Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout SimonReach
SimonReach
Building a reputation
Member since Jan 9, 2018
a week ago
Simon Peart
UK
Community Record
95
Posts
22
Kudos
3
Solutions
Badges
a week ago
4 Kudos
Just clarify, i've sorted it by doing a Group Policy unblock for the VPN Clients of ports 49152-65535 into the server address, this works.
... View more
a week ago
Thank you for the great response. So, Test-NetConnection -ComputerName 10.0.17.1 -Port 445, when running from the client on 10.0.100.174, works fine and connects straight away. Test-NetConnection -ComputerName 10.0.100.174 -Port 445, when running from the server on 10.0.17.1, fails the connection. Wireshark running over the vpn connection on the client, when the Test-NetConnection is being done from the server to the client, confirms that the client sees the request but it's blocked on the way back. 416 31.096235 10.0.17.1 10.0.100.174 TCP 66 [TCP Port numbers reused] 52323 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
... View more
a week ago
Hopefully someone will be able to assist with this. I have a client Group Policy rule that only allows specific traffic from a vpn client to a server, the server in question has an ip of 10.0.17.1 and the client is 10.0.100.174. Now there are rules that allows client access to the server for TCP ports 3389, 443, and 445. These work absolutely fine, so client machine can unc to the server and also rdp to the server without issue. I also need to allow a unc connection from the server back to the client, so i thought simple, allow port 445 to the vpn subnet...doesn't work, allow all traffic to the vpn subnet, doesn't work, i needed to allow all traffic to the server before it would work. I capture packet logs from when the server is trying to get a unc to the client and shove the data into ChatGPT but it moans it's too much data or just tells me the settings i have should work fine and i don't need anything more than port 445 which is already unblocked. So my question is, if the server on 10.0.17.1 is trying to unc to a client that uses a group policy, what specific traffic could potentially be getting blocked that needs unblocking, apart from 3389, 443 and 445?
... View more
Labels:
- Labels:
-
ACLs
-
Client VPN
-
Firewall
2 weeks ago
We just use the standard Windows client vpn, we don't use AnyConnect at all.
... View more
2 weeks ago
A group policy applied to a client VPN user is associated with the username and not the device. Is there anyway to change it to per device? We're trying to lock the client vpn down to the a point whereby a malicious character that has got the username, password and secret key will still have zero access to the network. The testing i've done by connecting my laptop and mobile to the vpn is that both will get the same policy, even if i only apply it to one of the ClientIDs, is there no way at all to do it via device?
... View more
2 weeks ago
Is there a way to apply a Group Policy to a device automatically? We do use RADIUS for authentication for logging onto the ClientVPN but that seems, from my reading up and understanding, to be based purely on the user. What i'd like is per device so that if a malicious party were to get my username, password and the secret key, they'd be able to log into the VPN but would have zero access if they weren't on a client that had been confirmed to be ok? edit: Just going through the event logs, the vpn clients never seem to change the MAC address at all when reconnecting to the client vpn from today back to February. So it looks like the MAC address must be remembered somehow based on a unique identifier from the machine that is being used to connect?
... View more
2 weeks ago
Sorry, i'm aware of that but my question is is if a user connects to the vpn with a new laptop and they've got no access, they ring me and say nothing works, i apply the relevant group policy to their new laptop and confirm everything works. End of the day, they disconnect from the VPN and then come back a few days later, will i need to apply the policy again or will Meraki remember that that device needs a certain policy and everything would just work without me having to reapply the policy to the laptop agian?
... View more
2 weeks ago
When a user connects to the Meraki Client VPN, it gets a MAC address that i can go into Network-Wide > Clients, do a search for the my clientvpn user account, click on the MAC Address for the machine that corresponds to my user and then assign a Device Policy to that client. How does Meraki assign the MAC address? If for example i connect my laptop to the client VPN from different locations, would it get a different MAC address or would the MAC stay the same, meaning, i only need to apply a policy to my machine once for the life span of the machine?
... View more
Labels:
- Labels:
-
Client VPN
-
Firewall
2 weeks ago
Been looking at locking our network down even more than it is and been using the Site to Site VPN firewall rules and they seem to be really nice to work with and you've got the ability to add multiple ports for a single rule e.g. Port 80,443, etc. With the Group Policy Layer 3 Firewall rules, you seem to either have a choice of Any, or doing a continuous group of ports e.g. 123-127, or adding a single port in. Is there no way to add multiple ports with commas to the Group Policies, like there is on the Site To Site VPN Firewall?
... View more
Labels:
- Labels:
-
Firewall
Jan 29 2025
3:52 AM
Think we've managed to solve it, we need an RD Gateway for it and a certificate. From what appears to be happening, the new Server 2022 RDS server is seeing every machine on the local LAN, meaning within the Data Centre, as being fine but anything that is across the SDWAN, despite being on the same domain and part of the same network, is external so a certificate and an RD Gateway is needed. Even VPN users connecting to the client vpn the Data Centre MX is being seen as external. Our Server2016 server doesn't require any of this and picks everything across the SDWAN as being internal.
... View more
Jan 29 2025
1:41 AM
No change i'm afraid, set it to be 1300 and nothing. The very strange thing is, it now seems to "work" on MS Edge on my computer in the headoffice when i connect through hostname, meaning i can log in but i can't run any of the apps, but if i try the ip address in Edge or either hostname or ip in Google Chrome, they still fail.
... View more
Jan 29 2025
1:22 AM
Telnet hostnamedc 80 and 443, i get blank screen. If i use a port that i know is blocked, i get a "could not open connect to the host, on port 1" error.
... View more
Jan 28 2025
10:36 AM
From my computer at the head office - I can ping the DCRDWeb server via ip address and hostname, confirming it's not a DNS issue. I can RDP to the DCRDWeb server. Accessing via ip address results in the same issue as accessing via hostname. If i connect to the ClientVPN that's configured on the MX at the DC, that fails with the same issue. Looking at the IIS logs on the DCRDWeb server, it logs me connecting and i'm getting a successful HELLO, according to the logs.
... View more
Jan 28 2025
8:22 AM
We've got multiple sites connected across an SDWAN via Meraki MXs and Meraki switches. We have our current Server2016 RDWeb server hosted at our head office, it's been working perfectly for years without issue and is accessible via client vpn and also from every other SDWAN site apart from our Data Centre, this has never been an issue before though. We are configuring a new Server2022 RDWeb Terminal Server in the Data Centre though. We can access the hostnameDC.domain.int/rdweb server without issue when accessing from other DC based servers and it'll redirect to the http://hostnameDC.domain.int/rdweb/Pages/en-US/login.aspx?ReturnUrl=/RDWeb/Pages/en-US/Default.aspx It will give us the login screen and we can login fine. When we access http://hostnameDC.domain.int/rdweb from outside the Data Centre, it will redirect to the logon page but the logon page will never load and never time out. We removed all Content Filtering from the DC, all the firewall rules, the ACL rules and still nothing. The only thing different about the DC site is the 2x Cisco 9300X switches that all the servers are plugged into, this Cisco switch stack does not have any traffic filtering at all. Any ideas please? Just some additional information. The Server2022 RDWeb server was exported from the DC to the headoffice, we can access the new RDWeb server when it's hosted at the headoffice from every other site, apart from the DC. This rules out a configuration issue with the new server.
... View more
Dec 16 2024
6:24 AM
Thank you to you and @PhilipDAth, this seems to be it. Changing the DHCP server over to the Windows DHCP server, it'll show you the unique ID for any devices getting IPs from it, is there anyway to see the unique ID in Meraki or is Meraki purely done via MAC?
... View more
Dec 15 2024
8:36 AM
Has anyone ever had issues with ip address reservations in DHCP not working at all? It works fine for Windows servers but the Ubuntu servers will get an ip but not the correct ip they should get. MAC addresses are all correct in the reservation, they match up with what's on the client screen, but the Ubuntu server will just get whatever ip is available on that vlan. This has been an issue since putting in the Cisco 9300X-24X-HM stack. We have the same issue whether the dhcp is being done by the stack or by the MX85s, DHCP works fine apart from the reservations for the Ubuntu servers. Meraki/Cisco support is looking at other issues with the 9300X stack, presume this is all related to that.
... View more
Labels:
- Labels:
-
Other
Dec 6 2024
1:48 AM
Thank you to you and @cmr, the bonding mode was changed to Mode 1, this is Active/Backup mode so is a switch independent mode so doesn't require the aggregation of the ports. I want to avoid port aggregation for the time being until all the faults with the switches are resolved.
... View more
Dec 4 2024
7:58 AM
Thank you for the response VivekT, we've got a brand new dual C9300X stack running CS 17.1.4 and we've had the issue with port aggregation, we had issues with 1 of the switches running out of memory and falling over and taking out the entire stack for 5 hours before it came back up and we had issues with DNS/DHCP not working reliably at all. It had been in place for a day before it went down but luckily it went down at midnight rather than midday.
... View more
Dec 4 2024
4:43 AM
Have a bonded pair of 10GbE ports on a Ubuntu server, bonded in the Round Robin mode, plugged into 2 stacked C9300X switches. There is an alert constantly coming up about MAC address flapping. Aggregating the 2 ports on the switches causes both ports to get blocked. Anyone who knows Ubuntu/Linux know what the bonding mode should be please? The Windows servers are working fine with Switch Independent SET configured.
... View more
Labels:
- Labels:
-
Other
Dec 4 2024
4:40 AM
I've sorted it, i've also removed those 2 rules as well. It was the SD-WAN policies with VPN Traffic. Essentially these were set to be "Fail over if poor performance", changed to "Fail over if uplink is down".
... View more
Dec 2 2024
6:25 AM
Hi everyone, we've got 2 WAN links to the internet at our main site. WAN 1 is a 200Mb link and WAN 2 is a 50Mb link. This is all configured through a Cisco Meraki MX and MS network. All of the Cisco phones were migrated today from CUCM to Webex Calling, all the phones are on a vlan of 1200 and in Flow Preferences within SDWAN & Traffic Shaping on Meraki, i've setup internet traffic for that VLAN to go out through WAN 2, so source is 10.1.200.0/24 with any port and any destination. I've also setup a rule that says any traffic going in to that vlan goes through WAN 2 as well, i've also added additional rules for any UDP traffic with a source port of 9000-9009 and 5060-5070 will go through WAN 2 when it comes from any vlan. The issue seems to be though that in Cisco Webex Calling management, when looking at the analytics, some of the public ip addresses for calls is the WAN1 public ip and some are WAN2 public ip. All the handsets are set up the exact same way so not sure why there is a difference. Anyone have any ideas why? We do have Webex Windows client on the client machines and all traffic that doesn't match the above rules go through WAN1. The issues we're having is WAN1 tends to be saturated with client and server traffic and WAN2 was gotten purely to be for any VoIP and Webex traffic.
... View more
Labels:
- Labels:
-
Other
Nov 12 2024
2:14 AM
2 Kudos
Thank you, looks like it's done the same as the data so will do that.
... View more
Nov 11 2024
9:04 AM
Installing 2 C9300X-Ms this coming weekend. I know i require 2 data stacking cables, going from stacking port 1 to port 2 on both switches. Never stacked power before though and i can't find if i need 2 power stacking cables as well or if a single power stacking cable is fine?
... View more
Labels:
- Labels:
-
Other
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 1435 | Jan 29 2025 3:52 AM | |
| 1182 | Dec 4 2024 4:40 AM | |
| 1856 | Oct 22 2024 2:51 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 4 | 266 | |
| 4 | 1041 | |
| 2 | 2131 | |
| 2 | 1974 | |
| 2 | 1986 |
© 2025 Cisco Systems, Inc.
