Meraki

Crocker · ‎Oct 18 2024

From what I can remember (and from what I posted) this was fixed in MX 18.205. There were no additional error messages to check for, I tracked it down by running a constant ping to something at an affected site and matching up packet drops with the DHCPv6 renewal logs showing up in the eventlog.

Crocker · ‎Oct 7 2024

The closest you can get is by going to Network-Wide -> Clients. Set the search filter from All to All Clients with a Policy. Then you can Download As either CSV or XML.

Crocker · ‎Sep 20 2024

If the only thing you're interested in is basic 802.1X/Radius (and you're a Microsoft shop), you could also look at Microsoft's Network Policy Server (NPS). We had it available as part of our Microsoft contracting, and it was a breeze to set up and configure. For HA, we just set up 2 NPS servers and mirrored policy configurations between them, then pointed our Meraki stuff at both of them. ISE only for Radius is major overkill, IMO. Now, if you're looking to move into a more zero-trust security approach and have the budget/time to fully build out/utilize ISE's full suite of features, it's hands-down one of the better options. But just for radius? That's pulling a wagon with a semi.

Crocker · ‎Sep 20 2024

Yes, I don't have a % failure rate, but API calls are not dependable at the moment. I also completely lost access to the dashboard itself in the past 10 minutes or so, it now times out when I try to even pull it up.

Crocker · ‎Sep 20 2024

Appears to be possibly affecting API calls, too EDIT: Appears to be heavily intermittent. I do have several MX's showing offline in the dashboard, but can confirm I can reach the 'offline' devices over the VPN. @Meraki hasn't learned not to make changes on Fridays, apparently

Crocker · ‎Sep 19 2024

Seconding BGP between the concentrators and your core(s)! We have a very similar setup - 2 DC's each with 2 hubs (each hub on a different ISP), DC's connected via dark fiber, with ~200 spoke sites participating in the AutoVPN. All the spokes are full-tunnel AutoVPN. We have BGP stood up between the concentrators and the core L3 switches at both DC's, with the core L3 switches advertising their local supernet into the AutoVPN and receiving routes to the spokes from the AutoVPN. The BGP routes are redistributed into EIGRP, and the core L3 switch at both DC's share routes with eachother via EIGRP. We control/massage load by adjusting the hub priority on a per-site basis to spread the love between both datacenters (and between the concentrators/ISP's at those datacenters). Prior to standing up BGP between the concentrators and the core switches, we were using OSFP and the 'local networks' to advertise the DC supernets into the AutoVPN. However, in this setup, if we lost one or both of the concentrators at one DC, the routes through that VPN concentrator never dropped out of AutoVPN and caused a black-hole situation. This may have been a configuration issue on our side, not sure. One gotcha I remember having to chase up was getting Meraki support to stop the hubs from routing between eachother over the AutoVPN (instead of dumping traffic to the L3 core and letting it route across the dark fiber).

Crocker · ‎Sep 19 2024

When can we expect the postmortem on this? What steps will be taken to try to ensure this doesn't happen again?

Crocker · ‎Sep 18 2024

Throwing in a +1 here. We were fine until around 10:00 AM Central Time, then everything broke/blipped. Luckily enough, we had one of four VPN concentrators running 18.107.X due to an issue with SSID tunneling on MX 18.2, so it picked up the load until we could reboot its buddies which are all on MX18.2.11.2

Crocker · ‎Sep 13 2024

You cannot 😞 If you want any sort of proper reporting on usage, you'll need to stand up a product to process Netflow from your devices.

Crocker · ‎Sep 10 2024

Looking for options to replace an existing L3 Catalyst 2960. Topology is something like: Internet <-> Core network <-> L3 Catalyst (acting as a router for a handful of 'facility' VLANs) <-> L2 Switches <-> Endpoints Everywhere I've deployed an MX has been a spoke facility connecting via the AutoVPN over the internet, so onboarding is pretty easy. Get the MX online, define the VLANs, enable Site-to-Site VPN, and you're off to the races. In this topology, the 'spoke' MX would be on the left-hand side of 'Internet'. Now, I've got a facility that's direct-connected to our network core via and under-the-street fiber connection, they do not have an internet connection. We have static routes on the core switch pointing at the L3 Catalyst to get traffic to the branch, and vice-versa on the L3 catalyst to get traffic to the core. Works great. To swap in an MX, though...Most of the topologies I've seen seem to assume the MX will be a spoke of the AutoVPN, not a direct connection to a network core. Any recommendations on this? Is it as simple as swapping the MX in, pointing my core static routes to whatever IP I give the WAN1 interface to get traffic to the facility VLANs, and adding a GWLR static route to my MX telling it to send everything to my core switch?

Crocker · ‎Aug 27 2024

This is *probably* way over-simplifying things, but we ended up with a similar situation at a couple sites. The way we handled it was using two unused VLANs to stretch the ISP connection from building A to building B, and vice-versa. Talked to the provider(s) to have them widen the subnet a smidge to handle 2 active devices, set IP's on WAN2 on both devices. So, we have ISP auto-failover for both buildings, but not warm/spare in the event we lose one of the MX's; The idea being that one of our regional spares could be easily swapped with the 'dead' MX if/when needed.

Crocker · ‎Aug 22 2024

Seems unlikely, but any chance your organization has more than 1000 networks? I know the Get Organization Networks API call defaults to a perpage value of 1000 if not otherwise specified. You can adjust the perpage value up to 10,000, if this happens to be the case. I don't see a similar limit documented for the other two API calls you mentioned. Recently ran into something similar with the Get Organization Devices API call, except that one doesn't let you request more than 1000 and instead makes you learn pagination (bleh).

Crocker · ‎Aug 22 2024

I asked via my ticket, but I got a pretty general answer. Not a direct quote: Engineering implemented some back-end changes which inadvertently irritated SAML. The changes were backed out, which resolved the problem.

Crocker · ‎Aug 15 2024

Ditto, seems to be working for my folks as well.

Crocker · ‎Aug 15 2024

Spent ~30 minutes on the call while the rep looked into the problem. Had to bail due to a meeting. No progress made thus far.

Crocker · ‎Aug 15 2024

Glad it's not just me. On the line with Support about it now, will post what we find out. Note: We're on N426, incase this is a node specific issue.

Crocker · ‎Aug 15 2024

Anyone else bumping into this today?

Crocker · ‎Jul 1 2024

Do you happen to have a bunch of Site-To-Site VPN Firewall rules? Or a small # of rules with a huge # of associated subnets/hosts? We tried using Z3's in our network, and they worked pretty well for a year or two until we started building out VPN firewall rules. After some point, some critical mass, it was apparently too much for the Z3's to handle and they became very unstable after VPN connectivity blipped for any reason.

Crocker · ‎Jun 7 2024

Seconding this. Put 0 faith in whatever it is Meraki is telling you is on your network, and absolutely do not use this information for anything related to security or auditing. I have 3 Nintendo XBox 360s on my network that can attest to this 🙂 Went digging through the Knowledgebase to see if this is explicitly called out anywhere that the client 'device types' are just semi-informed guesses. Closest thing I was able to find for reference is the following: Applying Policies by Device Type - Cisco Meraki Documentation

Crocker · ‎May 22 2024

Not much useful coming out of a packet capture. All I see are probes, no actual attempt to connect. Bummer.

Crocker · ‎May 21 2024

Same problem here. Coworkers also reporting the problem.

Crocker · ‎May 21 2024

Yeah, totally blank there too - no further attempts after the couple tries. I agree, probably some device-side thing...just I'm not aware of any mechanism for that in Windows. Hoped casting a net on the forums might fish up some clues.

Crocker · ‎May 21 2024

Hopefully this is a simple enough thing and I'm just missing something obvious. We have an SSID that requires a valid, domain-issued computer certificate to authenticate to. Occasionally, GP fails and doesn't properly configure the 'Network' in windows (y'know, like it doesn't set the security type to 802.1X, doesn't set the auth method to EAP-TLS, that sorta thing). Fixing this via a group policy update is pretty quick and simple; However, in the few instances this issue has cropped up, I only see a handful of failed authentication attempts and then radio silence regarding whichever client is acting up. So, I'll see client JohnPublicPC fail 802.1X a couple times and then nothing else at all. Like either Windows isn't even attempting to join the SSID, or the AP is straight-up refusing to even listen to the attempt. Hopefully this makes sense... Anyways, this 'lock out' seems to clear up within an hour or two and (assuming we've fixed the 'network' settings for the SSID in windows) everything works fine from that point forward.

Crocker · ‎Mar 14 2024

Culprit identified! Those date format strings are sneaky, would be lying if I said I'd never done that exact same thing.

Crocker · ‎Mar 14 2024

Noticed this when looking at an older thread a few minutes ago. Went back through my own post history, and sure enough! I've got something from April 116th, 2022! Pretty funny, minor bug

About Crocker

Crocker

Community Record

Badges