Community Record: 39 Posts, 24 Kudos, 2 Solutions
Jan 22 2025
5:14 AM
OK, thanks for the update. You will need to purchase Secure licenses separately. You need to reach out to your preferred partner, could be ATT, CDW etc., and purchase licensing, which will be separate from Meraki licenses. You can order through many vendors directly.
https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/secure-client-og.html
There are three types. I would just suggest Plus if you're doing VPN only, to cover the amount of users that you need (minimum is still 25 I believe). That covers you to use the software from the Meraki side, and support/upgrades that you can get directly. It's not very expensive unless you have hundreds/thousands that you need. You can pool smart licenses together now, so if you buy 100, they can be shared between all devices that need licenses with smart licenses vs buying them per device. As far as the SMB speeds, I cannot say for sure why it's happening other than I don't have that problem over Secure Client. The only other thing I can say is maybe upgrading the client to the newest version could help/fix the issue.
Jan 6 2025
8:41 AM
2 Kudos
Gotcha. I missed that part. That part is controlled by Cisco/Meraki for the version and download links. If it's not the right one that you are looking for, then you don't have a choice but to get the contract issue fixed so you can get the latest version. You could also open a case with Meraki and see if they can update the links, or manually provide you with the fixed version that you require. Without having all of the info for your SMB problem, since you know the LAN speed is good, I would get a case open with Meraki as well for the VPN speeds. It seems like the firewall is the bottleneck again since the LAN speeds are good. 5MB/s is very slow. It could be TLS vs DTLS, or a border device is blocking udp/443 for DTLS etc. Support would be the best recourse here since they have way more insight into the settings etc. than I would. It's likely going to require packet captures on both ends (MX and end user) to see what is happening in the PCAP to determine where the issue lies. It could be asymmetric routing and so on. I'm just speculating, but you said other protocols are fine so I doubt it would be that. 100% guessing on the MSS, UDP vs TCP etc. I have seen this slowness before just on SMB because it was not using DTLS (udp/443) and was using TCP/443, but I would still expect better than 5mbps.
Jan 2 2025
7:57 AM
Thanks for the update. If you have access to the Meraki Client VPN page, you can download Secure Client from there: the honor system is for Secure licenses. As you can see from the top of the picture, you can just turn it on and go. There isn't a check to make sure you have the required licenses for Secure Client yet. Salesmen are always very responsive until they get the sale 🙂 As for the SMB speeds, there are too many variables to say on that one. It could be MTU settings, platform settings and so on. If you are getting the proper speeds via other protocols over Secure Client, then you know the platform and end devices are capable. I would suggest doing a packet capture (no, I'm not Meraki support lol) to make sure you are not getting a bunch of retransmissions, or fragmentation for SMB. I do not have MPLS on my end, but my MX hooks directly into an MS aggregation switch (10gbps) into an access switch via 10gbps with all clients connecting at 1gbps and I get the speeds I mentioned above. Again, you have to take into account the speed of the end user (the VPN user's internet connection), your head end internet connection, and overhead for IPS/AMP/URL etc. I'm assuming that you get full speed internally, and it's just over the VPN that it's slow? If so, then it's something going on with MTU etc., which a packet capture from the remote VPN user and the server hosting SMB should tell you where the problem is. I'm assuming you are using Windows Server for SMB shares.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/slow-smb-file-transfer
https://community.cisco.com/t5/security-knowledge-base/anyconnect-mtu/ta-p/3150017
https://www.reddit.com/r/sysadmin/comments/2mt3jc/reducing_mtu_value_to_fix_slow_cifssmb_over_vpn/
Hopefully this helps!
Jan 2 2025
6:31 AM
I see the same thing. I also get a bunch of alerts of IP conflicts from the MX for 1.1.1.1 on a full stack reboot (MX, MS, MR). It will go away once everything is back up and going. It's odd though that it would be using IKE from an MR to establish connectivity to something. The whole GEO/IPS/URL/AMP is a mess, as most of them don't show up in a customer-facing log to even know it's working, or what was blocked/allowed. This has been a main gripe, that we cannot see most L7 events or look at the system logs that contain all of those events. Also my understanding was that IKE and AC/Secure server processes listen on the control plane/management plane, which we don't have access to at all on Meraki devices. I'm surprised that adding in L3/L7 rules will block the connection. We had an issue with bots/people trying to connect into AnyConnect over and over locking accounts out (I'm sure it's scripts running from data breaches) and at the time there was no way to protect against this (months ago) on the ASA/FTD platform, because that was control plane/management plane traffic, without defining a management access rule to block each IP individually, which is not feasible. I'm not sure how Meraki is doing this. The new 9.18 code (for ASA) will rate limit and block unsuccessful connection attempts based on what you define the limit to be. To my knowledge Meraki has no such protections on this, so I don't have my VPN tied into AD for the accounts to get locked out. On my MX95 I don't think it's using the offloading as it's built in (I believe on SNORT3). I still see the same as what is described, with some connections being blocked. I had one happen yesterday that was allowed because I have it set to detection. If prevention is enabled, I never get anything. Nothing shows up in the log or on the security center. I'm assuming this is a bug.
Dec 30 2024
3:19 PM
In your last picture above it says (not VPN), so I don't know what that means at the bottom of the picture under the Umbrella DNS section. Secure Client is replacing AnyConnect. VPN (via Secure) is part of Secure Client now. Right now it's the honor system, so if you enable it in the Meraki dashboard it just works. You should have corresponding licensing for all of your users, so I'm not just saying to turn it on without licensing (if you can, since they have you restricted, assuming you can't get there). You could reach out to Cisco TAC if you have a CCO with that sales order number and see if they can add the contract(s) to your profile. If that fails, then that means you are not entitled to that contract. I'm speculating, but usually that means the company doesn't match, i.e. it's registered to ATT. Speed wise, it's based on the MX hardware and your ISP connection. My MX95 for example can do 800Mbps max throughput, and I can get upwards of 600mbps real world speeds through it over Secure Client.
Dec 30 2024
11:15 AM
2 Kudos
I would push to get 1:1 for time. This is 100% on Meraki, not you, so in co-term you should not take a hit at all. The licensing team will regen the license for 1:1 (or should) so you don't lose anything from it. I am in PDL so they didn't have a choice but to give me the full time, but I don't see why they wouldn't in co-term either.
Dec 30 2024
10:15 AM
1 Kudo
Could be the same licensing bug that I had to deal with on the Z4s. Might be worth calling licensing directly and explaining what is going on. If it's the same as the Z4 issue, the org won't let you add a lower licensed product even though it should. They can do it manually, and as far as I know that is the only way to get it working (with the Z4s) at this time. I was told they are working on a fix for the dashboard, but no ETA.
Dec 30 2024
8:47 AM
From my experience (if my understanding of your problem is correct) it depends on how they licensed it with Cisco. If it's fully managed by ATT, they could have the licenses/support registered to ATT. If so, you cannot add the contract to your CCO for access to it by you. You would need to contact ATT every time you wanted to upgrade, since they would be the owner of the device, and they would need to provide you access to the software. If they registered the software/contract to you, then you can reach out and get the contract number or SO (Sales Order) number and associate it to your CCO for access to do it yourself. I doubt they would put it all in their name, but you never know. With subscription licensing it might make more sense to just keep it all in ATT's name and take from their pool of licenses, as it's much less administrative effort just to keep up with their own vs every customer they manage. If you notice, it says Cisco Secure Client (AnyConnect) (Not VPN), and the Secure Client does much more than VPN. NAM/Posture/ISE/etc. are all part of Secure Client. That part makes me think that VPN is not included.
Dec 30 2024
8:24 AM
As an update, downgrading did not fix the issue. I had a spare MX250 just to test on a different platform, and it does not work either with both 18.x code .2 and .4 patches, as well as 19.x firmware. I cannot go back further than 18.211.2. The MX250 was on 16.x code from 2020-2021, so it upgraded to org code, and I cloned my prod network to this one to retain all settings. I thought maybe something was off, so I factory reset it to make sure there was nothing lingering. I also turned off AMP/IPS/URL/GEO just to make sure nothing was interfering with the connection. Maybe someone else can test this and it's just a mistake on my side. WAN1 port forwarding works fine (WAN1 is my primary uplink). WAN2 port forwarding will not work. It gets a random port and not the port that it's supposed to use. I have the ports I want forwarded set up, and I have the SD-WAN policies set to route all traffic (outbound) from WAN2 from that device, so inbound and outbound should be going over WAN2. All traffic is allowed, and the device is listening on that port. I can see from the application that it is in fact using WAN2 outbound, so I know that works. However it's getting a random port on the WAN2 (for example it's supposed to use 3000, but gets 28437 from WAN2 public), but the device is using port 3000 inbound/outbound. For example, with the configured settings:
Expected flow: WAN2 public IP 1.1.1.1:3000 --> 172.16.1.1:3000
Actual flow: WAN2 public IP 1.1.1.1:28473 --> 172.16.1.1:3000
WAN1 is correctly forwarding the port with this same configuration. I should also mention that I also set up 1:many NAT with the same results. I cannot do 1:1 NAT because WAN2 is a DHCP single /32 address and it will not let me do that.
Dec 25 2024
7:22 PM
Now as a new issue with 19.x code (I know it's a release candidate as of this time), port forwarding is not working on WAN2. It just fails to forward anything for WAN2 to the client device. Downgrading to the 18.x latest patch to see if any of these issues clear up, but I would expect a release candidate to be 90-95% ready to go, and with that, port forwarding is a core feature of a firewall. This is all really basic stuff that keeps getting broken with every release.
Dec 18 2024
1:08 PM
2 Kudos
I just found out the hard way that there is a bug in the licensing where the Z4s are not supposed to follow the org's highest licensing level. I.e. your MXs are SD-WAN but your Z4 is ENT. It's supposed to work that way, where you can mix and match. However, due to this bug, you can't add it with a lower license level and you need to call licensing. They will convert whatever you bought for the Z4 ONLY to whatever your org licensing is until they fix this issue.
Dec 18 2024
12:56 PM
100% agree with you. If I have to put another device in to terminate the VPN connections, why have an MX in the first place? If I get to that point, I will just move back to FTD or some other vendor and get rid of the MX outright. Going off topic, I can't really justify the "cloud" aspect of this anymore. That's the only thing that makes Meraki unique, but with Cisco hosting FMC/CDO (Juniper Mist/Prisma Cloud etc.) this same level can be achieved with other products that are way more stable and can actually do NAT (been on the wishlist since 2015 that I know of). Sure, Prisma Cloud isn't as pretty or has as many options as Meraki, but I would choose stability over features anytime, and I feel this should always be the foundation of any vendor's devices.
Issues I have specifically with the MX line:
1. NAT support (I know there is some support now with AutoVPN, but most people have unique subnets already if they are part of your org). I'm talking about non-Meraki VPN NAT, which, let's face it, 99% of us will run into network overlap with, esp. with many peers, with no recourse other than telling the remote party to NAT to us, or change your IP subnet.
2. AMP/IPS - No indication that it's working. No reports, emails, log entries showing that it's working, as I stated above, esp. in V18/19. Maybe a bug? I have to rely on endpoint software telling me it blocked something, which means it made it past the firewall.
3. GEO blocking - Again, no indication that it's working. No logs showing what's blocked etc.
4. Logging - Logging in general is horrible. Why Meraki doesn't put the system logs out there for those of us that want to look is beyond me. Following the keep-it-simple mantra I get it, but a button somewhere to turn it on for those that want to look/see would be great.
5. Resource/Utilization - No way to tell CPU/RAM/system utilization other than the summary report, which blends all of that together to spit out a number. I have had multiple MXs lock up on me with no way to tell other than calling support, and it was due to CPU/RAM etc. crashing the system.
6. URL Filtering - As far as I can tell it works, but no easy way to tell what's getting blocked. Logging has improved, but most of the time it didn't log the events, or it was an event burst so you still don't see it as they were dropped in the logs.
7. Mix and match license types (within MX). Not every site needs SD-WAN or Advanced Security licenses. The answer I always get is get a Z3/4 device (don't get me started on the Z4 being licensed like an MX now), but sometimes a remote site has 1gbps internet and those won't work and you have to go with an MX, so they are forcing you to buy unneeded licenses to use AutoVPN etc. The only other choice is to set up another org and non-Meraki VPN (see issues in original post).
8. FQDN VPN peers do not work (non-Meraki VPN IKEv2).
9. Support - I have nothing against the support team at all, but I already have a pretty good idea of what's happening when I call support, and most of the time it's because of a bug, or something I don't have access to. See the logging section. The default answer is do a packet capture, which doesn't identify if it's L3/L7/AMP/IPS/GEO etc., and you have to go through one by one and allow/deny to figure it out. I would say 90%+ of all my support calls have been due to bugs that require back-end logs to verify/confirm.
All of these issues are non-existent on Cisco FTD/ASA, or Fortigate etc., and I consider them to be core functionality of what makes a firewall a firewall.
Dec 15 2024
4:30 PM
4 Kudos
Hi Phillip. Thanks for the info. On one of the VPNs it was a single subnet. However, on the other it was multiple subnets. There was no rhyme or reason as to which one would work, and with the multi-core support disabled, both were working without issue. I admit I didn't test reducing the second down to one subnet, as it might have caused an issue for both of them, but again it was working fine that way with multi-core disabled. Thanks for the tip on the AutoVPN as well. I ended up just moving those devices into the org with the headend MX and so far everything has been working fine. Rather than fighting that in the future, that might be what I do. I have a feeling that I'm going to have to do this again soon with other devices.
Dec 13 2024
6:32 AM
2 Kudos
Just an FYI to everyone, I have been having issues with 3rd party VPNs since 18.x code. I am on the latest 19.x code for all devices in question. I even split them to 19.x code and remotes on 18.x code etc. for testing purposes. I have spent about 40 hours with support working on this specific issue. A little background: the head end is an MX95, and the remotes are MX67/MX68, so all Meraki, just in different orgs, hence the 3rd party VPN setup. The first tunnel that comes up works fine. When the second tunnel tries to come up, the initial udp/500 packet works on the proper primary uplink, but return traffic gets sent out WAN2 and the tunnel never comes up. Now on 19.x code, it just stops working altogether even with one tunnel. We went through all 18.x versions and then 19 with the issue still present. I have had a ticket open for months on this, but the workaround was to disable multi-core support. However, I figured out a month later that was adding latency of 2-4 ms to ALL connections, and limited the WAN2 speeds by 60-70% on throughput. This was causing major issues. Recently I had to get that workaround removed, and latency and speeds returned to normal. However, the 3rd party VPN issue cropped back up again. Looking at the logs, the VPN isn't even trying to come up. It just stops working at all randomly. Rebooting the head-end seems to fix it until the next re-key, ISP issue etc. All VPN settings are correct, and it worked 100% fine with multi-core disabled other than the issues I stated above. AMP/IPS isn't working (I think), as I never get any alerts while active/prevention. If I disable AMP and set IPS to detection, I start seeing alerts again. There is nothing in the event logs showing any issues. I have to say I'm shocked that basic functionality of MXs is not even working correctly over multiple major release versions. It seems like (since 2017 when I started using them) major/core features are not working correctly, or problems with code causing issues etc.
This isn't a rant at all, and I know each vendor has their own problems, but these are basic components of a "firewall", esp. a stripped feature/functionality one that costs a premium to use. Has anyone else had similar issues like this, or is it just me that is lucky to find problems with every release? I ended up having to move the devices from their own org into the org with the head-end to use AutoVPN, which magically works great. That presents its own problems with licensing, subnet allocation etc. It now takes congress/CEO level approval to move devices from co-term to PDL as they are pushing the subscription licensing model on everyone now. PDL is no longer possible and is being phased out. It took over an hour of approvals from the AM and licensing management team just to move the license, which all stemmed from the 3rd party VPNs not working. Had this not been a known issue, they would have denied it and it wouldn't have worked at all.
Labels: 3rd Party VPN, Firewall, Other
Jan 17 2024
5:18 PM
3 Kudos
My understanding is that the Meraki device is listening for that DNS request. If you have a DNS server running like AD DNS on your network, you could create a forward lookup zone for my.meraki.com, or mx.meraki.com etc., and point the clients to that DNS server, which will fail to load anything. Thinking outside of the box, but I have done this in the past as a quick way (without web filtering) to block entire domains. This obviously only works if you restrict the clients' DNS to your DNS server. Otherwise they can just change it to something else and it would work globally.
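The forward-lookup-zone trick in the post above (answer the zone yourself so the client never reaches the real host) can be shown end to end with a tiny authoritative sinkhole resolver. The Python below is an added example written for this page; it is not code from the post, from Meraki, or from any AD DNS product. The two zone names, the 0.0.0.0 answer, the 60-second TTL and the UDP port 5353 are all constructed assumptions for the demo. Queries for names under a sinkholed zone get an authoritative A record pointing at 0.0.0.0; everything else is REFUSED, mirroring the post's caveat that this only works when clients are restricted to this resolver.

```python
import socket
import struct

# Constructed sample zones, taken from the names mentioned in the post (assumption).
SINKHOLE_ZONES = ("my.meraki.com", "mx.meraki.com")
SINKHOLE_IP = "0.0.0.0"   # assumed sinkhole answer: client "fails to load anything"
SINKHOLE_TTL = 60         # assumed TTL


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at offset `off`; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(name, qtype=1, txid=0x1234):
    """Client side: standard query (RD set) for an A record (qtype 1), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def in_sinkhole(name, zones):
    """True if `name` is the zone apex or any name beneath it."""
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in zones)


def build_response(query, zones=SINKHOLE_ZONES):
    """Server side: authoritative 0.0.0.0 for sinkholed names, REFUSED for the rest."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    rd = flags & 0x0100  # echo the client's RD bit
    if qclass == 1 and qtype == 1 and in_sinkhole(qname, zones):
        # QR=1, AA=1, RCODE=0; one answer RR whose name is a pointer to the question
        header = struct.pack("!HHHHHH", txid, 0x8400 | rd, 1, 1, 0, 0)
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, SINKHOLE_TTL, 4)
        return header + question + rr + socket.inet_aton(SINKHOLE_IP)
    # Not a zone we own: REFUSED (RCODE 5), this is not a general-purpose resolver
    return struct.pack("!HHHHHH", txid, 0x8000 | rd | 5, 1, 0, 0, 0) + question


def rcode(resp):
    """Response code from the flags word."""
    return struct.unpack("!H", resp[2:4])[0] & 0xF


def first_a_record(resp):
    """IPv4 address in the first answer RR, or None if there is no answer."""
    if struct.unpack("!H", resp[6:8])[0] == 0:
        return None
    _, off = decode_name(resp, 12)
    off += 4                      # skip QTYPE and QCLASS
    if resp[off] & 0xC0:          # compressed owner name (2 bytes)
        off += 2
    else:
        _, off = decode_name(resp, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    off += 10
    return socket.inet_ntoa(resp[off:off + 4]) if rtype == 1 and rdlen == 4 else None


def serve(bind_ip="127.0.0.1", port=5353):
    """Answer queries over UDP; malformed packets are dropped rather than answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        while True:
            data, peer = s.recvfrom(512)
            try:
                resp = build_response(data)
            except (ValueError, struct.error, IndexError):
                continue
            if resp:
                s.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

Run it and point a test client at 127.0.0.1:5353 (for example `dig @127.0.0.1 -p 5353 mx.meraki.com`): names under the configured zones resolve to 0.0.0.0, anything else is refused. In a real deployment the same effect comes from the AD DNS forward lookup zone the post describes, and, as the post notes, it holds only while client DNS is restricted to that resolver.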
Jan 17 2024
5:12 PM
I upgraded my MX95 to 18.205 (or 6) at the time and it caused my CPU usage to go up to 100%. Since there isn't a way to check the CPU, I only caught it because of the summary report showing 100% utilization. I'm sure it would have eventually crashed. I'm still hesitant to move up to 18.207 because of that. I ended up rolling back to 18.107.7 and it was fine again.
Jan 17 2024
5:09 PM
I noticed this yesterday as well. The lookups were failing, but everything else was working for me. Internal webpages were also working over the VPN. I thought with 18.x code it moved to Talos instead of BrightCloud? (or earlier, I can't remember)
Mar 15 2021
11:14 AM
Same here. It's going in and out for me. APs and MX showing offline.
My Accepted Solutions

| Subject | Views | Posted |
|---|---|---|
| | 1792 | Dec 30 2024 10:15 AM |

My Top Kudoed Posts

| Subject | Kudos | Views |
|---|---|---|
| | 4 | 892 |
| | 3 | 1178 |
| | 2 | 1527 |
| | 2 | 1763 |
| | 2 | 747 |