Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About MarcAEC
Community Record
63
Posts
33
Kudos
1
Solution
Badges
2 weeks ago
I asked support to have engineering grep the source code for "192.16.0" to find out under what conditions the MX will fall into serving the IP range, but they won't do it. They're asking me to put the MX into the error state (e.g. take it offline for an extended period) and then get logs. I don't have physical access to be able to do that. And that shouldn't be a requirement to grep the source code anyway.
... View more
a month ago
That's interesting. The service provider resolved the issue, but we found the MX still couldn't connect to the cloud controller. So, we did factory reset it and it came back online with the correct configuration.
... View more
a month ago
I did. Support's response was to state that the MX will not reset by itself. But that's what it has been doing.
... View more
a month ago
What a technician has been doing each day is taking the MX to a location that has internet and then allowing it to download the configuration. Then we brings it back to the site without connectivity and we confirm it is issuing the correct IP addresses. So, it's not a case of power being required in order to sustain the storage.
... View more
a month ago
I have a site that is experiencing a long term outage. The users keep reporting loss of access to the network drives that are hosted on a server at the site. When we looked into things, we found the Meraki MX had stopped issuing the correct IP addresses via DHCP and started issuing the default 192.16.0.x IP addresses (which no longer match the static IP the server is using). And when I went to the local status page, the password was back to the default (device serial number) and the static WAN configuration had been erased. It appeared as if the MX had factory reset. At first I suspected a power disruption could have caused this. I've seen cases when multiple power disruptions in quick succession did something like this. But it has been happening every day now (3 times so far) and there haven't been any symptoms of a power problem. Is the MX programmed to go back to defaults when it is unable to connect to the cloud controller for an extended period?
... View more
12-16-2022
05:12 AM
If the higher security threshold is newer and the older firmware only provided the equivalent of the now lower security threshold, then it would be a reasonable ask. However, if that is the case, then they should redo the sizing guide in both scenarios to be transparent about it.
... View more
12-15-2022
08:52 AM
What does Device Utilization in Organization > Summary show for the network? I was able to counter support trying to explain an issue away with "over utilization" by showing utilization was actually fine. In this case, a firmware bug might cause high device utilization. But if the graph doesn't show it, you can use it as a counter argument. In my case, they were counting total clients, which was higher than recommended, but half of the devices were IP phones that sit around doing nothing most of the day.
... View more
11-29-2022
06:33 PM
I have 16.x on a MX100 and several MX67s (and 17.x on one MX67), and haven't noticed any problems. They do have advanced security and IDS is enabled. But most of the uplinks are less than 300 Mbps. Does the problem only manifest with faster uplinks?
... View more
11-28-2022
07:55 PM
Have the 17.x performance issues been resolved in this version?
... View more
11-28-2022
07:52 PM
17.10.2 has been moved to Stable status? Have the performance issues been resolved?
... View more
11-14-2022
12:35 PM
3 Kudos
In your Layer 7 Firewall Rules make sure the following is not present: Deny # Peer-to-peer # All peer-to-peer Deny # Peer-to-peer # Encrypted P2P I've also had to remove: Deny # Peer-to-peer # Encrypted P2P # eDonkey Deny # Peer-to-peer # Encrypted P2P # eDonkey Static Deny # Peer-to-peer # Encrypted P2P # Encrypted eMule (dDonkey & Kademlia)
... View more
10-18-2022
01:27 PM
When I originally set up the Layer 7 rules, I thought it would apply to internet traffic only, not traffic between clients and servers within the local network. Has it always been like this, or is application to internal traffic something new-ish? IMO, this makes the lack of the ability to add layer 7 allow rules even worse.
... View more
09-29-2022
03:49 PM
1 Kudo
Had Encrypted P2P / Statistical Peer-To-Peer start blocking WMI traffic between severs today. At least we know now to check the Meraki event and security logs first when when things start randomly failing,
... View more
09-20-2022
08:10 AM
The latest Meraki eDonkey attack was blocking DNS forwards from spoke DNS servers to the hub DNS servers. I had turned off eDonkey on the spoke templates, but hadn't changed the hub settings. Now it's off at the hub as well. Interestingly, the templates have 5 L7 Peer-to-peer options. A non-template MX has 29 options. I wonder if the sites attached to the template have more than eDonkey disabled since I can't select the "All peer-to-peer (P2P)" option for them.
... View more
09-14-2022
02:46 PM
I ended up taking out the eDonkey layer 7 rule (so now down to 4). I doubt that eDonkey is in use much these days, but not being able to contact the email server is a big deal.
... View more
09-14-2022
09:54 AM
The devices are on 16.16.5. And there are 5 separate P2P layer 7 rules (BitTorrent, DC++, eDonkey, Gnutella, Kazaa), instead of a single "All peer to peer" rule due to the MX NBAR blocking Statistical Peer-to-peer traffic incident.
... View more
09-14-2022
09:03 AM
The IT Help Desk received a report that multiple users at a site were unable to connect to an internal email server. Upon investigating the event log, we found the MX decided to start blocking random traffic as NBAR ID 67, classification eDonkey based on the layer 7 rule to block eDonkey P2P traffic. This appeared to ramp up Friday and continue through this week. In addition to email traffic, I see it blocking DNS queries. Why would the MX think email and DNS traffic is P2P eDonkey traffic? eDonkey is so old, it's quite possible 100% of the blocked traffic was false positives.
... View more
08-18-2022
02:13 PM
To me, it can't be stable if a known issue is the increased risk of instability. That's a known issue of beta software.
... View more
08-18-2022
02:04 PM
1 Kudo
Is this a "stable" release or not? It can't be stable and have a known issue of "...an increased risk of encountering device stability and performance issues on all platforms and across all configurations."
... View more
08-10-2022
11:33 AM
2 Kudos
It's really disappointing that Meraki didn't push out a fix when the details of this first emerged. Instead, each customer whose email was nonfunctional was left to figure out the problem and manually add a threat protection override. What's the point of something being in the cloud if the vendor can't act fast when there is an obvious and serious problem? The irony is that the vulnerability allows someone to conduct a denial of service attack, and the result of Meraki protecting from it is a denial of service.
... View more
05-20-2022
10:39 AM
2 Kudos
Let's not forget that this problem is really an example of a deeper problem. The Merkai development team likes to design functionality that has broad effects without including a way for customers to implement exceptions. The NBAR problem would be much smaller if there was a way to create ALLOW rules for confirmed mis-identifications. Instead, it's an all or nothing choice. This is the same problem with the geographic filtering. Need to access one specific site in Russia? Guess what --you need to allow all inbound and outbound traffic from the entire country.
... View more
04-28-2022
05:06 AM
2 Kudos
The list of "Current Modems" that are "...are still actively being manufactured, distributed, and sold..." is now officially empty.
... View more
04-07-2022
03:52 PM
4 Kudos
Alex, if you have access to the product team, could you find out why they are so resistant to updating L7 to support exceptions. This has been a big problem with geo-filtering for years. When MaxMind decides 8.8.8.8 is in Iran, we can't put in a rule that exempts 8.8.8.8 from geo-filtering. Instead, we have to allow all traffic from Iran!
... View more
03-28-2022
11:07 AM
1 Kudo
No, but if the software vendor's fix makes a material change to the functionality, that should be documented in release notes. The most likely fix that support is implementing is to cause "statistical P2P" to be excluded when "All P2P" is selected. If that's what they're doing, they should disclose that versus saying "don't worry, trust us".
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 5532 | 09-25-2020 03:15 PM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 4 | 8503 | |
| 3 | 1926 | |
| 3 | 11753 | |
| 3 | 16886 | |
| 2 | 9731 |
