Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About ZDonaldson
ZDonaldson
Getting noticed
Member since Feb 27, 2018
01-29-2021
Sin City
Community Record
50
Posts
11
Kudos
0
Solutions
Badges
01-29-2021
09:18 AM
Hi All, I am seeing a site-to-site vpn connection bounce between wan interfaces. The reason given is 'wan performance' which makes me think it is seeing network latency and bouncing to the backup wan interface. I then see reason as 'primary uplink' which would be the performance issue clearing up and the vpn moving back to the primary interface. The problem with this is that the "failover" is happening every minute or so. Also, we are unable to find any actual performance issues on either of our WAN interfaces, both are testing clean with good latency. Is anyone familiar with how I can find more detailed information on why it is bouncing and possibly how to make it less sensitive...maybe make it stick to one WAN interface a bit more? I have thus far been unsuccessful in finding a configurable setting regarding VPN WAN interface failover.
... View more
06-05-2019
12:57 PM
crap, i already have it whitelisted as well but it's still appearing
... View more
06-05-2019
11:47 AM
great call! I found this in the logs: IDS Alert SSH_EVENT_RESPOVERFLOW
... View more
06-05-2019
10:42 AM
yes, I have run a pcap but it doesn't show anything obvious. I've also run a connection locally from a client on the same LAN as the server to eliminate the firewall connect. When I do it this way, I get no disconnection. If I use the same client but connect using the public IP address and back in via the MX unit, disconnect errors. I also have another external business partner connecting remotely and also getting the same disconnect problem. Its looking like the MX unit as the issue
... View more
06-05-2019
10:08 AM
All, I've set up a port forwarding rule to allow TCP 22 to a particular server, in order to support an SFTP server. The connection is successfully being made, user logs in, but file transfers disconnect after transferring only a few kb. Error code in the sftp server is: Winsock error - 10054 which indicates the remote client is disconnecting. Error code in the client indicates something similiar, the connection is being interrupted. I've used several different clients and even at one point changed SFTP server software. I'm getting the same results. As such, I've concluded it must be something related to my Meraki MX unit but I don't know where to find logs or what I would even check. Any ideas would be appreciated
... View more
05-20-2019
11:05 AM
So I guess your point is that there is no option to do it this way? if both of my HA units are in the same network and are the same device type, there is no way to specify a specific unit to be updated?
... View more
05-20-2019
10:48 AM
Hey All, probably a simple thing, but I'm not seeing how to do it. I would like to update firmware to my passive HA security appliance, fail over to the update unit, then update the "primary" unit. I can't seem to find a place in the dashboard that only allows me to update one particular appliance. Any ideas?
... View more
12-07-2018
04:08 PM
hi all, I have an mr42 that has previously worked. I tried a factory reset by holding the tiny button in for several seconds. after that, when attempting to boot I get a steady orange light followed by the rotating rainbow lights, then back to steady orange at which point the lights on the ethernet port go dark. am I dealing with a failure? any tips on recovering this thing?
... View more
09-14-2018
01:06 PM
yes, I was able to bring the tunnel down and back up. but when I do that, there is nothing in the logs for this particular tunnel... actually, with the problem I am having, I have to reconnect the tunnel several times to get it to pass traffic. I was hoping for logs that would show me which encryption config it is using when it comes up versus what it is using when it won't pass traffic. but, absolutely nothing is showing in the logs for this tunnel. I have another non-meraki tunnel that is showing event logs just fine. weird
... View more
09-13-2018
01:46 PM
All, I have (2) non-meraki vpn tunnels on a particular MX device. one of the tunnels is showing events in the event log (lots of them), but the other tunnel which is having issues is literally showing nothing. I am using the Client filter and get no results in the Event Logs. I have also manually scanned through the logs both in the dashboard and via download, again no results. Is there a way to turn off/on events for a particular vpn connection?
... View more
08-20-2018
03:16 PM
All, is there a way to to give a particular user access to only one portion of the dashboard? In any particular network we have MX appliances, switches, and wireless APs. I want to provide my helpdesk staff access to the AP settings and config, but not to any of the other tabs on the dashboard.
... View more
08-20-2018
03:13 PM
Hi All, this is more of a dashboard question, but it's regarding wireless. does anyone know of a way to provide access only to the wireless configuration for a particular user? for a particular network, we have MX appliances, switches, and APs. I want to provide admin access to the AP tab to some helpdesk staff but not give them access to everything else. thanks in advance
... View more
08-17-2018
11:27 AM
@PhilipDAth wrote: @ww - actually you are right, that probably does work. You don't get this option if you are using either a template or don't have vlan mode enabled. I guess I have gotten used to disabling ports using the local status page because that works in all modes. I'm only using a single VLAN so i don't even see that option...I only use Meraki devices at small sites that generally don't have use for multiple VLANS
... View more
08-17-2018
11:24 AM
@PhilipDAth wrote: You are correct - you can only disable a LAN port on an MX port via the local status page. You can access the local status page remotely by enabling this functionality. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Controlling_Remote_Access_to_the_Local_Status_Page and just to clarify, the Security Appliance Services are referring to turning on access via the WAN interface, so I would need to add public IPs to that setting and in my browser type the public IP for that MX device. This is not a way to allow access to the LAN interface over a vpn tunnel, which would be more secure, but alas is not available.
... View more
08-17-2018
11:18 AM
@PhilipDAth wrote: You are correct - you can only disable a LAN port on an MX port via the local status page. You can access the local status page remotely by enabling this functionality. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Controlling_Remote_Access_to_the_Local_Status_Page Awesome, thanks!!
... View more
08-17-2018
11:06 AM
the only option I can find to disable a LAN port is via the local interface. I am remote, connecting via a site-to-site tunnel which does not seem to be allowing me to access the local interface. Is there any other method for disabling the LAN interface? Also, there is currently not any devices on the LAN that I could use to access it. but I want to make sure that interface is off so that no one places any devices behind it without my knowledge
... View more
08-16-2018
09:40 AM
so, we are only using 1 internet connection. I added the subnets to the tunnel one at a time. We are now seeing that it has stopped renegotiating constantly and the mismatched SPI errors have gone away. When we run pings between my site and one other site, no errors. if we add traffic to a 3rd site at the same time, we see some packet loss When a 4th site is added, its nearly 100% packet loss. Its looking to me like the MX100 just doesn't have enough resources to handle processing this many routes across a tunnel. very disappointing. This would be only 1 of many ways in which the Meraki MX has proven to not be ready for primetime in anything more than the smallest of environments.
... View more
08-15-2018
04:29 PM
fortigate support was able to confirm that the meraki is the culprit in initiating the phase 2 renegotiations. I have restarted the MX unit with no success, still constant renegotiating.
... View more
08-15-2018
03:21 PM
I am working on a non-meraki tunnel to a Fortigate firewall. It was solid until today when we added a bunch of additional networks to the tunnel config. nothing was changed in the IPSEC configuration, although we verified once again that the configs match exactly. We are seeing on the fortigate that there is an issue with the Phase 2, specifically with a non-match SPI. I will admit i don't know what an SPI is, but its causing issues. The Meraki logs, as is typical, are showing even less information. they are only showing constant phase 2 negotiation with no indication as to why. anyone have any sort of insight into this sort of issue?
... View more
08-09-2018
09:05 AM
All, this is not specifically a Meraki question, but hopefully someone is familiar: we are seeing issues with Windows 10 clients connecting via VPN and attempting to browse the internet via Edge browser. We have some clients configured for split tunneling and some not. for the clients not using split tunneling, they are able to use Internet Explorer to access nearly anything, but Edge doesn't work for a wide variety of sites. Some sites are internal web-based applications, some are just simply websites such as google. But, for every site that doesn't work in Edge, it always works in IE on the same client. Anyone else familiar with this? I've read the following information but it doesn't provide any details or workarounds: https://social.technet.microsoft.com/Forums/en-US/b3a687ae-345d-4c3f-9070-184b33fb1fc6/microsoft-edge-cant-access-vpn-ip-address-but-ie-11-can thanks
... View more
08-02-2018
04:57 PM
@BrandonS wrote: This is working as designed and as it should as far as I can tell. If the firewall rules are for all outbound traffic, your VPN clients are part of that outbound traffic when they route to the internet just like any other client. Yes, true, but the outbound internet traffic is no longer encrypted as part of a tunnel on its way out, which is when it should hit the firewall rules. at that point, the ports that are being blocked should not be involved in the outbound traffic.
... View more
08-02-2018
03:03 PM
All, I ran into an issue with vpn clients not having access to the internet when connected. We are not using the split-tunnel configuration, so internet access was via the MX device. To fix the issue, I found that I needed to disable two outbound firewall rules that I had created to prevent proxy vpn activity from bypassing our content filters. in one rule I denied outbound TCP 1723 and on another rule I denied outbound UPD 500,1701,4500 keeping in mind these are outbound rules and that client vpn connections are created inbound only, it seems to me this would lean towards being a bug-type of situation. I wouldn't expect the firewall rules to apply to inbound vpn traffic until after it has left the tunnel and is actually being sent out to the internet, at which point the vpn protocols are no longer in play. anyone have any thoughts or ideas on this setup?
... View more
07-31-2018
10:16 AM
6 Kudos
I think the point being made here is that Meraki customers are getting tired of discovering very basic functionality that is missing. Something as basic as displaying the source of denied traffic should absolutely be included in any security appliance. This isn't something that should need to be "wished". Tracking down denied traffic is necessary for mitigating possible security issues. a security appliance should include the ability to display this very basic information.
... View more
07-12-2018
12:32 PM
1 Kudo
here is the answer supplied by Meraki Support: In order to advertise the addresses from a Meraki client VPN to the non-Meraki devices, go to Security Appliance > Configure > Site to Site VPN, and then under VPN Settings and then Local Networks, you'll see the IP range there(Currently the range is set to 192.168.55.0/24) and then set Use VPN to "Yes". my issue with the whole thing is how disjointed things are to simply create a vpn tunnel. I have general complaints about the process with Meraki. sometimes it is an improvement to do things differently than others, but in the case of VPN, which is built on a standard, its weird and frustrating that the various pieces necessary for building a tunnel are in different places. Its not built using a straight-foward workflow for the various steps required. Also a complaint, since I'm already ranting: when I created the non-meraki tunnel I added two Meraki sites. this visually appears to be one tunnel with two network ranges. but that's not what's happening under the hood. Its actually building two separate tunnels from each device. That took a lot of time to figure out...and its silly. thus endeth the rant.
... View more
07-11-2018
01:13 PM
All, I have set up a non-meraki vpn tunnel. I cannot figure out how to include the client vpn network range on the tunnel configuration. it only allows me to choose existing meraki networks but there is no option for the client vpn range.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 6 | 8003 | |
| 2 | 13206 | |
| 1 | 4653 | |
| 1 | 5725 | |
| 1 | 39501 |
