
- received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
- invalid DH group 20.
- invalid DH group 19.

while L1 connects with the following negotiation message
- VPN client connected <local ip>

both display the following negotiation messages
- ISAKMP-SA established <MZ ip address>
- IPsec-SA established: ESP/Transport <connection details>
- IPsec-SA established: ESP/Transport <more connection details>

L2 does not connect and has a number of additional negotiation errors
- purged IPsec-SA proto_id=ESP
- ISAKMP-SA expired <MZ ip address>
- ISAKMP-SA deleted <MZ ip address>
- no configuration found for <local internet ip address>
- failed to begin ipsec sa negotiation.

I have followed the:
- Meraki troubleshooting guide
- Meraki W10 VPN Client instructions

Being I can connect via another machine with the same credentials with the only notable difference being the W10 Home 64b OS (All updates have been applied), I can only assume there is some issue within the W10 machine.

All the 'Solutions' found on the net or in this forum thus far have NOT produced a solution.
My Accepted Solutions
Subject | Views | Posted |
---|---|---|
 | 1895 | Jan 23 2022 2:37 AM |