Community Record: 57 Posts, 12 Kudos, 0 Solutions
Jun 3 2024
6:29 PM
2 Kudos
I'm not sure of the expected behaviour on the Meraki side but I know having implemented IP-SEC tunnels between Azure and Sophos, the tunnel will drop when there's no traffic going across it for a period of time. The tunnel is rebuilt as soon as packets need to cross it. Sophos XG to Azure VPN drops randomly - Discussions - Sophos Firewall - Sophos Community
Sep 18 2023
1:23 PM
I also doubt this is an MX issue ... But let's try and break the problem down further. Perhaps next Monday, can you plug the MX circuit directly into the primary MX (this will obviously mean your warm spare is not working). This will bypass your switch, and a couple of connections. If the issue still happens, you know it is directly related to the ISP and primary MX (since everything else was not plugged in). Does the uplink graph in the dashboard show any big traffic flows at this time (perhaps someone is doing a big upload/download). This is the list of things monitored on the uplink: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failover#Failover_Connectivity_Tests Ask Meraki support to confirm which event is causing the failover. Perhaps it is the link going down. Perhaps the link is staying up, but the tests are failing.
Aug 11 2023
3:57 AM
Did you ever resolve this? I have the exact same issue. Non-Meraki VPN to Azure is down but absolutely nothing in the event logs
Aug 23 2021
8:08 AM
That is a good rule, but remember that if a machine has a proxy avoidance app like Psiphon then that rule will not work. The VPN app like this one hides the port traffic from the firewall because it cannot fully inspect traffic in the SSL/HTTPS channel. Thanks, Barry O
Mar 22 2021
9:14 AM
Hello, In the same situation here; * I can specify the DNS-servers for the VPN-adapter (Meraki VPN) which would overwrite the default DNS-server specified in Meraki (such as Google) to resolve FQDN however resolving shortnames such as "mycomputer" as opposed to "mycomputer.ad.mydomain.com" fails since you can't append DNS-suffixes since it is greyed out. You can specify a WINS-server in the VPN-settings; https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Resolving_NetBIOS_names_over_Client_VPN however I fail to see how that would solve that the client knows which domain to append to the shortname i.e. to append "ad.mydomain.com" to "computer1"? Unless it's inferred when specifying a WINS-server (i.e. use the domain that the WINS-server belongs to)?
Jun 5 2019
1:03 PM
In my experience whitelisting these ID events doesn't work very well or quickly. Your best bet is to start by changing the ruleset to balanced instead of security. The next option is to change the mode to detection. Then it pinpoints which part of ID is detecting/causing it. The other thing you might check is AMP settings. Also if you can provide the SNORT link to the vulnerability it is detecting
May 20 2019
11:14 AM
5 Kudos
https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/Best_Practices_for_Meraki_Firmware

Appliance Network with Two MXs in an HA Configuration

When MX appliances are configured to operate in High Availability (HA) (either in NAT/routed mode or when operating as one-armed VPN concentrators), the dashboard will automatically take steps to minimize downtime when upgrades are performed to ensure a zero-downtime MX upgrade. This is achieved through the following automated process:

1. The Primary MX downloads firmware
2. The Primary MX stops advertising VRRP
3. The Secondary MX becomes master
4. The Primary MX reboots
5. The Primary MX comes online again
6. The Primary MX starts advertising VRRP again
7. The Primary MX becomes Master Again
8. The Secondary MX downloads firmware (approximately 15 minutes after the original upgrade is scheduled)
9. The Secondary MX stops advertising VRRP
10. The Secondary MX reboots and comes back online
May 14 2019
11:15 AM
You just need to add the Private Subnet for the Client VPN on the: - Organization-wide settings - Options in this section apply to all VPN peers in this organization. - Non-Meraki VPN peers add there that Client VPN subnet and all the VPN Client Traffic will be allowed to see the other end of the tunnel.
Oct 25 2018
5:55 AM
@BradB I recently completed the CMNO. I'd like to see a training course based around each set of Monitor and Configure tools (Network-wide, Teleworker gateway), each one its own couple hour to half day class that goes much more in depth on each and the capabilities. Feels like having a hands-on course would really help with the "How to's" with Meraki. Also since there can be different levels of administrators, a course aimed at usage in that role?
Aug 26 2018
12:27 AM
Hey @ZDonaldson, I'm with @jdsilva on this one. I think in your case you would be better off having the WiFi network separate from the rest (you can do a Split network by selecting your combined in the Organization > Overview page) and you can then assign Administrative rights for the relevant accounts to just that network. Let us know if this works for you. 🙂 Giacomo
Aug 21 2018
6:25 AM
1 Kudo
If it is a particularly strict need, you could clone the existing network and just put the devices you want in one of the networks and grant them access to that network. Although this isn't particularly ideal unless you have to accomplish that. Solely a workaround. Otherwise, as @PhilipDAth said, permissions aren't that granular.
Aug 17 2018
11:27 AM
@PhilipDAth wrote: @ww - actually you are right, that probably does work. You don't get this option if you are using either a template or don't have vlan mode enabled. I guess I have gotten used to disabling ports using the local status page because that works in all modes. I'm only using a single VLAN so I don't even see that option...I only use Meraki devices at small sites that generally don't have use for multiple VLANs
Aug 1 2018
8:09 AM
2 Kudos
Hey @ZDonaldson, Thank you for your valuable feedback and I'm sorry to hear you are not very happy with the lack of some functionality. Meraki tends to be a very customer-centric company and that's why we normally try and encourage people to make the requests via the Make a Wish button. These get actually read and prioritised based on the amount of people that are requesting them. I know finding a feature you deem basic missing can be very frustrating, but we have various types of different industries using our products and also a number of people that are not technical but still have to manage a network; some customers are not really interested at all in going "in depth" on who is doing what in their network and what we see as crucial is different for them. On a personal level, being a bit of a security control freak, I tend to agree with you and say that seeing who's being blocked is quite crucial to ensure the appropriate conversations are had with the abusing people. I perceive we have made some progress in this regard with the Security centre, which gives details on what is going on when there are security breaches and malware issues. This feature could be expanded to cover firewall rules as well, but the only way to get this on the radar is to flag a need for it. I think the best way to interact with Meraki is don't get frustrated, but make your voice heard as we definitely listen 🙂 Thanks! Giacomo
Apr 2 2018
3:03 PM
1 Kudo
@CarolineS Much better! Thank you and your gnomes (or are they astronauts!?) for the update!