Meraki

jimmyt234

You would need another MX to point the static route at, and have the NMVPN configured on that MX, as @rwiesmann was describing. If you use Secure Connect you can have a NMVPN tunnel terminate there and be shared by all spokes, but unless you're already in that ecosystem it would probably just be easier to get the 3rd party to create VPNs to every spoke network.

jimmyt234

VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout) - Cisco Meraki Documentation You only need the SDWAN+ license to do major application VPN breakouts, you can still do custom expressions (IP/DNS) with the non-SDWAN+ license. The major applications list is fairly short anyway:

jimmyt234

There is nothing on the linked status page .. ? "All Systems Operational"

jimmyt234

We tend to use templates for LAN/WLAN but for SDWAN it just lacks the flexibility to be useful. If more overrides were available (load-balancing I am looking at you) and the full L7 NBAR list then we would be getting somewhere.

jimmyt234

Thanks @RWelch it is available on our shard now too, have just opted us in! We did try to ask support about early enablement / being on a shard that has it but that didn't go anywhere.

jimmyt234

Yes, this is now possible. Documentation: vMX NAT Mode Use Cases and FAQ - Cisco Meraki Documentation 2 useful threads: Configuring the Meraki vMX in Azure for Routed Mode with LAN/WAN Separation... - The Meraki Community Proof of Concept: Routed Mode vMX in Azure on MX 19.1 with Advanced Securit... - The Meraki Community

jimmyt234

What we have learnt over time is that you cannot trust the Meraki auto-updates to keep you updated and not have networks in "critical" status. You have to take ownership of the process (whether this be via API or manual).

jimmyt234

No - each device in the HA pair needs its own dedicated WAN IP. You can then optionally set up a VIP if you wanted too, from within the same subnet. As @KarstenI says - standard setup would be a /29 with 2 uplink ports from the ISP, this allows you to plug both your WANs into their equipment.

jimmyt234

Just to add some more weight to this, we have dozens out there in the wild and as far as I am aware none have experienced the reboot 'panic' issues that the MX75 has.

jimmyt234

This will partly come down to whether you are using Template networks or not, as when you chose what to upgrade (and presumably downgrade), all networks bound to a template are upgraded at the same time.

jimmyt234

Looking back through our ticket history we first starting running into this in November, so it has been a good few months already. ☹️

jimmyt234

Did you by chance make any amendments to the WAN port? We have run into this known issue quite a lot: Due to an issue under investigation, making certain configuration changes to WAN interfaces (such as disabling or enabling an interface) can cause the IDPS process to fail. This issue may also cause high device utilization. The issue can be worked around by rebooting the MX appliance or disabling and then re-enabling IDPS. (MX-34504)

jimmyt234

As well as this you need to test using actual end user devices, and not ping the MX itself as it will often ignore firewall rules. (Unclear if .3 is a host of the MX itself)

jimmyt234

During a maintenance window you remove the 0/0 route via the NMVPN peer, this should let you then create your networks, after which you can put the 0/0 route back in.

jimmyt234

I've encountered this before and it has been due to a similar/bigger CIDR prefix being routed via a NMVPN peer.

jimmyt234 · ‎Feb 19 2025

We manage customers that range anywhere from 1 site to 100+ sites!

jimmyt234 · ‎Feb 19 2025

They would all be in Europe 😊

jimmyt234 · ‎Feb 19 2025

Just checked half a dozen different Orgs and none have it available yet under Early Access.

jimmyt234 · ‎Feb 19 2025

The unfortunate reality is that you need to manage your own firmware as letting Meraki automatically update, as you have experienced, doesn't happen half the time and you end up with networks in Critical status that have not been upgraded in years.

jimmyt234 · ‎Feb 17 2025

Another reason we stopped using templates 🙂

jimmyt234 · ‎Feb 17 2025

Or pay some $$$ for a reserved IP only on your instance: https://docs.umbrella.com/umbrella-user-guide/docs/reserved-ip (My assumption is that if the 3rd party is allow-listing by public IP then they make not be happy to add the entire Umbrella CIDR ranges...)

jimmyt234 · ‎Jan 31 2025

Fixed a rare issue that could result in VMX appliances going offline 11 months after first upgrading to an MX 19.1 release. Had to play the long game to find that one out 🤣

jimmyt234 · ‎Jan 28 2025

Packet Capture Overview Change: Added "IPSec VPN" description. This is huge - always missed not being able to packet capture on NMVPN tunnels!

jimmyt234 · ‎Jan 20 2025

Ah that will be the difference then. 99% of our deployments will have the public IP directly on the interface.

jimmyt234 · ‎Jan 20 2025

That's strange, I've just looked at a few different Orgs and for MX devices those 2 columns are all displaying the devices correct WAN 1 and WAN 2 IP.

About jimmyt234

jimmyt234

Community Record

Badges