Agreed that the Z3 will not assign the same IP to a different mac address. But if the android device could use the IP it like even if it's duplicated with others.  You cannot block a device to connect to an SSID. The block policy only applied after it connected. If you select those issue is created by the same device with the same Mac address. You may assign a fixed IP to it then assign the block policy. But if the device doesn't take DHCP and insist to user its' own static IP. You would need to find the device and correct the settings. ... View more

Client VPN IP assignment is not using DHCP. So it cannot reserve the IP address  ... View more

Welcome to the Meraki community!  ... View more

If the ICMP ping is bidirectional that would proof at least the routing is ok. I would suggest you check the firewall rules on meraki site to site VPN, AWS and the server end to check if there is any rules might block the traffic. You may take a packet capture on the VMX end and filter out DNS to check if the respond DNS has forwarded to VMX or not to narrow down ... View more

The URL  www.msftconnecttest.com/redirect redirects to the MSN website. So it most likely it's the default website of the browser like Edge.  In the Access Control page for the SSID, there would be a setting "Captive portal strength". You may set it to 'Block all access until sign-on is complete' and it may help to force the device to open the splash page ... View more

1. Do these rules work differently with a Z3 vs a Z1?     There is no difference. Z3 and Z1 would work the same  2. Do they apply to traffic between hosts on the LAN ports?     Only if you have firewall rules configured. As you check there is no additional firewall configured.   I reckon you may take a packet capture via the dashboard Network-wide-->packet capture page. You may select the LAN interface and check the output if MX did forward the packet out while you testing the route. Or you may open a support case and call in for live troubleshooting ... View more