Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About Billy
Billy
Getting noticed
Member since Dec 28, 2017
Mar 22 2023
Community Record
34
Posts
4
Kudos
0
Solutions
Badges
Jan 25 2023
5:31 PM
In the logs, we would see something like: [0] 0000.0000::11/08/22-09:09:12.1725355 [kernel] bfe_event_c2507 BfeNetEventTrace() - Classify drop: ipProtocol=17; localAddrV4=010.008.157.171; remoteAddrV4=010.250.160.070; localPort=67; remotePort=67; appId=<NULL>; userId=\\\NULL SID; reauthReason=0; originalProfile=0; currentProfile=0; filterId=1373202; layerId=13
... View more
Nov 14 2022
9:09 PM
Update on this issue: The issue turned to be one of the DHCP servers. They were configured as Failover with 50-50 load balance, thus some meraki APs were able to get an IP while others weren't. There was a filter on the server's firewall that was affecting the DHCP process and the issue was resolved once removed.
... View more
Nov 1 2022
3:16 PM
Sorry for the confusion, those IPs on the example are from a different site. The one that I'm testing is on a /24
... View more
Oct 31 2022
10:37 PM
I have already reset those APs multiple times, same result. I'll try and see if I can get a packet capture during the power up of those APs.
... View more
Oct 31 2022
9:39 PM
- Yes, same switch/port tested with different APs. One works, one doesn't. - Plenty of IPs on the DHCP scope, I'm using a /24 and there are 5 APs up atm.
... View more
Oct 31 2022
9:02 PM
I've got several MR46 APs, for which I've configured trunk ports on Cisco switches similar to this: ! interface GigabitEthernet2/0/48 description Meraki AP 1 switchport trunk native vlan 555 switchport trunk allowed vlan 555,556,557 switchport mode trunk ! For the IP assignment I'm using a pair of Microsoft DHCP servers, while the SVI is configured as follows: interface Vlan555 description WiFi MGMT no shutdown no ip redirects ip address 192.168.117.28/27 no ipv6 redirects ip ospf passive-interface ip router ospf 1 area 0.0.0.0 hsrp version 2 hsrp 555 preempt priority 110 192.168.117.30 ip dhcp relay address 192.168.10.55 ip dhcp relay address 192.168.20.55 The issue that I have is that while most of the APs work without issues, pick up an IP address and connect to the dashboard, a few of them don't. The same APs that are not able to get an IP address from the Microsoft DHCP server, are able to pick one and connect to the dashboard, if the DHCP is set on the switches. The same issue occurs when using non-Cisco devices too as switches (same trunk config, DHCP relay configuration, some APs pick IPs, some don't) I tried reset and also tried after getting them upgraded (MR 28.7.1) Any ideas?
... View more
Labels:
- Labels:
-
Installation
Apr 18 2018
5:29 PM
@PhilipDAth wrote: Did you know you can specify a prefix instead of an individual IP address in NPS? For example, you can use 192.168.0.0/16 to represent a huge number of access points - with a single client entry. The certificate based authentication is tested and works, however I'd rather not go with a generic /16 definition as a source. Furthermore, there is an additional SSID that authenticates in NPS servers that I don't manage and pass through firewalls that I also don't manage (merged companies). From a security compliance perspective, there's no way that a /16 definition would be accepted.
... View more
Apr 17 2018
10:47 PM
I have a network consisting of a few sites connected through VPN (Hub/Spoke) with several access points and I want to provide certificate based authentication for a specific SSID through the NPS server. Having to configure several IPs as a source on the NPS server is quite time consuming, enabling the Meraki's RADIUS proxy and exposing the server to the internet is definitely not the best option and using a Wireless Concentrator and driving all of the wireless traffic to a single point would result in a non-optimal bandwidth utilization. Is there any way, or any plans to implement a way of using a single source for all those RADIUS requests? The ability of configuring one of the MX devices as a RADIUS proxy would be a nice feature
... View more
Mar 5 2018
2:55 AM
1 Kudo
Any updates on this one? I'm looking into deploying that design on a site in the near future and knowing beforehand how this solution is expected to perform would be quite useful. Thanks
... View more
Jan 24 2018
3:33 PM
@s4mmy wrote: Just something on this, we have about 180 Sierra Wireless AirCard 320U working fine with MX64's. You just need to make sure you have the firmware up to date, and turn off the autologon feature using the watcher on a PC. I second to that. I haven't tried MX64, but I've used AirCard 320U on MX100 (MX 13.28) with a Telstra SIM, without any issues.
... View more
Jan 21 2018
3:01 PM
1 Kudo
@MilesMeraki wrote: I had this on-going problem with one of our MX's. I opened a support case and Meraki support advised that this problem normally arises when the MX is having problems connecting to one of the registries. They manually changed the registry which ours connected to and I then stopped seeing these events in our event log. I'd advise contacting support so they can do the same for you. I see. I assume that the vpn registries that are currently assigned are not optimal. Thanks, I will contact the support about that
... View more
Jan 18 2018
6:38 PM
@PhilipDAth wrote: It has no effect at all on established tunnels. And usually, it has no affect on forming new tunnels as long as nothing has changed its IP address or port. Thanks PhilipDAth
... View more
Jan 18 2018
5:43 PM
2 Kudos
I keep seeing log messages like: Jan 19 11:15:46 HUB-MAST VPN registry connectivity change vpn_type: site-to-site, connectivity: true Jan 19 11:15:23 HUB-MAST VPN registry connectivity change vpn_type: site-to-site, connectivity: false Jan 19 11:14:29 HUB-MAST VPN registry connectivity change vpn_type: site-to-site, connectivity: true Jan 19 11:14:16 HUB-MAST VPN registry connectivity change vpn_type: site-to-site, connectivity: false Jan 19 10:48:27 HUB-MAST VPN registry connectivity change vpn_type: site-to-site, connectivity: true Jan 19 10:48:00 HUB-MAST VPN registry connectivity change vpn_type: site-to-site, connectivity: false Jan 19 10:46:56 HUB-MAST VPN registry connectivity change vpn_type: site-to-site, connectivity: true and on the VPN status: VPN Registry: Partially connected. This security appliance is able to connect to at least one VPN registry using outbound UDP port 9350. or MX is unable to reach VPN registry So my question is, does temporarily loosing connectivity to the VPN Registry affect the tunnels that have already been established, in any way?
... View more
Jan 9 2018
6:41 PM
@DCooper wrote: I knew the AutoVPN over usb was coming, just didn't realize it was in this public beta. So did it only fail over when the rules were there? I assumed it would failover to USB and be all or nothing and not pay any attention to load balancing or rules you have setup. I haven't tested but have it in the lab so can reproduce what you have setup. It currently runs v13.28. If I define a prefered link (WAN1) at the uplink selection policies, it looks like it's only trying to use WAN2 if it WAN1 fails. Load balance on uplinks option though, does utilize cellular in a case of WAN1/2 failure. Edit: Same thing applied on the earlier beta version too v14.20
... View more
Jan 9 2018
5:54 PM
@DCooper wrote: In the version you have access to we do not perform AutoVPN over USB-Cellular. It is working as expected. I performed a hard failure test, pulling off both WAN1/2 cables. It failed over USB-Cellular interface and when I had configured the uplink selection policies to use "Load balance on uplinks that are suitable for <performance class>" I was able to access the remote resources through VPN
... View more
Jan 9 2018
5:32 PM
Another bug that I want to point out in this scenario where 2xWAN links and a cellular interface are used is that if "Prefer WAN 1. Failover if poor performance for <performance class>" is defined, instead of "Load balance on uplinks that are suitable for <performance class>", traffic will never failover to the cellular interface.
... View more
Jan 9 2018
4:01 PM
That's the network design and what I've been trying to achieve. It would be really useful if there was an option where we could monitor, for troubleshooting purposes, the traffic shapping rules statistics: que depth, total drops, no buffer drops, exheed drops, drop rate etc.
... View more
Jan 8 2018
8:53 PM
@PhilipDAth wrote: Have you tried using 13.28, the current stable release candidate? I haven't used the 14.x series of beta code yet. I just installed 13.28, same result. The Policy applied is Fail over if uplink is down rather than the defined one
... View more
Jan 8 2018
8:32 PM
@PhilipDAth wrote: What software version are you using on the MX? MX 14.20
... View more
Jan 8 2018
8:27 PM
@PhilipDAth wrote: You should be able to specify a port - but you will probably have to wait for any existing cached flows to age out first. Try configuring it, and then giving the MX a reboot to make it take affect immediately. Note that modern RDP clients use UDP/3389 for their main transport - not TCP/3389. So create two rules, one matching UDP/3389 and TCP/3389. That is assuming that you don't have an RDS gateway, and then it will use TCP/443. In my case, the RDP server is a dedicated RDP server, so matching the whole IP address is more straightforward. I have tried using both Meraki's "Remote Desktop" traffic filter and protocol/port based definition with the same result, even after rebooting the MX I have also tried splitting the protocols to UDP and TCP or using more specific expressions like 192.168.134.0/24 UDP/3389 to 192.168.0.0/16 any. Same result
... View more
Jan 8 2018
7:30 PM
@PhilipDAth wrote: You need to configure the VPN flow preferences under: Security Appliance/Traffic Shapping/Flow Preferences/VPN Traffic Like this: I noticed that you haven't specified a port in your traffic filter rules. If I use a generic definition of something like 192.168.0.0/16:any to 192.168.0.0/16:any, it will work. However, I am trying to make it work based on either a specific port (TCP/UDP:3389) or a specific protocol (Remote Desktop). Generally I have specified 5 different performance classes based on applications and protocols and the expected performance, including SNMP, Citrix, Remote Desktop, DNS etc etc For example: Uplink Selection Policy
... View more
Jan 8 2018
6:07 PM
@PhilipDAth wrote: Is the traffic you are trying to apply it to going over AutoVPN, or over the Internet? AutoVPN
... View more
Jan 8 2018
5:26 PM
I can see in your case, @PhilipDAth that the policy for RDP is applied to the VPN connections: While in my case it appears that it hasn't been applied for some reason: RDP on VPN
... View more
Jan 8 2018
3:24 PM
Hi @PhilipDAth, My question is why the Policy that appears to be applied doesn't much to the defined one. As shown on the previous post's configuration, both ICMP protocol and DNS (any - any UDP/TCP 53) are configured to use the Load balance on uplinks that are suitable for "LOW AF21" Uplink selection policy, however only ICMP appears to have that policy applied. ICMP DNS
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 38887 | |
| 1 | 12905 | |
| 1 | 38832 |
© 2024 Cisco Systems, Inc.
