There is a script published by Meraki that you can use that will basically keep pushing the scheduled upgrade forward a week with the net effect of it never happening.    https://github.com/meraki/automation-scripts  the folder/script is firmware_lock ... View more

have you deployed any MX as HUB in routed mode with DC-DC failover ? where both DC advertise similar routes. ... View more

@rwiesmann Correct, there was no learning hub search (or filtering) before. Courses could be found via Google (or other web search) but not via community search. With the new version, there is a brand-new search on the learning home page and also courses appear in community search. Hopefully helpful to everyone!! ... View more

so here is the real information according to cisco support. static will always win. so if you have a 10.0.0.0/8 to core and then you get autovpns of 10.10.10.0/24 x.x.20.0/24, that 10 static will always win. they have something in the back that allows them to change the AD of static it basically gives priority to autovpn routes over statics. thanks.   Directly Connected Client VPN Static Routes Auto VPN Routes Non-Meraki VPN Peers BGP learned Routes NAT* ... View more

😲 I must have missed those! They don't sound like kind bugs! The first one is the kind of thing you pull your hair out trying to diagnose.   We've just moved to 17.2.1.1 at some pilot locations so we'll see how that goes... Was about to upgrade a critical site to 17.2.1.1 to investigate a separate multicast issue but hard nope on that now! I'll take the wait and see approach to this release. ... View more

One thing to note is that most vendors are phasing out L2TP VPN. AnyConnect is a far better and more secure experience.   Additionally, Android no longer natively supports L2TP VPN since Android version 12. ... View more

As said above, AVB is not supported on Meraki managed catalyst switches as the feature is not available natively in the Meraki dashboard.   My understanding is that it is supported on Catalyst switches in Meraki monitoring mode, or when standalone running IOS-XE. ... View more

@vagrant I'd love to see a picture of your decorated backpack! ... View more

After doing some more research on the issue I would like to see if the steps I have put together will resolve the issue.  It appears as though the problem is my clients are getting a Schema 1 version of a certificate (Windows 2003/XP compatible) instead of at least Schema 3 versions or higher with of a cert template.   Here is what I have setup ready to deploy     Copy the certificate template that I am currently using to a new template "MyComputersV4" Change the compatibility to Server 2016 for Cert Authority Change the compatibility to Server 2016/ Windows 10 for Cert Recipient On Crypto tab, change Provider Category from Legacy to Key Storage Provider Algorithm set to RSA Min Key Size to 2048 Select Microsoft Key Storage Provider from the Providers list Set Has to SHA256 Temporarly unchecked Auto Enroll for Domain Computers on security tab  Added the new "MyComputersV4" to the Certificate template list so it can be deployed later.  Left my old "MyComputers" template as is for now until I cut over.   When ready to deploy I can adjust the security to Enable the Enroll and Auto Enroll settings on the new template and disable them on the old tempates.  After force a script down to the computers to run: gpupdate /force certutil -pulse   I think this should get the clients up to date, but I should I also be doing something similar for the Domain Controller template?  I see that this is still Schema version 1.  Do the DCs templates need to be updated?               ... View more

The documentation states that its doable with a MR Enterprise licence...  Microsoft Entra ID Integration with Splash Page - Cisco Meraki Documentation ... View more

Try a non-passive twinnax cable if you've got one. My experience of passive twinnax is that they're more prone to CRC's. Other than that, try fiber which is generally more reliable - especially cross vendor. ... View more

As said above, you have essentially two options:  - Create a separate SSID for your Playstations that has no splash page  - Manually configure the client to bypass the splash page     ... View more

They said the issue is only seen on firmware 31.1.7, but we've see in on all previous firmwares.    They're asking if we've seen the issue on 31.1.7.1. We're testing that currently. ... View more

Just following up to see if you’ve had any success with this. I'm currently stuck at the same issue you were experiencing. ... View more

You can't block inbound connection attempts from specific countries to services hosted on the MX. As @cmr mentioned, you would need to sit the MX behind another device that can perform this function.   ... View more

Summarizing what's been said above:  - Applying L7 geo-blocking firewall rules should block connections to websites of those countries.  - If you have any existing connections through the MX, you may need to wait for them to timeout (~5 minutes from memory) before they will be blocked. New connections should be blocked as soon as the MX receives the updated config from the dashboard (~30 seconds).  - L7 geo-blocking firewall rules will not block inbound connections into DNAT rules. ... View more

As stated above, the client will attempt to reach the RADIUS server 3 times, each with a 2 second timeout. If there is no reply to these 3 attempts (6 seconds) it will failover to the next server.   If the server replies however (as in your case), it is counted as online and therefore no failover will occur. ... View more

The Support will replace me the MX with a RMA , the MX is still on the old firmware and try again and again to apply the new one. It's seams to be linked with a hardware issue.    Best regards for your helps. Brice ... View more

UPDATE: this contest has ended! Stay tuned for the final points round up and the announcement of our many winners! ... View more

Hello folks, Thank you @TK-ECH for sharing. Just a couple of clarifications on my side:   If possible, please make sure you have someone physically present with the impacted device and call into Support. There's a few physical observations and tests that need to be performed to ensure the issue being encountered is the one we are addressing with the interim firmware and not a different one.  The firmware mentioned above is an interim patch. We have done extensive testing, but it is not marked as a stable or release candidate firmware. Make sure you accommodate enough time in a maintenance window to test your environment if we agree to proceed with the upgrade route.    Please, keep working with our Support team to identify the best path forward based on your circumstances. 🙏   Thank you so much everyone! Giac ... View more

thank you for sharing this Frank! hopefully some of the people struggling to utilize these in Visio get a chance to see this message ... View more

I'm hoping this will open the door to finally having simple features like LACP and STP on LAN ports?;p Dunno if this will also impact the firewalling possibilities when they do decide to so routed mode. ... View more

Note: To access these Cisco U. Learning Paths (CNIOS & DCAIAA ), please log in or create a free account ... View more

Yes, in the new Cisco Meraki dashboard, you can force Meraki MS switches (like MS120, MS210, MS425, etc.) to use a specific firmware version, including older versions, using the firmware downgrade override feature—but only if you have access rights and the correct organization permissions. For more details   I suggest you to check the Meraki documentation..! ... View more

Congratulations everyone! Some really great posts this month!   Keep it up! 👍 ... View more