The Meraki Community
BarrettLocus

Here to help

Member since Apr 14, 2022

‎10-10-2022
Kudos given to
User Count
PhilipDAth
Kind of a big deal PhilipDAth
1
TheHype
TheHype
1

Community Record

5
Posts
0
Kudos
0
Solutions

Badges

First 5 Posts
Lift-Off
Latest Contributions by BarrettLocus

Re: Generating Join Tokens with the API

by BarrettLocus in Security / SD-WAN
09-21-2022 10:36 AM
My account has the ability to create it in the Dashboard. I am generating the API access key by going to My Profile > API Access and then generating it there.

Are there differences in what the API can do versus my logged-in users? Better question: are these permission levels documented somewhere for us to reference? ...

Generating Join Tokens with the API

by BarrettLocus in Security / SD-WAN
09-21-2022 08:20 AM
I'm trying to generate join tokens automatically. I'm following the example found in Meraki SDK/API Link

However, I am getting:

meraki.exceptions.APIError: appliance, createDeviceApplianceVmxAuthenticationToken - 404 Not Found, please wait a minute if the key or org was just newly created.

Neither the device/serial nor org are newly created. Can I assume this is a permissions issue? If so, what permissions does my API user need? ...
Labels:
  • AWS
  • Azure
  • Other

Re: Auto-VPN/IP changes/Registration (on AWS)

by BarrettLocus in Security / SD-WAN
04-25-2022 05:28 AM
If the AZ is down - no big deal, once the AZ comes back up again you can just start the VMX again and it will use its existing certificate store on its hard drive.

My thought was if the AZ/Region is down for an extended period and we want to fail over an instance without involving a human AND without having cold standby instances, e.g. some kind of floating instance/license situation.

In any case this thread answered my original questions. Thank you. ...

Re: Auto-VPN/IP changes/Registration (on AWS)

by BarrettLocus in Security / SD-WAN
04-22-2022 10:28 AM
Thank you for your follow up. I appreciate it.

I'd like to get a bit more clarity, just so I fully understand.

The VMX regularly registers the current public IP address it has in the VPN registry. So the public IP can change and it is not a big deal. When spokes connect they look up this IP address in the VPN registry.

Is there some kind of material that the VMX receives that allows it to do this? Meaning once the instance has registered and the token has expired, what allows the VMX to update its IP? I think I was assuming that identity was established in the following way:

VMX -> identified by token.
VMX registers -> identified by (ip, port)

But if the IP can change that must not be it? As part of the keep-alive/heartbeat messages, is some sort of short-lived token being maintained?

For the case where the instance is lost (say the AZ is down), is it required to re-register with a token then? I'm assuming the VMX100 appliance doesn't allow for backing up authentication material directly. Is there any known issue with using EC2 snapshots for this? ...

Auto-VPN/IP changes/Registration (on AWS)

by BarrettLocus in Security / SD-WAN
04-21-2022 08:42 AM
Couple of questions, all related.

I have read this - https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_Auto_VPN_Tunneling_between_Cisco_Meraki_Peers

I'm trying to figure out if I have options besides using Elastic IP (which are limited in quota) and I realized I have a few holes in my mental model of the way Auto-VPN works, especially with the cloud.

1. How does Auto-VPN handle the change of WAN IP of a VMX? I haven't found good documentation concerning this. Do we have to re-enroll the instance with a new time-limited token if the WAN IP changes?

2. What material is placed on the instance after the time-limited enrollment token expires? Is the identity of an instance established simply using the (WAN IP, SOURCE PORT) that was used to enroll?

3. If my instance dies, but another one is launched, how will it recover the registration/connection? Assuming EIP usage, how would it know what source port to use? In other words, if I attach another instance to the same EIP used to register, then what happens?

4. On AWS, is there any other option besides using Elastic IPs per VMX instance? I understand how the whole punching works, but the issue is the dynamic source port used. If we could select the source port then I believe I could put my instances behind a load-balancer and then target instances based off the port. That doesn't seem like an option. ...
Labels:
  • Auto VPN
  • AWS
© 2023 Meraki