Meraki

RWelch

Meraki Licensing FAQs as of 8/7/24 (documentation doesn't reflect any changes). Perhaps it's forthcoming?

AYEN

Hi @CarolineS , Yes, I going to update these concerns once I got more information.

kYutobi

CONGRATS to everyone participating. Meraki is winning. 💚

SeanW

Small update on this issue. FW 18.211.4 was stable and did not have the reboot issue. I've updated the MX to 19.1.6 and so far the issue hasn't returned.

from_afar

Thanks. I have and had that exempted as well (I haven't made any changes there in weeks) but something was still blocking it. I searched for the domain in the Reporting > Core reports > Activity Search and it always showed as "allowed" not blocked nor selectively proxied. This is what confuses me the most; it seems to consistently not report in Activity Search what is actually happening to the clients. Not sure why, but that has been the case multiple times.

Brash

There's a few ways I can think of (potentially license dependent). 1. You can configure the clients to point to the MX for DNS resolution. You can then point your MX to the Umbrella Virtual Appliance as its resolver. The downside of this is the VA will log that all requests come from your MX rather than individual clients 2. You can integrate the Meraki MX directly with Umbrella. This allows the MX to send internal domain lookups to your internal resolver, and public domain lookups to Umbrella. Manually Integrating Cisco Umbrella with Meraki Networks - Cisco Meraki Documentation 3. More of a hack job method, but if there's specific domains you want the MX to have resolution for to allow your rules to work, you can setup one computer to periodically send DNS requests for those domains out to an Internet based resolver so the MX can observe those lookups.

JessIT1

Update from Meraki support Your concern is valid, and the situation calls for a clear understanding of how to interpret and handle these logs. If you're seeing an "AnyConnect VPN connection established" log entry for a known malicious IP, it can indeed be alarming, even if no credentials were used or access was gained. The "connection established" log might only indicate that the malicious actor initiated a VPN handshake, not that they successfully authenticated. The actor would need valid credentials (username and password or certificate) to fully establish a session and access resources. Also some systems log the handshake as "established" regardless of authentication success. If this IP is flagged for malicious activities like HTTP scanning and SSH brute force, it suggests automated probing or attacks. The IP scanning your public-facing WAN is attempting to connect via AnyConnect but may not have succeeded beyond the initial handshake. So meaning A "connection established" log entry typically indicates that a TCP or UDP handshake occurred. This doesn't necessarily mean a user authenticated or gained access to sensitive resources—it might simply mean that a connection attempt was technically successful. False positives can occur in systems that have broad detection rules or rely on incomplete data to flag activities. For example: IDS/IPS or firewall logs might show traffic that matches suspicious patterns but isn't actually malicious. An endpoint or system might flag a benign but unusual behavior as rogue.

TEAM-ind

I had the same experience. I had country mismatch on two new APs. I looked at the documentation on how to resolve, and before taking any action I opened a case to verify what, if anything needed to be done. This was going into a holiday weekend and before I could have a discussion with support, the issue resolved itself without taking any action.

BlakeRichardson

If you use a print server your clients communicate with the print server and not the printers directly. The print server passes any jobs onto the appropriate printer, this is a much more secure option and like @Brash this is what I use.

Kyote

Sorry to revive this thread, but I'm wondering if anyone was able to successfully deploy this through jamf? I have it working with our Windows device (through Intune) currently.

PhilipDAth

Try checking the upstream firewall to see if anything is reported as being blocked.

RaphaelL

This is one of the lowest priority case between all our active cases (20-30). They will get there , but geting concrete answers has been a hard task lately.

jimmyt234

I have always found the packet capture a bit flakey, sometimes just not showing any packets at all and then you refresh/come back 5 minutes later and it works!

Carole

Accepted Solution.

BlakeRichardson

If you can acquire the correct hardware and have the time and patience to work this out yourself it would be a nice challenge. If you don't have the time I would suggest consulting a professional preferably someone that has offices in both locations.

Inderdeep

congratulations all Top shots .. we done @PaulF

BlakeRichardson

Thanks everyone, using VLANs instead of subnet CIDR did the trick after waiting 20 odd mins. L3 interfaces are setup on the MX and I was pinging devices on the subnets not the L3 interfaces.

CarolineS

@CloudStrife we decided to leave as-is (orange) since it seems that folks have gotten used to it.

SahandC

The Umbrella > Network Tunnels page should only be referenced for IPsec connectivity today. The Secure Connect-[DC location] tunnels you see on the page are not indicative of any AutoVPN tunnels. For AutoVPN tunnel status, please leverage the Meraki dashboard pages: Organization > VPN Status (select network) > Security & SD-WAN > VPN Status We're planning on consolidating both configuration and visibility of Meraki SD-WAN, Catalyst SD-WAN & IPsec implementations into the Meraki dashboard relatively soon. Please reach out to your Cisco reps if you'd like more information.

Frank-NL

Hi I totally understand, and I appreciate these SVG very much, they are great and I have been using them in Visio (just kind of convert them manually from images). Keep up the good work 🙏 Kind regards, Frank

Atkguru

Oh, Just found it. tried to check site-to-site vpn settings and couldn't find it but it was so low at the bottom of the page that I didn't scroll enough. This makes it much easier. 👍

double_virgule

We set up a webhook into Teams to notify of the VPN tunnel going down and immediately had to shut it off as we were getting constantly pinged. I'm glad they're on top of it enough that they CAN show us the second-by-second up and down, but being able to tune that up and say "only notify if down for x number of seconds" would be VERY helpful.

NotKnown

i already put them there. that why i am a little confused why it doesnt work. For now i will it like this, and will try some things this evening so i do bother the users atm. Still, why isnt there any logging or something in the security center then.

Brash

If you've tried factory resetting the MX (link for reference below) and still cannot access the local device page via LAN ports, log a case with support. Resetting Cisco Meraki Devices to Factory Defaults - Cisco Meraki Documentation

ww

I dont see it in the documentation (anymore?)

About Brash

Brash

Community Record

Badges