- About ZDonaldson
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
ZDonaldson
Getting noticed
Member since Feb 27, 2018
a week ago
Community Record
42
Posts
3
Kudos
0
Solutions
Badges
a week ago
yes, I was able to bring the tunnel down and back up. but when I do that, there is nothing in the logs for this particular tunnel... actually, with the problem I am having, I have to reconnect the tunnel several times to get it to pass traffic. I was hoping for logs that would show me which encryption config it is using when it comes up versus what it is using when it won't pass traffic. but, absolutely nothing is showing in the logs for this tunnel. I have another non-meraki tunnel that is showing event logs just fine. weird
... View more
a week ago
All, I have (2) non-meraki vpn tunnels on a particular MX device. one of the tunnels is showing events in the event log (lots of them), but the other tunnel which is having issues is literally showing nothing. I am using the Client filter and get no results in the Event Logs. I have also manually scanned through the logs both in the dashboard and via download, again no results. Is there a way to turn off/on events for a particular vpn connection?
... View more
08-20-2018
03:16 PM
All, is there a way to to give a particular user access to only one portion of the dashboard? In any particular network we have MX appliances, switches, and wireless APs. I want to provide my helpdesk staff access to the AP settings and config, but not to any of the other tabs on the dashboard.
... View more
08-20-2018
03:13 PM
Hi All, this is more of a dashboard question, but it's regarding wireless. does anyone know of a way to provide access only to the wireless configuration for a particular user? for a particular network, we have MX appliances, switches, and APs. I want to provide admin access to the AP tab to some helpdesk staff but not give them access to everything else. thanks in advance
... View more
08-17-2018
11:27 AM
@PhilipDAth wrote: @ww - actually you are right, that probably does work. You don't get this option if you are using either a template or don't have vlan mode enabled. I guess I have gotten used to disabling ports using the local status page because that works in all modes. I'm only using a single VLAN so i don't even see that option...I only use Meraki devices at small sites that generally don't have use for multiple VLANS
... View more
08-17-2018
11:24 AM
@PhilipDAth wrote: You are correct - you can only disable a LAN port on an MX port via the local status page. You can access the local status page remotely by enabling this functionality. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Controlling_Remote_Access_to_the_Local_Status_Page and just to clarify, the Security Appliance Services are referring to turning on access via the WAN interface, so I would need to add public IPs to that setting and in my browser type the public IP for that MX device. This is not a way to allow access to the LAN interface over a vpn tunnel, which would be more secure, but alas is not available.
... View more
08-17-2018
11:18 AM
@PhilipDAth wrote: You are correct - you can only disable a LAN port on an MX port via the local status page. You can access the local status page remotely by enabling this functionality. https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_Meraki_Device_Local_Status_Page#Controlling_Remote_Access_to_the_Local_Status_Page Awesome, thanks!!
... View more
08-17-2018
11:06 AM
the only option I can find to disable a LAN port is via the local interface. I am remote, connecting via a site-to-site tunnel which does not seem to be allowing me to access the local interface. Is there any other method for disabling the LAN interface? Also, there is currently not any devices on the LAN that I could use to access it. but I want to make sure that interface is off so that no one places any devices behind it without my knowledge
... View more
08-16-2018
09:40 AM
so, we are only using 1 internet connection. I added the subnets to the tunnel one at a time. We are now seeing that it has stopped renegotiating constantly and the mismatched SPI errors have gone away. When we run pings between my site and one other site, no errors. if we add traffic to a 3rd site at the same time, we see some packet loss When a 4th site is added, its nearly 100% packet loss. Its looking to me like the MX100 just doesn't have enough resources to handle processing this many routes across a tunnel. very disappointing. This would be only 1 of many ways in which the Meraki MX has proven to not be ready for primetime in anything more than the smallest of environments.
... View more
08-15-2018
04:29 PM
fortigate support was able to confirm that the meraki is the culprit in initiating the phase 2 renegotiations. I have restarted the MX unit with no success, still constant renegotiating.
... View more
08-15-2018
03:21 PM
I am working on a non-meraki tunnel to a Fortigate firewall. It was solid until today when we added a bunch of additional networks to the tunnel config. nothing was changed in the IPSEC configuration, although we verified once again that the configs match exactly. We are seeing on the fortigate that there is an issue with the Phase 2, specifically with a non-match SPI. I will admit i don't know what an SPI is, but its causing issues. The Meraki logs, as is typical, are showing even less information. they are only showing constant phase 2 negotiation with no indication as to why. anyone have any sort of insight into this sort of issue?
... View more
08-09-2018
09:05 AM
All, this is not specifically a Meraki question, but hopefully someone is familiar: we are seeing issues with Windows 10 clients connecting via VPN and attempting to browse the internet via Edge browser. We have some clients configured for split tunneling and some not. for the clients not using split tunneling, they are able to use Internet Explorer to access nearly anything, but Edge doesn't work for a wide variety of sites. Some sites are internal web-based applications, some are just simply websites such as google. But, for every site that doesn't work in Edge, it always works in IE on the same client. Anyone else familiar with this? I've read the following information but it doesn't provide any details or workarounds: https://social.technet.microsoft.com/Forums/en-US/b3a687ae-345d-4c3f-9070-184b33fb1fc6/microsoft-edge-cant-access-vpn-ip-address-but-ie-11-can thanks
... View more
08-02-2018
04:57 PM
@BrandonS wrote: This is working as designed and as it should as far as I can tell. If the firewall rules are for all outbound traffic, your VPN clients are part of that outbound traffic when they route to the internet just like any other client. Yes, true, but the outbound internet traffic is no longer encrypted as part of a tunnel on its way out, which is when it should hit the firewall rules. at that point, the ports that are being blocked should not be involved in the outbound traffic.
... View more
08-02-2018
03:03 PM
All, I ran into an issue with vpn clients not having access to the internet when connected. We are not using the split-tunnel configuration, so internet access was via the MX device. To fix the issue, I found that I needed to disable two outbound firewall rules that I had created to prevent proxy vpn activity from bypassing our content filters. in one rule I denied outbound TCP 1723 and on another rule I denied outbound UPD 500,1701,4500 keeping in mind these are outbound rules and that client vpn connections are created inbound only, it seems to me this would lean towards being a bug-type of situation. I wouldn't expect the firewall rules to apply to inbound vpn traffic until after it has left the tunnel and is actually being sent out to the internet, at which point the vpn protocols are no longer in play. anyone have any thoughts or ideas on this setup?
... View more
07-31-2018
10:16 AM
I think the point being made here is that Meraki customers are getting tired of discovering very basic functionality that is missing. Something as basic as displaying the source of denied traffic should absolutely be included in any security appliance. This isn't something that should need to be "wished". Tracking down denied traffic is necessary for mitigating possible security issues. a security appliance should include the ability to display this very basic information.
... View more
07-12-2018
12:32 PM
1 Kudo
here is the answer supplied by Meraki Support: In order to advertise the addresses from a Meraki client VPN to the non-Meraki devices, go to Security Appliance > Configure > Site to Site VPN, and then under VPN Settings and then Local Networks, you'll see the IP range there(Currently the range is set to 192.168.55.0/24) and then set Use VPN to "Yes". my issue with the whole thing is how disjointed things are to simply create a vpn tunnel. I have general complaints about the process with Meraki. sometimes it is an improvement to do things differently than others, but in the case of VPN, which is built on a standard, its weird and frustrating that the various pieces necessary for building a tunnel are in different places. Its not built using a straight-foward workflow for the various steps required. Also a complaint, since I'm already ranting: when I created the non-meraki tunnel I added two Meraki sites. this visually appears to be one tunnel with two network ranges. but that's not what's happening under the hood. Its actually building two separate tunnels from each device. That took a lot of time to figure out...and its silly. thus endeth the rant.
... View more
07-11-2018
01:13 PM
All, I have set up a non-meraki vpn tunnel. I cannot figure out how to include the client vpn network range on the tunnel configuration. it only allows me to choose existing meraki networks but there is no option for the client vpn range.
... View more
05-07-2018
02:55 PM
Is it possible to create a content filter policy that is applied to only 1 particular client?
... View more
03-21-2018
01:58 PM
it was a known client that we work with often, otherwise I would have been all over the person who did that (my boss).
... View more
03-21-2018
10:55 AM
so, a visitor to the office used our guest wireless and connected to his network via vpn. His SSL VPN client connected but he couldn't contact any resources on his network. I wouldn't normally worry about this, BUT he jumped over to our internal LAN wireless, connected vpn, and was able to connect to what he needed. i wasn't around to troubleshoot the issue at the time, nor can I reproduce it. Just wondering if anyone has seen this before and if there is some known issue that I can correct.
... View more
03-21-2018
10:49 AM
I just finished the CMNO as well. it was fine, I suppose. It wasn't much in the way of actual training. Also, the lab portion did not at all actually train for the issues that were introduced in the troubleshooting section. I found that it was artificially hard because they created Meraki-specific problems that were never discussed in the "training" portion of the class. It seemed like everyone in the class struggled with the same exercise, because it was related to a problem that only happens with Meraki, not a general network/security problem.
... View more
03-16-2018
08:23 AM
@MerakiDaveThanks for the info. I reached out to my Meraki sales contact, but his response was to use the wish button, so it seems like we aren't all on the same page with this. Also, Since rolling out my MX I have contacted support regarding 5 different functions. they are such obvious and common things that I assumed I was just not finding them in the dashboard. Support responded to all 5 saying that those features/functions didn't exist. So, I'll continue to use the wish button, my sales contact, and these forums just to be thorough.
... View more
03-15-2018
11:47 AM
@Twiles- on another thread I recently learned that a more urgent way to request features is via the sales team. I've sent this idea to him and included a link to this forum thread. I've also recently installed Meraki, coming from both Sophos XG and SonicWALL. I've found Meraki to be very limiting in its feature set thus far compared to those products. on the upside, when I turn things on with Meraki, they just work. Sophos XG had tons of features, but was buggy and caused tons of outages. no more of that with the MX device. I am just frequently left desiring more functionality.
... View more
03-15-2018
10:55 AM
Hey All, on client vpn, is there a way to support only using short hostnames for DNS requests, rather than typing full FQDN? my previous security appliance supported this option.
... View more
03-15-2018
08:14 AM
@MerakiDaveThanks for the explanation. I've been using the Wish button when I find features that are missing when I compare the Meraki MX to other next-gen security products, including "features" that I would consider to be must-haves for any full-featured security product. Are you saying these should be going through the sales team to add more urgency than the wish button might provide? My thinking behind using the community for it was to give some sort of public view as to how many folks are requesting the same things that I am. Or maybe someone suggests something that I wouldn't even think on my own of but sounds great and I could add my own vote for that feature after seeing it posted. Maybe this community isn't the best place for technical reasons, but some sort of public view would be awesome in my opinion.
... View more
Latest Tags
No tags yet
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 260 | |
| 1 | 1174 | |
| 1 | 8601 |
