- About Pugmiester
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Pugmiester
Getting noticed
Member since May 9, 2018
Thursday
Community Record
57
Posts
13
Kudos
3
Solutions
Badges
12-11-2019
02:08 AM
We're up and running but not without having to tear down the initial installation and start from scratch. That was rather convoluted as well but eventually I managed to unpick it and remove all of the newly created resource groups and the vMX. I had to create a new dedicated subnet in our primary resource group and VNET to be able to attach the vMX LAN interface to which then made it available on the list when building the new vMX. The other subnet I was trying to connect to initially, has been configured as the Azure gateway subnet which seems to exclude it from the selection list. Yeah, I don't know anywhere near enough about Azure to fully understand how all the widgets hang together. It seems overly complicated coming from a physical hardware world but I think it makes enough sense to me now to be able to reproduce this in production when we need to.
... View more
12-05-2019
02:22 AM
I've just run up against the same issue deploying a vMX. The process never made sense beforehand (I'm in no way any sort of Azure expert) so I just presumed it was my physical world thinking but I don't recall having any options at all to select a subnet/vnet outside the vMX's new resource group. In theory, peering the VNET's should be trivial but I'm hitting a permissions error that we can't make sense of so I've bounced it back to our Meraki sales contact to see if they can help unravel what's happening.
... View more
11-18-2019
06:54 AM
1 Kudo
OK, That's really strange. The internet connection troubleshooting sent me down a particular path and I remembered that many years ago, the subnet we had from our ISP was split into two halves with one half being NAT'd on our old Checkpoint firewall, and the second half of the subnet routed through the Checkpoint. No idea how, I never saw the config. However, switching to 3 IP addresses in the original lower half of the range has the MX's happy again. It's bizarre as there are services using the upper half without issues.. But anyway, we are up and running.
... View more
11-18-2019
06:29 AM
Thanks for confirming. That's what I was hoping. I'll run through the connection check docs to confirm what I can see. We do have some 1:1 NAT on the HA pair for some locally hosted services but I've confirmed there are no overlapping addresses. The 2 IP's (will be a third for HA once I get basic comms working) are free of any other configuration and I don't think we have ever used them.
... View more
11-18-2019
03:40 AM
Hi all, Before I go completely bonkers, can I run a question by you all to see if I'm in fact trying something impossible. We have an existing MX HA setup on site that's happily running and providing SD-WAN links to an expanding number of our offices but we are looking to move some third party IPSec VPN links over to our Meraki infrastructure as well. To help separate out the traffic from our SD-WAN (We don't need everyone to know about the links, they are for single local services), we're following this article - https://www.willette.works/merging-meraki-vpns/. It makes sense and I've most of the infrastructure up and running with the exception of the primary WAN link. I'm trying to use 3 additional IP's from our available public subnet but the IPSec MX's seem to not want to use them and keep falling back to WAN2. They are part of the same public subnet assigned to interfaces on the HA MX's and I'm half thinking this is the cause. I'm not seeing any errors but they just don't seem to want to use the primary WAN connection. There's a mention in the article about needing a separate organisation for the VPN link to avoid any VPN subnet overlaps but the impression I got from this was avoiding overlaps between third party subnet and a subnet on the SD-WAN but it's not clear. Can anyone confirm if this should be possible or am I going to have to look at a separate organisation?
... View more
11-11-2019
03:46 AM
Thanks, I knew there would be a way to do it but I've not had enough coffee yet this morning 🙂
... View more
11-11-2019
01:40 AM
Hi all, A question popped up in our team meeting this morning that I hadn't considered. If a website is dropped into a category by Brightcloud that a local MX happens to block (Parked Domains for example), is there a safe way to allow a management IP address to bypass the URL category list and get unrestricted internet access to be able to confirm the type of site? I'm assuming it's not obvious from the URL or users description. We could of course connect out of band to check it or simply whitelist the URL on the MX but that releases it for all users so I'm kinda hoping there may be a more elegant and controlled option we could consider. Thanks, Martin
... View more
10-23-2019
12:44 AM
1 Kudo
That's my name in the bag for some swag.
... View more
09-09-2019
01:38 AM
Hi @PhilipDAth, I'll ask our server team to double check but there was nothing that jumped out last time. We do have the Symantec AV client installed on all of the DC's, all running the same policy but some happily respond and others don't, but not consistently. MX1 might get a response from DC1 but MX2 doesn't. I'm not 100% certain how to confirm the certificates but is one MX works and another doesn't, I would have thought the certificate was OK. I'm just finding it difficult to find a pattern to be able to poke something with a stick.
... View more
09-09-2019
01:29 AM
Hi @Happiman, I don't see any WMI errors. The server connection seems to be happy when I plug in the username/password details and we get the green check mark but then the LDAP refresh starts, shows the spinning circle then no results.
... View more
09-06-2019
03:27 AM
Hi all, We are trying to enable the AD connector on a number of MX appliances spread across our European offices but failing in what seems to be a completely random fashion. We've followed the setup process outlined in the following article on each of the DC's we are trying to work with and confirm all of the relevant settings are in place. https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Directory_with_MX_Security_Appliances When we add the AD credentials (We're using the same service account with just the relevant permissions), we can get the status to report back as OK but getting the LDAP group list to populate is where we are falling over. It seems to be completely random whether it works or not. We appreciate that we need to point to the sites local DC to capture the login details but even that's not consistent. For example, our office in The Netherlands has been failing talking to its local DC but worked (for the first time today) when pointed at one in the UK. On the same UK site, their local MX refuses to talk to the same DC that is happily working for MX in The Netherlands. This seemingly random pattern repeats itself across half a dozen different sites and I cannot find any one link between them. Does anyone have a clue what could be causing this?
... View more
08-01-2019
12:39 AM
1 Kudo
That's the conclusion I was getting to as well. The good news is, we don't have to rip out the Checkpoint to get the MX's live so for a little extra breathing space I can leave the setup as it is initially so we can work out a solution with a little more breathing time.
... View more
07-31-2019
05:16 AM
Hi all, I'm working through the process of migrating one of our offices from a Checkpoint firewall to an MX but I've run up against an issue and I can't think of a sensible way around it. The site has a DMZ behind the Checkpoint firewall with a server that makes connections both to the internet (easy to reproduce) but also to a single server in a data centre across our global WAN. That connection has a policy on the Checkpoint that uses NAT so the connection looks to the data centre server as though it's the firewall making the request and as the local office LAN is a subnet the data centre knows about, it just routes the traffic back. The DMZ server in question is a third party black box so we are hoping to avoid having to connect it directly to the LAN in the office as we cannot be certain how up to date it is. Is there any way I can reproduce that DMZ <> NAT <> LAN functionality with an MX or do I need to starting thinking about having routes for the DMZ subnet advertised across the WAN?
... View more
07-11-2019
02:14 AM
2 Kudos
Congratulations to all. There's certainly a few familiar names on the list that have been really helpful in getting things fixed and helping me understand the transition to Meraki from other technologies.
... View more
06-17-2019
03:12 AM
Hi @PhilipDAth, the services are all NAT on the current firewall so we would be reproducing the same setup but it's just not very clear how you can create a 1:1 NAT for an IP address that's not in the WAN subnet. The MX has no idea what the gateway would be for that second subnet without some way to configure it on an interface somewhere.
... View more
06-17-2019
01:58 AM
Hi all, As we're deploying out MX's across our EU sites we have run up against a little issue with a site that has 4 different small subnets supplied from their ISP, one of the joys of the IPv4 exhaustion and a lot of locally hosted services. While we will likely end up moving the services across to the first 2 subnets, there's a lot of third party involvement which will inevitably lead to service outages, as they do when you don't have visibiity of both sides of a connection. Obviously we could assign a subnet to each WAN interface (We're running an MX-250) but is there any way we could make use of the additional subnets?
... View more
06-10-2019
12:44 AM
Thanks @PhilipDAth, I spotted the VLAN disabled but unfortunately suppers us right now as all of the larger sites have VLAN's enabled we'd need to router around. I was looking at OSPF because I have a little experience with it and only a passing understanding of BGP.
... View more
06-07-2019
05:29 AM
Hi @PhilipDAth, I'm just butting up against the OSPF restrictions myself. It would be a big help if OSPF was available on an MX in NAT mode to publish the Auto VPN routes to a local LAN gateway for the larger sites we have where the MX will not immediately replace the default router. Looks like a little manual work until we get things organised.
... View more
06-03-2019
04:53 AM
Thanks @PhilipDAth, not a bad idea at all, especially if there's not a big difference in cost to begin with.
... View more
06-03-2019
04:52 AM
Thanks @ali_abbass85, I really like the simple diagram idea. One of the many challenges we have is as part of our company reorganisation, we're now becoming centrally responsible for all of these remote sites without having any idea what's on the site yet.
... View more
06-03-2019
04:47 AM
Hi @ SoCalRacer t hat's the approach we've been considering as the best fit so far. It does involve an amount of cable swapping by the local guys but I think with a bit of Friday afternoon brainstorming we've found a process that should work.
... View more
05-31-2019
06:28 AM
Hi folks. We're starting our roll-out of around 25 sites across Europe who will all be receiving a HA pair of MX's (64, 100, 250 depending on site size). The hardware is being shipped directly to site by Meraki and we have a varying level of IT support on each site, from dedicated IT staff through to the guy who fills the coffee machine. We're configuring all the sites ready to support dual internet feeds for future expansion (a task you need the local status page for on an MX64/MX100) and then configuring them for HA. It's a relatively simple task if all the hardware's sat on your desk but a little trickier to achieve on a remote site. A quick Google this afternoon returns a selection of links but none that really walk through the process in enough detail to make it easy to explain to someone remote. Does anyone have a handy guide that we could use to help simplify the process and make it easy to follow?
... View more
05-29-2019
03:16 AM
I'm looking forward to a network that does a lot more to manage the client load and connections between the access points to better manage hotspots around the building.
... View more
05-28-2019
03:08 AM
It appears that Meraki has decided that I now speak Dutch so the latest email update from them has picked Dutch accordingly. As far as I can tell on the dashboard I'm set for English so I have no idea where this has been changed. Any clues folks?
... View more
04-17-2019
01:24 AM
Hi all. So, I logged a ticket with Meraki support and the upshot seems to be that the current mix of Meraki and Catalyst devices is preventing the network from being discovered correctly. I can understand that but I don't get why replacing Catalyst with Meraki hardware has made this particular area less visible to the topology view. Most odd. However, there's mention of LLDP which we don't currently run on the Catalyst devices so I think I'm going to enable it and see if that helps get a better picture of what's connected to what and I'll report back.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 716 | 11-13-2018 07:35 AM | |
| 1927 | 10-31-2018 07:05 AM | |
| 784 | 07-06-2018 05:23 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 3496 | |
| 2 | 3165 | |
| 1 | 146 | |
| 1 | 1902 | |
| 1 | 259 |
