Meraki

JamesHammy

Gah. Even with SWG agent disabled I'm now seeing strange behaviour. If I browse straight to the excluded site, the traffic goes via SecureConnect. No matter how many times I refresh, or how long I leave it, it's always egresses via SecureConnect. If I then ping the site (or tracert, which also pings) I can see the traffic egressing the WAN interface and the website then updates and shows the WAN IP address. It's almost as if some traffic, other than HTTP/HTTPS, needs to pass through before the exclusion kicks in. If I then flush my DNS cache, the traffic reverts back to egressing the SecureConnect IP, until I ping the site. Then it's back to the local WAN IP.

PhilipDAth · ‎Dec 17 2025

You have to delete the VMX, change the config in the Meraki Dashboard, and re-deploy the VMX.

jOMeraki2 · ‎Dec 13 2025

what is VPN full-tunnel exclusion now includes source-based and NBAR application-based exclusion definitions.

Nits4stockland · ‎Oct 29 2025

Following the thread..

jimg3 · ‎Oct 10 2025

In routed mode 19.x - vmx-LAN and vmx-WAN should be separate subnets under your workload vnet. then in your host subnet under that vnet you can then change routetable to make the default 0.0.0.0/0 to point to the vmx-LAN IP. just make sure that you have the proper meraki "addressing & VLANs" settings are applied in the meraki portal. LAN config correctly set to your azure provided vlan interface IP static routes set to the workload vnet subnets (where the virtual machines are) with the next hop IP as the azure subnet route IP (not the vmx subnet LAN ip) referring to this section: When configuring your vMX appliance within an Azure subnet, it's crucial to understand Azure's IP address reservation scheme. Azure reserves the first four IP addresses in each subnet for essential network functions. For example, in the 192.168.1.0/24 subnet: 192.168.1.0: Network address 192.168.1.1: Azure default gateway 192.168.1.2: Azure DNS 192.168.1.3: Azure DNS

Volodymyr · ‎Aug 9 2025

So why then organize a contest and write that your closet is bursting with gifts and everyone who leaves a comment will receive them. But how is it really? Half of them received them? How many did not receive them? I'm waiting 3 weeks instead of 3 days to read that you didn't calculate.?((

PhilipDAth · ‎Jun 2 2025

You don't really need a VMX anymore with SecureConnect (if you are only using it as an AutoVPN hub). You can build a VPN directly between Umbrella and an Amazon AWS VPN Gateway. https://docs.umbrella.com/umbrella-user-guide/docs/cisco-umbrella-data-centers Otherwise, there is nothing special to it. Just connect it like any other hub. https://documentation.meraki.com/CiscoPlusSecureConnect/Cisco__Secure_Connect_Now-_Sites

Mloraditch · ‎Jun 2 2025

TIL! Thanks.

alemabrahao · ‎May 16 2025

Hi, You can deploy an Azure Function App or Logic App to a dedicated App Service Plan with VNET integration, and then route outbound traffic through an Azure NAT Gateway or Azure Firewall with a static public IP by whitelisting this static IP in your Meraki dashboard. This configuration ensures that all API calls to Meraki originate from a fixed, known IP. Here is a discussion that might be of interest to you. Need Cisco Meraki firewall logs on sentinel - Microsoft Q&A

GiacomoS · ‎Apr 30 2025

Hey @JanJonsson , can you send me a direct message with the case number? I'll have a look 🙂 Giac

BlakeRichardson · ‎Jan 12 2025

Well done everyone, a great way to finish 2024!

Abechara · ‎Dec 19 2024

thank you,

JFurlong · ‎Jul 30 2024

Unfortunately, unless things change at Meraki, I think you're going to be in the same position I was -- Meraki will insist that you have to renew your entire dashboard *including* the 10 CA-90 licenses that still have a year's worth of value on them. Fingers crossed that they've fixed this before your renewal in 2 years! (Honestly, I don't know how this hasn't become a bigger issue if everyone using CA runs into this out of sync licensing renewal issue)

LeAnts · ‎May 23 2024

Thanks Shaun. yeah did the ICMP in the end.. very limited on the meraki unfortunately. Also trying to have meraki send alerts to our soar automation using playbooks to ingest tickets into our backend ticketing system.. but unable to separate security events from the WAN appliance with normal switch/wireless events on meraki side, which means more playbook customization 😞

Jonas016 · ‎May 18 2024

Thanks for all the answers. But it sounds like you all have the same answer as I myself suspected. well if we are lucky maybe there will be a beta soon. @BrickBR I agree with you and what you say is kind of what I'm after.

MariaP8 · ‎May 17 2024

The error indicates the source IP you are running the call from is blocked on the destination organization. Unfortunately the API call is terminated by 403 from that organization preventing the other organizations from populating. The IP restriction needs to be lifted. However, if it is intermittent as you suggested then more investigation needs to be done to determine while IP the API call is coming from when it succeeds and fails.

Meraki

Community

About ShaunB93

ShaunB93

Community Record

Badges

Re: Internal DNS server for proxy to upstream DNS

Re: Proof of Concept: Routed Mode vMX in Azure on MX 19.1 with Advanced Sec...

Re: MX 26.1.1 - First beta

Re: Access Manager Configuration EAP-TLS

Re: Configuring the Meraki vMX in Azure for Routed Mode with LAN/WAN Separa...

Re: [CONTEST ENDED] It’s the Great Swag Giveaway!

Re: Meraki Secure Connect + Cloud WAN

Re: Azure vMX VNETs for Internet and LAN Port - Segmentation

Re: IP Restriction for Azure Cloud on Meraki MX75, MX105

Re: [Service Notice] Unexpected MX reboots

Re: Recognizing the December 2024 Members of the Month

Re: vMX resources group creation error

Re: Cloud Archive License Renewals Confusion - Co-Term or Per-Device?

Re: Monitoring MX from Solarwind

Re: VMX on VMware/HyperV ?

Re: Random 403s on GetOrganizations from IP Restricted Org