Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Become a member of the Cisco Meraki Community today
Get answers from our community of experts in record time.
Join nowAbout rabusiak
Community Record
40
Posts
8
Kudos
4
Solutions
Badges
Dec 6 2024
3:47 AM
Can someone explain why I'm seeing this weird ip addresses when I check how traffic hops from client connected with VPN to my environment? Connection is terminated on vMX in Azure. Also, I use Radius on AD for authentication and same IPs are also shown as NAS ipv4 addresses when user initiates connection: 6.1.54.50 6.182.213.103 Both from Fort Huachuca, Arizona... USAISC Headquarters... 😮
... View more
Labels:
- Labels:
-
Azure
-
Client VPN
Dec 6 2024
12:04 AM
3 Kudos
That makes sense! Thank you for clarification 🙂
... View more
Dec 5 2024
12:44 AM
Can anyone confirm when will be the next scheduled Meraki dashboard maintenance? 😄 I saw notification today, I was pretty sure it was scheduled for today, 17:00-19:00 UTC... but my colleague claims it was scheduled for December 9th... we both closed notification and cannot find information anywhere... BTW there should be post somewhere in News & Announcements about it, right? 😉
... View more
Dec 27 2023
2:03 AM
I run the packet capture but probably my lack of expertise is holding me back from seeing something suspicious 😉 At random intervals there are packets like those 2 marked in red below. The only difference is that they have "topology change flag up" but bridge and anything else stays the same...
... View more
Dec 22 2023
2:16 AM
I did opt-in for that... I will opt-out to verify 😉 Still it's just alerts that might by buggy... if I check those uplink ports on switch pages they also reports stp changes in last 2h: Now I see that only one stack doesn't have any issues at all, the one which is connected with core-stack directly with fibers (not through any fiber patch panel). All the rest reports STP changes in last 2 hours.
... View more
Dec 19 2023
1:24 AM
Hi Guys, Need some advice on figuring out why I see "Detecting a high rate of STP topology changes" alerts on random switches (on their uplink ports) at random times. I migrated from mixed switch environment (Catalyst/HP/Aruba) to pure MS setup. Attaching topology. Core stack is the root bridge with priority 8192, default priority is 32768 and one switch has priority 36864. Core stack is 2x MS390-24 with 10G modules. Fibers goes to access switches, one switch doesn't have direct connection with core stack (the one with lowest priority on far right side). Setup was done some time ago and all was fine, then I started to get those random alerts. Don't recall if it was after some firmware update or a reboot. Maybe after MS390 swapped from MS firmware to CS... I'm not sure. One core stack switch is in alerting mode because of a firmware bug - it thinks 10G ports 1 and 2 are connected to copper ports 1 and 2 and reports vlan mismatch. This was confirmed by Meraki support. According to them it doesn't have impact on network and is already fixed in one of the beta firmware versions. Should I change root bridge priority to 0? Should I try to enable BPDU Guard on all access ports network wide? Maybe someone is connecting a switch somewhere... Other ideas?
... View more
Labels:
- Labels:
-
Layer 2
Nov 1 2023
5:52 AM
I do use RADIUS for authentication (even with MFA plugin) on my Meraki with my Client VPN setup. It works. Problem is that there is no bulletproof setup for static ip assignment even if you set things up like in your link. RADIUS may reply with attribute containing ip address but because DHCP service is not running on Windows Server (AD joined) with DHCP role installed (its not even real DHCP on Meraki) there is no real "reservation" done and user will not always get desired ip address. If desired ip address is already taken by someone else during the dial-in process... user will not be able to connect at all 😕
... View more
Nov 1 2023
5:30 AM
I also think so but it sounds like he was able to set it with regular vpn and the problem was only with doing the same on anyconnect 😉
... View more
Nov 1 2023
5:24 AM
@Royce wrote: 1. We were able to set a static using the regular client VPN setup, why is this not possible for the AnyConnect method? @Royce You were able to setup static ip addresses for vpn clients using standard vpn client functionality on meraki? How? 🙂
... View more
Nov 1 2023
12:50 AM
Hi Guys! I have this interesting project of merging 2 dashboards/organization. The one managed by me will become the master one. I know more or less how to migrate devices/network/licenses between organizations but I have no idea how to approach to licensing model change. Currently both organizations are in co-term models. My org is quite small, it contains locations from one country and there is only one "budget". I have like one co-term license key for 8*MS, one key for 8*MX for example. It's fairly simple to extend licenses and figure out who is paying and for what. Organization that I'm going "absorb" is much bigger and more complex. They have like 60 devices across many countries, many owners, many budgets, many administrators and huuuuge amount of license keys where half of them are already expired. They have constant struggle to keep license status green. Nobody knows which license keys were bought be who. I guess some networks only operates because of co-term license model and countries that bought 6 or 8 year licenses keep the rest above the surface. I would like to clear this up during the merge and also avoid situation where entire org is down because someone forgets to extend their licenses. I was thinking about per-device licensing but this has some cons like for example entire org has to run same licenses for MX and we have mix of Enterprise and Advanced Security. I'm looking more towards subscription model and I would like to have separate subscription per each network. For example one network in Uganda should have one subscription containing 2*MX68, MS225 and 3*MR36 and another network there just one MX68. Did anyone have experience with changing co-term to subscription model? Is there a way to convert/split current co-term licenses keys? Should I first merge orgs and then change license model or other way around? For example, I have co-term license key with 8 MS switches and other license key with 8 MXes. I will need to split them into 8 separate subscription licenses, each with one MX and one MS and bind them to networks, right? Is this even possible? I asked Meraki support but their initial answer is quite disappointing - they said to me something completely different than can be found in official docs 😕
... View more
Thank you all for suggestions. I went for the 10th time through entire configuration and all was set correctly... except that I put test user in a wrong AD group 😛 This is why it's requests didn't match any of configured network policies 😉
... View more
Funny thing - I have also other Network policy which has NAS Port Type set to Wireless and is used for WIFI AD auth. If I remove NAS Port Type from it I have a match but then authentication method is not supported (unencrypted) and have access denied also:
... View more
Aug 23 2023
5:58 AM
Hi Guys, Have any of you successfully setup MAC authentication bypass policy with NPS? I'm following this document: Configuring Microsoft NPS for MAC-Based RADIUS - MS Switches - Cisco Meraki All is set according to documentation but port with this policy is not forwarding traffic. NPS logs are catchings my device request but it says: access denied because no matching network policy was found
... View more
Labels:
- Labels:
-
ACLs
May 23 2023
12:09 AM
After you enable split tunneling, you'll need routes to your local subnets. Try something like this in powershell: Add-VpnConnectionRoute -ConnectionName "your-vpn-connection-name" -DestinationPrefix "whatever-local-subnet-you-use"
... View more
May 7 2023
12:53 PM
I have problems on Desktop PC on both wifi and eth card (Intel Wi-Fi 6E AX210 160MHz and Realtek Gaming 2.5GbE Family Controller). No issues on Lenovo laptop with some pretty old 2,4 only intel card.
... View more
May 7 2023
6:24 AM
Just jumped to a new PC with win 11 and started to have issues with VPN. Glad to find this thread and little trick with Wireshark 🙂 Weird that I have fully patched win11 PC where I have this issue and fully patched win11 laptop whereall is fine...
... View more
Oct 14 2022
3:27 AM
2 Kudos
Small discovery about this setup. I'm slowly putting this VPN in "production mode" and I started to receive feedback from users that they cannot connect because they have not enough time to perform 2FA (push notification or ms call). Radius, by default has 60seconds timeout but Meraki only 3 😉 In some newer MX firmwares you can modify this yourself at the bottom of radius configuration page, in older you need to ask the support. After I increased it also to 60seconds on Meraki side I get some improvement but still, users had only around 20seconds... I spend couple of hours with Meraki and Microsoft supports on this case without any luck and then I found this help article on DUO site! Hope it will save somebody a lot of time with troubleshooting - the problem was on client device 🙂 Windows VPN client If you are using a Windows VPN client and you continue to experience issues after you have increased the RADIUS timeout and the retries, you may need to increase the value of the MaxConfigure Registry key on the client machine to 60: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\MaxConfigure=60 How do I adjust the RADIUS timeout on Meraki? (duo.com)
... View more
Oct 3 2022
3:05 AM
@rabusiak wrote: Thanks for the tips 🙂 @Brash wrote: For example MX L3 firewall rules don't apply to traffic transiting a site-to-site VPN. You would need site-to-site VPN firewall rules for this traffic. So, if I create rule "deny traffic from vlan1 to "any" it will not block the traffic to networks on the other end of auto vpn tunnel? Thats kind of violation of ANY terminology 😉 Need to test that 🙂 I created standard L3 firewall rule saying block all icmp traffic between 2 hosts behind different MX devices connected with AutoVPN tunnel and traffic was blocked 🙂
... View more
Sep 30 2022
7:03 AM
Thanks for the tips 🙂 @Brash wrote: For example MX L3 firewall rules don't apply to traffic transiting a site-to-site VPN. You would need site-to-site VPN firewall rules for this traffic. So, if I create rule "deny traffic from vlan1 to "any" it will not block the traffic to networks on the other end of auto vpn tunnel? Thats kind of violation of ANY terminology 😉 Need to test that 🙂 @Brash wrote: An "Allow all traffic going to internet" rule is basically "a deny traffic not going to the internet" rule - deny 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 I used this kind of rule on other firewalls, but it will not work on Meraki in a ruleset I think about to build (because Meraki cannot be set to drop by default?) 1. Deny "guest" to "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16" - blocking guests to internal stuff but leaving them access to internet 2. Allow something from "lan" to "srv" 3. Allow something from "mgmt" to "srv" 4. Allow anything from "admin" to "any" 5. Deny "any" to "any" - clearing rule. 6. Allow all (default rule) Nothing will reach last rule and all clients will be cut off from internet, right?
... View more
Sep 30 2022
5:47 AM
Yup, I've read the docs but there are no answers to my questions 😉 In HQ I have MXs and MSs, in branch offices only MX's. We do not use MRs as access points unfortunately.
... View more
Sep 30 2022
5:27 AM
I'm going to start setting up firewall rules on my Meraki firewalls and I would like to ask more experienced users what the best practices are and how should it be done properly 🙂 I have AutoVPN setup build with 2 hubs - HQ (mx105) & vMX in Azure (ClientVPN there), 5 branch offices aka spokes (5x mx67) + non meraki peer (other company). Should I setup firewall rules between networks of different peers on Security&SDWAN->Firewall or maybe on Security&SDWAN->Site-to-site VPN->Org. wide settings? What are prons&cons of setting them in first vs second place? Default rule at the bottom of firewall ruleset is allow any/any. I planned to put all my "custom allow" rules above and then create one deny any/any just above the default. I believe that setup will cut my clients from internet, right? How to create allow rule saying, "allow all outgoing traffic to internet"? 😉 I have company wifi which has radius auth - active directory accounts. It is separate network/vlan. I would like to somehow control also which devices can access this network. How can I achieve this? Should I create group policy, assign it to all known devices and have custom firewall set to allow internal and external traffic? If I then create regular rule saying block traffic from this network to any directions those devices with assigned group policy will use "their custom firewall only" and will be allowed? Those devices out of my group policy will be cut off from any network based on general firewall rule, right? I'm planning to implement bunch of test rules for couple of weeks, for example: allow any traffic from network A to network B with enabled logging. I parse the flows to syslog (graylog) and analyze what kind of traffic is flowing between network A&B to decide which should be allowed and base on those observations create granular allow rules, separate for tcp, udp and icmp and deny the rest. I need some help with understanding logs I'm getting that way, I know that generally pattern 0 means allowed, and pattern 1 means blocked/deny. When I see logs which hits my test rules, they look like this: pattern: allow (dst network-A/24) && (src network-B/24) What I'm not sure is the meaning of: pattern: 0 all pattern: allow all pattern: 1 all How to treat them? "Allow all" means it hits default allow rule? What just "all" means when it is allowed or blocked?
... View more
Sep 7 2022
6:39 AM
After some time, I managed to set this up. If someone needs help - reach me out for details 🙂
... View more
Sep 7 2022
6:37 AM
2 Kudos
If someone is looking for an answer here it is: not possible 😕 Had a session with support and this is not supported.
... View more
Aug 17 2022
7:28 AM
I need some help in figuring out how to configure routing like in title 🙂 Environment: I have vMX Medium (hub) deployed in Azure. VMX is connected with my MX105 (also hub) in HQ with AutoVPN. Other branch offices are also connected with AutoVPN (spokes). I have configured ClientVPN on vMX. We have important web application used around the world. It contains sensitive data. Depending on geolocation dns name can resolve to specific subnets A.A.A.A/24, B.B.B.B/24 or C.C.C.C/24 App is configured to allow connections only from HQ external ip range X.X.X.X/27. Users from branch offices and VPN clients should also have access to this application. I would like to route their traffic to app subnets over AutoVPN tunnel to MX in HQ and then to internet. In short, for specific subnets I would like MX in HQ to be default gateway for other auto vpn peers 🙂 How can this be achieved since on vMX I cannot create static routes? I don't want to route all traffic to HQ (configure vMX as spoke and set "IPv4 default route" to be HQ peer (hub). I tried to create vpn enabled static routes in HQ's MX pointing to one of local MX ips as a next hop but it doesn't work. Traffic is looping and doesn't reach the target. If as next hop I point other router in HQ (sophos) all is working.
... View more
Labels:
- Labels:
-
Auto VPN
-
Azure
-
Client VPN
Mar 4 2022
7:43 AM
My account had Dial-in set to Control access through NPS Network Policy by default, I changed it also to Allow but still no difference. I don't have any AD groups in request policies so it should allow all users. Anyway even with dial-in set to deny access I still should have rejected requests in radius server event logs but I have nothing there...
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 3171 | Aug 27 2023 11:46 PM | |
| 4160 | Sep 7 2022 6:39 AM | |
| 1434 | Sep 7 2022 6:37 AM | |
| 1998 | Mar 1 2022 12:28 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 3 | 544 | |
| 2 | 3960 | |
| 2 | 1434 |
© 2025 Cisco Systems, Inc.
