Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About ZDonaldson
ZDonaldson
Getting noticed
Member since Feb 27, 2018
Jun 5 2024
Sin City
Community Record
57
Posts
12
Kudos
0
Solutions
Badges
Jun 3 2024
9:19 AM
Hey All, I have a non-Meraki VPN tunnel to a Sophos device. The tunnel is being disconnected periodically and not reconnecting. The logs on the Sophos unit indicate that the Meraki side is terminating the tunnel. What settings should I be looking at to ensure this tunnel stays up all the time?
... View more
Labels:
- Labels:
-
3rd Party VPN
-
Firewall
Sep 18 2023
11:41 AM
I have been struggling for months with this one: We have (2) internet connections. Our primary internet connection disconnects every other monday between 11:24 am and 11:30 am. It is acting as if it is on a regular schedule of some sort. The internet is fiber with an ethernet handoff from the provider. I am splitting the connection between our primary and hot spare MX units with an 8-port switch. I am doing the same with our back up internet on a separate small switch. I've swapped the small switches to ensure they aren't the issue, the problem stays with the primary internet connection. Cables have been changed. A ticket with the ISP was opened, they found nothing. The dashboard log shows this: Appliance status Primary uplink status change uplink: 0 I haven't been able to confirm with support if this event means the interface has lost physical link or if one of the internet connectivity tests has failed which is failing over the internet. I am guessing its a physical link loss because it fails back over to the primary almost immediately. I'm at my wits end on this so I will take all ideas.
... View more
Feb 8 2023
3:13 PM
crap, this raises a problem. The static IP they are going to assign will probably be a public IP, which means it won't be in the same subnet as the WAN interfaces...
... View more
Feb 8 2023
7:24 AM
One kinda strange thing I noticed: the IP addresses assigned to the interfaces on both appliances are in the 192.168.1.X range. This is via DHCP from the 5G device. I've changed the virtual IP to be on the same range. But when I look at the appliance status page, I see a status of failed and the interface is displaying this IP address: 172.58.75.152 its not stopping outbound traffic from working, but I'm not sure where that address is coming from.
... View more
Feb 8 2023
7:21 AM
I was able to use the ping test tool and specify the interface, and traffic out is working great. The status still says failed, but that may be due to the fact that I don't have the static IP assigned from the ISP yet, so the virtual IP is temporarily an address on a different subnet.
... View more
Feb 7 2023
10:57 AM
correct, the virtual IP will need to be a static IP address which I am able to obtain. I don't have that static IP assigned yet, so I'm just testing out the individual WAN ports to ensure they are getting addresses, and they do. But the status says failed which tells me they can't get out to the dashboard. I was kind of assuming this would work even without that virtual IP configured.
... View more
Feb 7 2023
10:48 AM
We have 2 MX units in warm spare configuration. For our backup internet connection, I'm trying to utilize a new 5G internet device from T-mobile. They will only assign 1 static IP per device. I was hoping the WAN interfaces would be able to accept DHCP addresses and the static could be assigned to the virtual interface. I am testing now, I verified that the DHCP addresses assigned to the WAN ports on each device are private IP ranges: 192.168.1.X and the status says "failed". Has anyone been able to make this sort of setup work, or does this ONLY work with 3 static public ip addresses.
... View more
Jan 29 2021
9:18 AM
Hi All, I am seeing a site-to-site vpn connection bounce between wan interfaces. The reason given is 'wan performance' which makes me think it is seeing network latency and bouncing to the backup wan interface. I then see reason as 'primary uplink' which would be the performance issue clearing up and the vpn moving back to the primary interface. The problem with this is that the "failover" is happening every minute or so. Also, we are unable to find any actual performance issues on either of our WAN interfaces, both are testing clean with good latency. Is anyone familiar with how I can find more detailed information on why it is bouncing and possibly how to make it less sensitive...maybe make it stick to one WAN interface a bit more? I have thus far been unsuccessful in finding a configurable setting regarding VPN WAN interface failover.
... View more
Jun 5 2019
12:57 PM
crap, i already have it whitelisted as well but it's still appearing
... View more
Jun 5 2019
11:47 AM
great call! I found this in the logs: IDS Alert SSH_EVENT_RESPOVERFLOW
... View more
Jun 5 2019
10:42 AM
yes, I have run a pcap but it doesn't show anything obvious. I've also run a connection locally from a client on the same LAN as the server to eliminate the firewall connect. When I do it this way, I get no disconnection. If I use the same client but connect using the public IP address and back in via the MX unit, disconnect errors. I also have another external business partner connecting remotely and also getting the same disconnect problem. Its looking like the MX unit as the issue
... View more
Jun 5 2019
10:08 AM
All, I've set up a port forwarding rule to allow TCP 22 to a particular server, in order to support an SFTP server. The connection is successfully being made, user logs in, but file transfers disconnect after transferring only a few kb. Error code in the sftp server is: Winsock error - 10054 which indicates the remote client is disconnecting. Error code in the client indicates something similiar, the connection is being interrupted. I've used several different clients and even at one point changed SFTP server software. I'm getting the same results. As such, I've concluded it must be something related to my Meraki MX unit but I don't know where to find logs or what I would even check. Any ideas would be appreciated
... View more
May 20 2019
11:05 AM
So I guess your point is that there is no option to do it this way? if both of my HA units are in the same network and are the same device type, there is no way to specify a specific unit to be updated?
... View more
May 20 2019
10:48 AM
Hey All, probably a simple thing, but I'm not seeing how to do it. I would like to update firmware to my passive HA security appliance, fail over to the update unit, then update the "primary" unit. I can't seem to find a place in the dashboard that only allows me to update one particular appliance. Any ideas?
... View more
Dec 7 2018
4:08 PM
hi all, I have an mr42 that has previously worked. I tried a factory reset by holding the tiny button in for several seconds. after that, when attempting to boot I get a steady orange light followed by the rotating rainbow lights, then back to steady orange at which point the lights on the ethernet port go dark. am I dealing with a failure? any tips on recovering this thing?
... View more
Sep 14 2018
1:06 PM
yes, I was able to bring the tunnel down and back up. but when I do that, there is nothing in the logs for this particular tunnel... actually, with the problem I am having, I have to reconnect the tunnel several times to get it to pass traffic. I was hoping for logs that would show me which encryption config it is using when it comes up versus what it is using when it won't pass traffic. but, absolutely nothing is showing in the logs for this tunnel. I have another non-meraki tunnel that is showing event logs just fine. weird
... View more
Sep 13 2018
1:46 PM
All, I have (2) non-meraki vpn tunnels on a particular MX device. one of the tunnels is showing events in the event log (lots of them), but the other tunnel which is having issues is literally showing nothing. I am using the Client filter and get no results in the Event Logs. I have also manually scanned through the logs both in the dashboard and via download, again no results. Is there a way to turn off/on events for a particular vpn connection?
... View more
Aug 20 2018
3:16 PM
All, is there a way to to give a particular user access to only one portion of the dashboard? In any particular network we have MX appliances, switches, and wireless APs. I want to provide my helpdesk staff access to the AP settings and config, but not to any of the other tabs on the dashboard.
... View more
Aug 20 2018
3:13 PM
Hi All, this is more of a dashboard question, but it's regarding wireless. does anyone know of a way to provide access only to the wireless configuration for a particular user? for a particular network, we have MX appliances, switches, and APs. I want to provide admin access to the AP tab to some helpdesk staff but not give them access to everything else. thanks in advance
... View more
Aug 17 2018
11:27 AM
@PhilipDAth wrote: @ww - actually you are right, that probably does work. You don't get this option if you are using either a template or don't have vlan mode enabled. I guess I have gotten used to disabling ports using the local status page because that works in all modes. I'm only using a single VLAN so i don't even see that option...I only use Meraki devices at small sites that generally don't have use for multiple VLANS
... View more
Aug 17 2018
11:24 AM
@PhilipDAth wrote: You are correct - you can only disable a LAN port on an MX port via the local status page. You can access the local status page remotely by enabling this functionality. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Controlling_Remote_Access_to_the_Local_Status_Page and just to clarify, the Security Appliance Services are referring to turning on access via the WAN interface, so I would need to add public IPs to that setting and in my browser type the public IP for that MX device. This is not a way to allow access to the LAN interface over a vpn tunnel, which would be more secure, but alas is not available.
... View more
Aug 17 2018
11:18 AM
@PhilipDAth wrote: You are correct - you can only disable a LAN port on an MX port via the local status page. You can access the local status page remotely by enabling this functionality. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Controlling_Remote_Access_to_the_Local_Status_Page Awesome, thanks!!
... View more
Aug 17 2018
11:06 AM
the only option I can find to disable a LAN port is via the local interface. I am remote, connecting via a site-to-site tunnel which does not seem to be allowing me to access the local interface. Is there any other method for disabling the LAN interface? Also, there is currently not any devices on the LAN that I could use to access it. but I want to make sure that interface is off so that no one places any devices behind it without my knowledge
... View more
Aug 16 2018
9:40 AM
so, we are only using 1 internet connection. I added the subnets to the tunnel one at a time. We are now seeing that it has stopped renegotiating constantly and the mismatched SPI errors have gone away. When we run pings between my site and one other site, no errors. if we add traffic to a 3rd site at the same time, we see some packet loss When a 4th site is added, its nearly 100% packet loss. Its looking to me like the MX100 just doesn't have enough resources to handle processing this many routes across a tunnel. very disappointing. This would be only 1 of many ways in which the Meraki MX has proven to not be ready for primetime in anything more than the smallest of environments.
... View more
Aug 15 2018
4:29 PM
fortigate support was able to confirm that the meraki is the culprit in initiating the phase 2 renegotiations. I have restarted the MX unit with no success, still constant renegotiating.
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 7 | 11643 | |
| 2 | 18970 | |
| 1 | 6538 | |
| 1 | 7957 | |
| 1 | 50796 |
© 2024 Cisco Systems, Inc.
