Meraki

ITSDigital · ‎Aug 21 2025

We run tens of them, and no lockups. Our 75's are running newer firmware (19.1/19.2), but never saw it on the older 18.x train.

cmr · ‎Aug 20 2025

Indeed, but it was always listed as 'other' on the dashboard. I'm not sure the firmware bot knows how to deal with that...

jimmyt234 · ‎Aug 19 2025

Solved: Re: Welcome to your AI Assistant - The Meraki Community

Holli69 · ‎Aug 18 2025

I thing the table settings are new

Bobcheese2 · ‎Aug 18 2025

Ok adding to this, seems like when someone is connected to the AnyConnect the customer loses connection to the far end of the S2S VPN locally. AnyConnect user doesn't seem to lose connectivity to the S2S VPN at all just local LAN (Wi-Fi) users. Can see lots of logs of DNS failure on the Wi-Fi during that time, DNS server is at the far end of the S2S VPN. Anyone seen anything like this before?

jimmyt234 · ‎Aug 18 2025

I agree that the labelling/messaging is poor on this one. If you see the Firmware Upgrades feed a couple weeks ago it was released as stable: https://community.meraki.com/t5/Firmware-Upgrades-Feed/A-new-stable-appliance-firmware-is-now-available-on-Thu-31-Jul/ba-p/279413

Dunky · ‎Aug 15 2025

haha yeah, I found it just before you replied 🙂 Thanks.

Bobcheese2 · ‎Aug 13 2025

Hey, did you test this at all? Was researching VRF's (as I saw it in the org) and was wondering if anyone had tried to implement yet of if any docs had been released

rhbirkelund · ‎Aug 11 2025

How are you assigning the 1.1.1.0/29 pool? Is it something that you have picked yourself? 1.1.1.1 is a public-ly routed subnet, so I would very much avoid using that on the WAN interfaces of the MX. Considering also that when Meraki Devices go offline and loose their Uplink Connectivity, they tend to be arp'ing a 1.1.1.1 address. If you do not have a public routed subnet assigned that you can use, try to stick to RFC1918 addresses.

rhbirkelund · ‎Aug 10 2025

Sos did I. 🙁 Saving Meraki socks as an investment, was not exactly on my bingo card. But good to know!

Volodymyr · ‎Aug 9 2025

So why then organize a contest and write that your closet is bursting with gifts and everyone who leaves a comment will receive them. But how is it really? Half of them received them? How many did not receive them? I'm waiting 3 weeks instead of 3 days to read that you didn't calculate.?((

GIdenJoe · ‎Aug 8 2025

Two days ago Cisco released the 17.18.1 IOS-XE release so it's only a matter of time before we get the version in dashboard 😉

PhilipDAth · ‎Aug 6 2025

Try splitting the problem in two. Place a port on the switch manually into VLAN20 (access port). Plug in your notebook, does it work? Attach your own notebook to the SSID, does it work?

jimmyt234 · ‎Aug 6 2025

Thank our AI overlords 😉🤖

manilovefrogs · ‎Aug 5 2025

Is this a supported use case from Meraki? Other NVAs go deep into use cases that cover this sort of thing, but east/west VNET routing to the VMX as a gateway is glanced over in all Meraki documentation, while they simultaneously advertise it as being a simple way to manage your cloud environment.

GIdenJoe · ‎Aug 5 2025

Darren made an excellent point with the amount of tunnels since if both are running in NAT mode and each side has 2 ISP's you can take your site count and quadruple that number to know your tunnel count. However maximum sessions is indeed another issue to tackle with. It must be that you have too many hosts each making small concurrent sessions. In that case if you want to keep the SD-WAN design you may need to change up to one-armed concentrators instead and group branches each to their own preferred concentrator.

alemabrahao · ‎Aug 4 2025

Good luck 🤞

CalebD · ‎Aug 1 2025

It seems to be working now. Thank you!

jimmyt234 · ‎Aug 1 2025

You could try changing your WAN failover behaviour from Graceful to Immediate and re-test. Connection Monitoring for WAN Failover - Cisco Meraki Documentation

BlakeRichardson · ‎Jul 31 2025

If you have added the info from Help > Firewall info then I would contact support.

jimmyt234 · ‎Jul 25 2025

Update from support: Being that our AI Assistant feature is still in the test phase, we are still working on some of the configuration aspect and working out some of the bugs on the backend. I have brought this issue to the attention of our senior management team to take a look at on the backend. In the meantime, can you try adding the following subnet ranges to your login IP configuration? • 64.62.142.12/32 • 158.115.128.0/19 • 209.206.48.0/20 • 216.157.128.0/20

GIdenJoe · ‎Jul 24 2025

On the pc you can temporarily fudge with the subnetmask but please on the MX do use the 255.255.255.254 mask to configure the uplink. This works fine in recent releases.

cmr · ‎Jul 23 2025

I tried again and the switch port disconnects when the cable test is run... But at least the MR56 reconnected at 5Gbps this time!

JamesHammy · ‎Jul 21 2025

Final update and we have resolved the situation. This has been a right pain to fix but we got there in the end. Several things we went through: We tested that the traffic did indeed move between the site-to-site tunnel and WAN connections when adding exclusions. Packet capture verified this. We have a static IP provision in our Secure Connect environment but this only applies to traffic destined for services on ports 80/443 traffic. Outbound traffic to services running on any other ports will originate from Cisco's massive pool of dynamic IPs. This is a ridiculous oversight/limitation of the static IP provision cost. Meraki/Cisco should take note! The traffic for this troublesome app contacts an initial site for auth and license checking using HTTPS but then contacts the database instance on port 40,000-ish. This meant the traffic would originate from different source IPs, as per point 1. At this point, we considered that maybe the app's cloud server may be using session/IP-pinning of some kind and the disparity was causing the issue. The cloud service has some kind of load-balancers in front of the auth site, which changes the destination IP every few minutes. At this point we almost threw in the towel as the IP differences were at the third octet so excluding them would have been all but impossible without inadvertently excluding massive chunks of the internet. We couldn't perform DNS-based local internet breakout exclusions because we do not use the MX to proxy DNS requests. We use DNS This is how we fixed the issue on the client VPN but was impossible here. I managed to get the DNS-based exclusions working for a single laptop by altering a test VLAN to provide DHCP with 'upstream proxied DNS'. This worked immediately but is impractical due to the fact that the Meraki MX device uses the primary WAN port's DNS server to resolve, which in our case is Google's DNS. This means we lost local DNS resolution for the domain, which is a show-stopper. I don't know whether MX WAN interfaces would allow an internal DNS server (domain controllers) to be configured so didn't attempt. At this point we figured we'd give the Umbrella admin interface a deeper look in conjunction with the fantastic dbgview.exe from sysinternals. Once we established all the DNS names the app was contacting, we looked at the historic IPs associated with the DNS/URL entries, within Umbrella, and could see that although the IPs rotated quickly, there were only actually about 5 of them per service (about 17 total) and they'd been consistent for the last two years. We added all of the IPs to the tunnel exclusion and it finally worked. It's not ideal adding so many IPs to the list but given the massive change that would be involved with reconfiguring our internal DHCP scopes to use the MX for proxying resolution to our domain controllers, we'll be leaving it as-is. What a faff. Honestly, I'm not sure the Secure Connect solution is really worth it, given the limitation around static IP addressing and the extra complexity of internet breakout. Couple that to the complication of using the Umbrella agent on the local laptops, it makes DNS a much bigger pain to administer. Anyhow, all sorted.

BlakeRichardson · ‎Jul 20 2025

Congrats everyone and well done @DanD

About jimmyt234

jimmyt234

Community Record

Badges