Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About Gordon
Gordon
Getting noticed
Member since Jan 12, 2018
Apr 19 2023
Community Record
49
Posts
10
Kudos
0
Solutions
Badges
Jul 28 2020
1:41 PM
1 Kudo
- When a failover occurs a GARP is not sent for the 1:1 NATs therefore in the case of a failover anything that uses our 1:1's stop working - The hit counters on the firewall rules don't work. I have verified this and also have confirmation from tech support. Client VPN. There isn't a way to apply different rules to users since you can't assign a static IP to a VPN client and the MAC address is not registered on the firewall so you can't apply a group policy to it. I tried but soon found out that these policies were being randomly assigned to different systems. No way to positively verify that firewalls rules are working as intended. We have a large number of rules since we deal with not only our own network but with two clients that connect directly to use and they each have over 10 subnets. I have spent countless hours trying to make sure that these rules work. The answer is to send them to syslog but try and work with thousands of syslog messages to determine you haven't missed something. Cosmetically they are horrible as well. Firewall rules are hard to read since you can't see everything in the little boxes they have. I am constantly coping and pasting to and from notepad just to view a firewall rule. Failover order doesn't make sense. At least not to me. Primary WAN1 Primary WAN2 Secondary WAN1 Secondary WAN2 This means that if something happens to the connection on the Primary WAN1 port the system fails over to the WAN2. Our WAN2 port is our cellular backup, not our first choice. I don't think many users will have a high-end secondary ISP connection. It just seems every time I try do something with these firewalls it is either very difficult to implement, it isn't supported or doesn't work. I have a Meraki firewall in a clients office and it is great there. It is a small office with very few firewall rules or anything. It is good if you just want a simple setup. As soon as you try anything complicated you start running in to problem.s
... View more
Jul 28 2020
5:52 AM
Well I have been posting a lot to the forums about trying to get these firewalls to work for me. I have yet to actually get an answer to any of them that works.
... View more
Jul 28 2020
5:50 AM
So I ran a test on the weekend using the following Primary WAN1 - ISP1 Primary WAN2 - ISP2 Secondary WAN1 - ISP1 Secondary WAN2 - not used. This did work. There is an issue though. When I tried to force a failover from the Secondary to the Primary using the dashboard I got a message stating that I needed to configure the WAN2 port and it would not let me switch. I had to go in and unplug the cell device, force the failover and plug it back in. Next I have to try Primary WAN1 - ISP1 Primary WAN2 - ISP1 Secondary WAN1 - ISP1 Secondary WAN2 - ISP2 - we want this as a last resort
... View more
Jul 13 2020
6:02 AM
So I now know what the issue is. When a failover occurs Meraki does not do a GARP for the 1:1 NAT addresses. Therefore the upstream device does not get updated. This is from the Meraki documents. Their solution is tell you to reboot the upstream device. So as far as I am concerned this is a major major flaw in the Meraki failover routine. It can take hours for the upstream device to refresh its ARP table meaning any services you are offering through those NATs will be down for hours. Defeats the whole purpose of having a failover.
... View more
Jun 29 2020
12:04 PM
I should have mentioned that this was working and then we swapped out the firewall via RMA. We have been using a virtual IP from the start. Thanks
... View more
Jun 29 2020
7:05 AM
We are having a strange problem with our MX84 firewalls. We currently have a subnet for our WAN 66.97.20.64/28. We have a number of NATs setup. When we are running on the one firewall everything works. When we failover to the other firewall all the addresses from 66.97.20.72 and up stop working. It acts like the subnet on the one firewall is set to 66.97.20.64/29. I have verified on the local page that it is set to 255.255.255.240 I even tried saving the IP address to a different IP address and it still does not work. I am just wondering if anyone else has run in to this issue. My next step is do a full reset of that firewall and let it rebuild.
... View more
Jun 19 2020
11:58 AM
I am wondering how the dynamic DNS on the MX works if you are using the MG21. Will DDNS use the public IP address on the MG or will it use the IP address assigned to it by the MG. We want to be able to do the following. We have enabled DDNS on the MX. I want to use a cname on GoDaddy to point our DNS to the DDNS address. This will update the DNS automatically and keep our websites available. It may be slow but they will work.
... View more
Jun 10 2020
5:24 AM
That is what I thought at first but then I looked at it again. The default for layer 3 rules for a group policy is allow any any and you can not remove or disable it. So that means any processing will stop at that rule. So in our case we have a number of rules that we want to apply to everyone. Since there is a default allow any any at the bottom of the group policy rules then all those rules need to be added to each group policy or they never get processed. To me it would make much more sense to be able to disable the rule and let the processing continue through the normal firewall rules.
... View more
Jun 9 2020
1:18 PM
I have been working with our firewall rules and group policies. If I understand this correctly if a system is assigned a group policy with a firewall rule in it, the regular firewall rules never get applied. So I can't for example use group policy to assign a user access to a server and still have all the other rules applied as well. I assume this is true as the default rule for a group policy is to allow any. I have looked and I can't find where it really addresses that in the documentation.
... View more
Jun 5 2020
6:04 AM
I have been putting some thought in to this and was wondering if either of these would work. I only want to use ISP 2 as a last resort since it is a cellular device connected to the WAN port. I don't have test environment to try this. Primary WAN 1 - ISP 1 Primary WAN 2 - ISP 1 Secondary WAN 1 - ISP 1 Secondary WAN 2 - ISP 2 or Primary WAN 1 - ISP 1 Primary WAN 2 - no used Secondary WAN 1 - ISP 1 Secondary WAN 2 - ISP 2
... View more
Jun 3 2020
12:31 PM
We currently have two MX84 firewalls setup with a 1GB connection (I know with the mx84 we only get 500MB but we get a real good price on the 1GB - $0) We are in the process of adding a backup ISP but it is going to be limited. and we only want it to be used as a last resort. From reading the order of failover is Primary - WAN 1 Primary - WAN 2 Secondary - WAN 1 Secondary - WAN 2 So if we only plug the device in to the Secondary would this achieve what we want or are there any issues to be considered.
... View more
Jun 1 2020
11:55 AM
It wasn't the Cisco partner it was Meraki. The documentation they supplied was wrong and it took two months to convince them of that. They changed the documentation.
... View more
Jun 1 2020
8:09 AM
2 Kudos
So this is my story regarding Meraki. Our Cisco rep suggested we look Meraki firewalls as a replacement two years ago. It took us two months to be able to configure them and use them. This was working with both Cisco and Meraki technicians. We have what we thought was a fairly simple architecture. Two Ciscos 3850 switches (not stacked) and two Meraki mMX84 firewalls. We wanted to ensure complete redundancy in case of hardware failure. That took two months to get a configuration to work. The documentation provided by Meraki did not work. I see it has since changed. Now we have been having other issues. The first case I opened was in regards to problems with bandwidth. We are not getting the bandwidth on these firewalls that we should. The tech that worked on the case had me upgrade the firewall to pre-release firmware and when that did not work did an RMA. There was no other troubleshooting done. I then opened a ticket because I was working on our firewall rules and needed a way to verify each rule. I was told by the tech that it wasn't possible. I tried pushing the issue and finally had to tell him to close the case. I opened an second case and the tech immediately told me how to check the syslogs and verify the rules. The last case I opened was because when our firewalls failover it is not working properly. I was told the tech would have to view a failover to see what was happening. I scheduled an after hours outage for it and notified support. I was told just to call in. I called in and sat in a queue waiting for a tech for over an hour and finally gave up. I don't believe that when you are calling in to tech support that over an hour on hold is an acceptable level of support. The part that concerns me is that Meraki does not seem to be concerned over over any of this. If we hadn't purchased five year licensing with these firewalls I probably would be looking at replacements rather than support at this time.
... View more
Jun 1 2020
7:53 AM
2 Kudos
Well I finally found out how to verify the firewall rules. It is possible. The syslog entry contains a keyword called pattern. After pattern it details the firewall rule that applied to the log entry so you can match it against the actual rule. It would have been nicer to have something like rule ## but I can work with this.
... View more
May 20 2020
9:39 AM
We have 8 internal subnets. Plus we have 30 routed subnets from our clients. These are controlled by approximately 60 firewall rules. It is very easy to make a mistake and end up with traffic going unintended places. Add to that our syslog server is handling over 300,000 message an hour. It is very easy to miss something. I have worked with a number of different firewalls and this is the first time I have had a firewall that I could not through a report, the dashboard find see what traffic was being handled by which firewall rule.
... View more
May 20 2020
9:28 AM
Yeah. This just doesn't work for me. I have about 60 rules on my firewalls. So when things are not working right I need to know why. We have a number of subnets on our network plus a number of clients that connect directly to us with a large number of subnets. So it is essential that I can verify that my firewall rules are working as they are. This means I need to be able to look at a rule and see what traffic it is allowing or blocking. Seeing it on my syslog server without any way to determine which rule it came from is not acceptable to us or our clients. To me this is a huge security issue. I need to positively verify a rule is working as intended.
... View more
May 20 2020
7:28 AM
I understand that. But what if there is a bug in their firewall. We have no way of knowing. I already know there is one bug because the rule I have specifically for syslog does not generate any hits and there are literally thousands of packets that should be hitting that rule. So if there is one bug there is a good chance there is another. I also realize that with any device or software there can be bugs but without a way to verify it is not good.
... View more
May 20 2020
7:16 AM
The issue is that it doesn't verify that the rule was the one that generated the log entry. It just says "a" rule in the list generated the log entry. So if you have a mistake in your rules you have no way of checking it to make sure it is the correct rule.
... View more
May 20 2020
5:38 AM
1 Kudo
I opened a ticket with support and their answer does not make sense. I have been working on tightening up my firewall rules. In doing so I noticed I had two rules that were not showing any hits and I know there should be. They are two rules allowing my log messages to go to my syslog server and they come different subnets. The response I got back was that the hit counter was not reliable to use my syslogs. The problem is the logs do not tell me which firewall rule triggered the log entry. So now my question becomes - how do I know that the rules are working the way I think they are supposed to be. It wouldn't be the first time I created a rule and then realized it wasn't exactly what I expected or wanted. So if I am not getting hits on those rules how do I know it is not another rule further down in the list that is allowing the traffic. This seems to be a big issue not being able to verify that your rules are working the way they are supposed to.
... View more
May 15 2018
10:52 AM
1 Kudo
I emailed the person who emailed my but I don't think I tried that one. I will do so. Thanks
... View more
May 15 2018
10:18 AM
I did. I can not even get a response from them. Makes me wonder if that is the way they treat their customers.
... View more
May 15 2018
9:54 AM
I attended a number of Meraki webinars. A number of them indicate that if you attend you can get a free switch, or firewall or access point. After attending the webinars I answered the email request to verify my address. I have even tried contacting someone there (not easy). In the end I never did receive anything.
... View more
May 4 2018
11:56 AM
1 Kudo
I think I may have a solution that will work for you. I was able to get full redundancy using this configuration across multiple switches.
... View more
Apr 26 2018
6:52 AM
I haven't even got to that point yet. I am working with a CISCO engineer on the problem and we think we have a solution. My problem is that I can not get everything forwarding let alone test for failover.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 4821 | |
| 2 | 8493 | |
| 1 | 4547 | |
| 1 | 8976 | |
| 1 | 4211 |
© 2024 Cisco Systems, Inc.
