The Meraki Community
ZDonaldson

Getting noticed

Member since Feb 27, 2018

‎01-29-2021

Sin City

Kudos from
User Count
IgorPodgorny 1
ClaudiuBoar 1
IgTaveras 1
Stv 1
sebas 1

Kudos given to
User Count
BrandonS 1
SoCalRacer 1
PhilipDAth 3
Adam 1
jdsilva 1

Community Record

50 Posts
11 Kudos
0 Solutions

Badges

CMNO
1st Birthday
50 Posts
First 5 Posts
First 10 Kudos
Lift-Off
Latest Contributions by ZDonaldson

Site-to-Site VPN Connection Bouncing Between WAN Interfaces

by ZDonaldson in Security / SD-WAN
01-29-2021 09:18 AM
Hi All, I am seeing a site-to-site VPN connection bounce between WAN interfaces. The reason given is 'wan performance' which makes me think it is seeing network latency and bouncing to the backup WAN interface. I then see reason as 'primary uplink' which would be the performance issue clearing up and the VPN moving back to the primary interface. The problem with this is that the "failover" is happening every minute or so. Also, we are unable to find any actual performance issues on either of our WAN interfaces, both are testing clean with good latency. Is anyone familiar with how I can find more detailed information on why it is bouncing and possibly how to make it less sensitive...maybe make it stick to one WAN interface a bit more? I have thus far been unsuccessful in finding a configurable setting regarding VPN WAN interface failover.

Re: SFTP session disconnecting

by ZDonaldson in Security / SD-WAN
06-05-2019 12:57 PM
Crap, I already have it whitelisted as well but it's still appearing

Re: SFTP session disconnecting

by ZDonaldson in Security / SD-WAN
06-05-2019 11:47 AM
Great call! I found this in the logs: IDS Alert SSH_EVENT_RESPOVERFLOW

Re: SFTP session disconnecting

by ZDonaldson in Security / SD-WAN
06-05-2019 10:42 AM
Yes, I have run a pcap but it doesn't show anything obvious. I've also run a connection locally from a client on the same LAN as the server to eliminate the firewall connect. When I do it this way, I get no disconnection. If I use the same client but connect using the public IP address and back in via the MX unit, disconnect errors. I also have another external business partner connecting remotely and also getting the same disconnect problem. It's looking like the MX unit as the issue

SFTP session disconnecting

by ZDonaldson in Security / SD-WAN
06-05-2019 10:08 AM
All, I've set up a port forwarding rule to allow TCP 22 to a particular server, in order to support an SFTP server. The connection is successfully being made, user logs in, but file transfers disconnect after transferring only a few kb. Error code in the SFTP server is: Winsock error - 10054 which indicates the remote client is disconnecting. Error code in the client indicates something similar, the connection is being interrupted. I've used several different clients and even at one point changed SFTP server software. I'm getting the same results. As such, I've concluded it must be something related to my Meraki MX unit but I don't know where to find logs or what I would even check. Any ideas would be appreciated

Re: Firmware Update to HA unit

by ZDonaldson in Security / SD-WAN
05-20-2019 11:05 AM
So I guess your point is that there is no option to do it this way? If both of my HA units are in the same network and are the same device type, there is no way to specify a specific unit to be updated?

Firmware Update to HA unit

by ZDonaldson in Security / SD-WAN
05-20-2019 10:48 AM
Hey All, probably a simple thing, but I'm not seeing how to do it. I would like to update firmware to my passive HA security appliance, fail over to the update unit, then update the "primary" unit. I can't seem to find a place in the dashboard that only allows me to update one particular appliance. Any ideas?

mr42 lights

by ZDonaldson in Wireless LAN
12-07-2018 04:08 PM
Hi all, I have an MR42 that has previously worked. I tried a factory reset by holding the tiny button in for several seconds. After that, when attempting to boot I get a steady orange light followed by the rotating rainbow lights, then back to steady orange at which point the lights on the ethernet port go dark. Am I dealing with a failure? Any tips on recovering this thing?

Re: non-meraki vpn tunnel not appearing in event logs

by ZDonaldson in Security / SD-WAN
09-14-2018 01:06 PM
Yes, I was able to bring the tunnel down and back up. But when I do that, there is nothing in the logs for this particular tunnel... Actually, with the problem I am having, I have to reconnect the tunnel several times to get it to pass traffic. I was hoping for logs that would show me which encryption config it is using when it comes up versus what it is using when it won't pass traffic. But, absolutely nothing is showing in the logs for this tunnel. I have another non-Meraki tunnel that is showing event logs just fine. Weird

non-meraki vpn tunnel not appearing in event logs

by ZDonaldson in Security / SD-WAN
09-13-2018 01:46 PM
All, I have (2) non-Meraki VPN tunnels on a particular MX device. One of the tunnels is showing events in the event log (lots of them), but the other tunnel which is having issues is literally showing nothing. I am using the Client filter and get no results in the Event Logs. I have also manually scanned through the logs both in the dashboard and via download, again no results. Is there a way to turn off/on events for a particular VPN connection?

user access to only one section of the dashboard

by ZDonaldson in Dashboard & Administration
08-20-2018 03:16 PM
All, is there a way to give a particular user access to only one portion of the dashboard? In any particular network we have MX appliances, switches, and wireless APs. I want to provide my helpdesk staff access to the AP settings and config, but not to any of the other tabs on the dashboard.

Wireless management access

by ZDonaldson in Wireless LAN
08-20-2018 03:13 PM
Hi All, this is more of a dashboard question, but it's regarding wireless. Does anyone know of a way to provide access only to the wireless configuration for a particular user? For a particular network, we have MX appliances, switches, and APs. I want to provide admin access to the AP tab to some helpdesk staff but not give them access to everything else. Thanks in advance

Re: Disable LAN port remotely?

by ZDonaldson in Security / SD-WAN
08-17-2018 11:27 AM
@PhilipDAth wrote: @ww - actually you are right, that probably does work. You don't get this option if you are using either a template or don't have vlan mode enabled. I guess I have gotten used to disabling ports using the local status page because that works in all modes.
I'm only using a single VLAN so I don't even see that option...I only use Meraki devices at small sites that generally don't have use for multiple VLANs

Re: Disable LAN port remotely?

by ZDonaldson in Security / SD-WAN
08-17-2018 11:24 AM
@PhilipDAth wrote: You are correct - you can only disable a LAN port on an MX port via the local status page. You can access the local status page remotely by enabling this functionality. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Controlling_Remote_Access_to_the_Local_Status_Page
And just to clarify, the Security Appliance Services are referring to turning on access via the WAN interface, so I would need to add public IPs to that setting and in my browser type the public IP for that MX device. This is not a way to allow access to the LAN interface over a VPN tunnel, which would be more secure, but alas is not available.

Re: Disable LAN port remotely?

by ZDonaldson in Security / SD-WAN
08-17-2018 11:18 AM
@PhilipDAth wrote: You are correct - you can only disable a LAN port on an MX port via the local status page. You can access the local status page remotely by enabling this functionality. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Controlling_Remote_Access_to_the_Local_Status_Page
Awesome, thanks!!

Disable LAN port remotely?

by ZDonaldson in Security / SD-WAN
08-17-2018 11:06 AM
The only option I can find to disable a LAN port is via the local interface. I am remote, connecting via a site-to-site tunnel which does not seem to be allowing me to access the local interface. Is there any other method for disabling the LAN interface? Also, there are currently not any devices on the LAN that I could use to access it. But I want to make sure that interface is off so that no one places any devices behind it without my knowledge

Re: non-meraki vpn - constant renegotiation

by ZDonaldson in Security / SD-WAN
08-16-2018 09:40 AM
So, we are only using 1 internet connection. I added the subnets to the tunnel one at a time. We are now seeing that it has stopped renegotiating constantly and the mismatched SPI errors have gone away. When we run pings between my site and one other site, no errors. If we add traffic to a 3rd site at the same time, we see some packet loss. When a 4th site is added, it's nearly 100% packet loss. It's looking to me like the MX100 just doesn't have enough resources to handle processing this many routes across a tunnel. Very disappointing. This would be only 1 of many ways in which the Meraki MX has proven to not be ready for primetime in anything more than the smallest of environments.

Re: non-meraki vpn - constant renegotiation

by ZDonaldson in Security / SD-WAN
08-15-2018 04:29 PM
Fortigate support was able to confirm that the Meraki is the culprit in initiating the phase 2 renegotiations. I have restarted the MX unit with no success, still constant renegotiating.

non-meraki vpn - constant renegotiation

by ZDonaldson in Security / SD-WAN
08-15-2018 03:21 PM
I am working on a non-Meraki tunnel to a Fortigate firewall. It was solid until today when we added a bunch of additional networks to the tunnel config. Nothing was changed in the IPSEC configuration, although we verified once again that the configs match exactly. We are seeing on the Fortigate that there is an issue with the Phase 2, specifically with a non-match SPI. I will admit I don't know what an SPI is, but it's causing issues. The Meraki logs, as is typical, are showing even less information. They are only showing constant phase 2 negotiation with no indication as to why. Anyone have any sort of insight into this sort of issue?

VPN with Edge browser issue

by ZDonaldson in Security / SD-WAN
08-09-2018 09:05 AM
All, this is not specifically a Meraki question, but hopefully someone is familiar: we are seeing issues with Windows 10 clients connecting via VPN and attempting to browse the internet via Edge browser. We have some clients configured for split tunneling and some not. For the clients not using split tunneling, they are able to use Internet Explorer to access nearly anything, but Edge doesn't work for a wide variety of sites. Some sites are internal web-based applications, some are just simply websites such as google. But, for every site that doesn't work in Edge, it always works in IE on the same client. Anyone else familiar with this? I've read the following information but it doesn't provide any details or workarounds: https://social.technet.microsoft.com/Forums/en-US/b3a687ae-345d-4c3f-9070-184b33fb1fc6/microsoft-edge-cant-access-vpn-ip-address-but-ie-11-can Thanks

Re: Client VPN - Internet issue

by ZDonaldson in Security / SD-WAN
08-02-2018 04:57 PM
@BrandonS wrote: This is working as designed and as it should as far as I can tell. If the firewall rules are for all outbound traffic, your VPN clients are part of that outbound traffic when they route to the internet just like any other client.
Yes, true, but the outbound internet traffic is no longer encrypted as part of a tunnel on its way out, which is when it should hit the firewall rules. At that point, the ports that are being blocked should not be involved in the outbound traffic.

Client VPN - Internet issue

by ZDonaldson in Security / SD-WAN
08-02-2018 03:03 PM
All, I ran into an issue with VPN clients not having access to the internet when connected. We are not using the split-tunnel configuration, so internet access was via the MX device. To fix the issue, I found that I needed to disable two outbound firewall rules that I had created to prevent proxy VPN activity from bypassing our content filters. In one rule I denied outbound TCP 1723 and on another rule I denied outbound UDP 500,1701,4500. Keeping in mind these are outbound rules and that client VPN connections are created inbound only, it seems to me this would lean towards being a bug-type of situation. I wouldn't expect the firewall rules to apply to inbound VPN traffic until after it has left the tunnel and is actually being sent out to the internet, at which point the VPN protocols are no longer in play. Anyone have any thoughts or ideas on this setup?

Re: How to find out what is hitting a deny rulle on the MX

by ZDonaldson in Security / SD-WAN
07-31-2018 10:16 AM
6 Kudos
I think the point being made here is that Meraki customers are getting tired of discovering very basic functionality that is missing. Something as basic as displaying the source of denied traffic should absolutely be included in any security appliance. This isn't something that should need to be "wished". Tracking down denied traffic is necessary for mitigating possible security issues. A security appliance should include the ability to display this very basic information.

Re: non-meraki vpn, include client vpn

by ZDonaldson in Security / SD-WAN
07-12-2018 12:32 PM
1 Kudo
Here is the answer supplied by Meraki Support:
In order to advertise the addresses from a Meraki client VPN to the non-Meraki devices, go to Security Appliance > Configure > Site to Site VPN, and then under VPN Settings and then Local Networks, you'll see the IP range there (Currently the range is set to 192.168.55.0/24) and then set Use VPN to "Yes".
My issue with the whole thing is how disjointed things are to simply create a VPN tunnel. I have general complaints about the process with Meraki. Sometimes it is an improvement to do things differently than others, but in the case of VPN, which is built on a standard, it's weird and frustrating that the various pieces necessary for building a tunnel are in different places. It's not built using a straightforward workflow for the various steps required. Also a complaint, since I'm already ranting: when I created the non-Meraki tunnel I added two Meraki sites. This visually appears to be one tunnel with two network ranges. But that's not what's happening under the hood. It's actually building two separate tunnels from each device. That took a lot of time to figure out...and it's silly. Thus endeth the rant.

non-meraki vpn, include client vpn

by ZDonaldson in Security / SD-WAN
07-11-2018 01:13 PM
All, I have set up a non-Meraki VPN tunnel. I cannot figure out how to include the client VPN network range on the tunnel configuration. It only allows me to choose existing Meraki networks but there is no option for the client VPN range.

My Top Kudoed Posts

Re: How to find out what is hitting a deny rulle on the MX (Security / SD-WAN): 6 Kudos, 8003 Views
Re: Blocking VPN outbound/ IPVanish (Security / SD-WAN): 2 Kudos, 13206 Views
Re: non-meraki vpn, include client vpn (Security / SD-WAN): 1 Kudo, 4653 Views
Re: web usage report (Security / SD-WAN): 1 Kudo, 5725 Views
Re: Meraki Certifications (Off the Stack): 1 Kudo, 39501 Views

© 2023 Meraki