- About Pugmiester
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Pugmiester
Getting noticed
Member since May 9, 2018
a week ago
Community Record
68
Posts
17
Kudos
4
Solutions
Badges
a week ago
Hi all, We're almost at the end of our EU wide SD-WAN rollout (only around 30 sites but still...) and as I'm sure anyone who's ever done this will know, with Meraki "it just works" 🙂 We have a remaining office site that for current political reasons we can't deploy any Meraki hardware to site. We are looking at a simple third party VPN link (Probably using a locally sourced ASA) into a spare MX using the excellent reference article from Aaron Willette (https://www.willette.works/merging-meraki-vpns/) which we've already used to great success for an actual third party that needs access to an internal resource. I'm hoping to build a pair of 3rd party VPN links so we don't have a single point of failure but getting traffic flowing over the right VPN link seems like a challenge as each of the corporate LAN MX's would publish the same static route into the SD-WAN pointing to their local 3rd party MX. I have a vague recollection that it's possible to do some element of traffic steering using over the SD-WAN using the priority of the hub's that a spoke connects to but I don't think that's possible between hubs. Am I just overthinking the whole situation?
... View more
2 weeks ago
1 Kudo
I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page so I'm including the details plus the link below for future reference. Ports used to contact the VPN registry: Source UDP port range 32768-61000 Destination UDP port 9350 Ports used for IPsec tunneling: Source UDP port range 32768-61000 Destination UDP port range 32768-61000 https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN
... View more
3 weeks ago
Hi @PhilipDAth, thanks for the sanity check. I'm still confused how it's ever worked without the allowed inbound traffic but I'm working on a change plan for the AWS guys to open up the inbound firewall rules.
... View more
3 weeks ago
Hi all, We've had a vMX up and running in AWS since the middle of April but somewhere around the early hours of June 6th it dropped all of the SD-WAN links. It's not in PROD yet so we didn't pickup a monitoring alert. Anyway, we still have dashboard access and neither a vMX or AWS Instance restart has not shaken it back into life but something hit me while I'm trying to figure out what's going on. The AWS Security Group is built from the dashboard recommended firewall rules for the site as recommended in the AWS vMX setup guide, including all the usual suspects for dashboard access, you know all the funky UDP ports and the like, but that gives you no ports I would have thought needed for IPSec (4500, 500, etc). I kinda assumed the dashboard did uber magic and the fact it was working made me suspect that was the case but maybe the initial setup had less rules on SG and the connections were up before it closed off the doors. I know this is something that should make sense but I'm way down on my coffee supply this morning. Should we have more outbound/inbound rules in place the IPSec links that the SD-WAN needs to operate?
... View more
04-20-2020
07:51 AM
That's the sort of answer I was hoping for 🙂 It seemed odd that it wouldn't be easier to build up an HA setup if it was really needed.
... View more
04-20-2020
07:47 AM
Hi all, We're on the verge of moving some connections into production using the vMX in Azure / AWS but the lack of an HA configuration, such as what you can build with the physical hardware, makes me a little nervous. I've seen the scripted AWS failover system put together by @PhilipDAth but I was wondering what you're experiences have been like as far as reliability with a single appliance. Is the underlying infrastructure generally reliable enough to stick with a single vMX or would you recommend the extra layer of complexity of a second appliance and some sort of user built routing/failover in AWS and Azure (unsure even how yet)? Thanks all.
... View more
04-09-2020
01:42 AM
Ironically, the setup we did in Azure to test came up almost straight away. Untangling the right options and getting things in the right NSG to start with is more of a challenge there and as you can't change the vMX appliance once it's deployed it meant we had to tear it down and rebuild it again but once we had that done it was up and running.
... View more
04-08-2020
12:27 AM
1 Kudo
Hi @JamesC_AB, It seems you were spot on. The update from Meraki overnight was that they changed something in the back-end of the dashboard and now it's all working without any changes on this end despite them being sure it was a firewall issue on our side. Anyway, we're up and running. Thanks all for the suggestions.
... View more
04-01-2020
08:19 AM
Hi all, I must be missing something here because it just can't be this hard. The EC2 instance is up and running (using the Meraki setup guide - https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS) and using the "customer data" from the authentication token. We can reach the appliance's public IP (we have a rule allowing port 80 inbound temporarily to troubleshoot) and it confirms internet access but no connection to the dashboard over port 7734. However, AWS flows confirm it's sending and receiving data from the dashboard over port 80 and port 7734 but it just will not phone home and show up in the dashboard at all. What have I missed?
... View more
02-26-2020
01:59 AM
2 Kudos
Thanks, I was thinking it might be the later and powering down the AP would be the way to go. It's certainly an absolute case of no WiFi being available. Time to start planning for the end of the work day I think.
... View more
02-26-2020
01:14 AM
Hi all, We're having some really strange WiFi drop off / roaming issues on one of our sites (obviously, my site and none of the other 28 we have across Europe 😞 ) that appear completely random across different client manufactures, drivers versions, you name it. There's no pattern I can find to the disconnections so I'm going round and round in circles with it. However, one stand out difference we have with this particular building is a lot of AP's. We spammed the building with no wireless survey and have 34 AP's over 3 floor, including a conference centre that sees meetings of up to 80-100 people (then of course 100 laptops, plus 100 iPhones, plus 100 personal phones,etc...). I've made changes over the last 3-4 months to the RF Profiles to allow the AP's to adjust their settings as far as possible and we're seeing some of them powering down to 2dB which is suggesting there is more overlap between them than we probably should have. So, this brings me to the point of the question, to try to assess if we do in fact have way too much overlap, I'm looking at disabling a few of the AP's to see what that does to the remaining AP settings and coverage and I'm trying to figure out if I simply disable the SSIDs from an AP, does that shut down the antenna completely. If I switch the SSID to "deploy SSID by TAG", and drop the tag on a few of the AP's does that shut down the radios as well or do I need to power them down completely?
... View more
12-11-2019
02:08 AM
We're up and running but not without having to tear down the initial installation and start from scratch. That was rather convoluted as well but eventually I managed to unpick it and remove all of the newly created resource groups and the vMX. I had to create a new dedicated subnet in our primary resource group and VNET to be able to attach the vMX LAN interface to which then made it available on the list when building the new vMX. The other subnet I was trying to connect to initially, has been configured as the Azure gateway subnet which seems to exclude it from the selection list. Yeah, I don't know anywhere near enough about Azure to fully understand how all the widgets hang together. It seems overly complicated coming from a physical hardware world but I think it makes enough sense to me now to be able to reproduce this in production when we need to.
... View more
12-05-2019
02:22 AM
I've just run up against the same issue deploying a vMX. The process never made sense beforehand (I'm in no way any sort of Azure expert) so I just presumed it was my physical world thinking but I don't recall having any options at all to select a subnet/vnet outside the vMX's new resource group. In theory, peering the VNET's should be trivial but I'm hitting a permissions error that we can't make sense of so I've bounced it back to our Meraki sales contact to see if they can help unravel what's happening.
... View more
11-18-2019
06:54 AM
1 Kudo
OK, That's really strange. The internet connection troubleshooting sent me down a particular path and I remembered that many years ago, the subnet we had from our ISP was split into two halves with one half being NAT'd on our old Checkpoint firewall, and the second half of the subnet routed through the Checkpoint. No idea how, I never saw the config. However, switching to 3 IP addresses in the original lower half of the range has the MX's happy again. It's bizarre as there are services using the upper half without issues.. But anyway, we are up and running.
... View more
11-18-2019
06:29 AM
Thanks for confirming. That's what I was hoping. I'll run through the connection check docs to confirm what I can see. We do have some 1:1 NAT on the HA pair for some locally hosted services but I've confirmed there are no overlapping addresses. The 2 IP's (will be a third for HA once I get basic comms working) are free of any other configuration and I don't think we have ever used them.
... View more
11-18-2019
03:40 AM
Hi all, Before I go completely bonkers, can I run a question by you all to see if I'm in fact trying something impossible. We have an existing MX HA setup on site that's happily running and providing SD-WAN links to an expanding number of our offices but we are looking to move some third party IPSec VPN links over to our Meraki infrastructure as well. To help separate out the traffic from our SD-WAN (We don't need everyone to know about the links, they are for single local services), we're following this article - https://www.willette.works/merging-meraki-vpns/. It makes sense and I've most of the infrastructure up and running with the exception of the primary WAN link. I'm trying to use 3 additional IP's from our available public subnet but the IPSec MX's seem to not want to use them and keep falling back to WAN2. They are part of the same public subnet assigned to interfaces on the HA MX's and I'm half thinking this is the cause. I'm not seeing any errors but they just don't seem to want to use the primary WAN connection. There's a mention in the article about needing a separate organisation for the VPN link to avoid any VPN subnet overlaps but the impression I got from this was avoiding overlaps between third party subnet and a subnet on the SD-WAN but it's not clear. Can anyone confirm if this should be possible or am I going to have to look at a separate organisation?
... View more
11-11-2019
03:46 AM
Thanks, I knew there would be a way to do it but I've not had enough coffee yet this morning 🙂
... View more
11-11-2019
01:40 AM
Hi all, A question popped up in our team meeting this morning that I hadn't considered. If a website is dropped into a category by Brightcloud that a local MX happens to block (Parked Domains for example), is there a safe way to allow a management IP address to bypass the URL category list and get unrestricted internet access to be able to confirm the type of site? I'm assuming it's not obvious from the URL or users description. We could of course connect out of band to check it or simply whitelist the URL on the MX but that releases it for all users so I'm kinda hoping there may be a more elegant and controlled option we could consider. Thanks, Martin
... View more
10-23-2019
12:44 AM
1 Kudo
That's my name in the bag for some swag.
... View more
09-09-2019
01:38 AM
Hi @PhilipDAth, I'll ask our server team to double check but there was nothing that jumped out last time. We do have the Symantec AV client installed on all of the DC's, all running the same policy but some happily respond and others don't, but not consistently. MX1 might get a response from DC1 but MX2 doesn't. I'm not 100% certain how to confirm the certificates but is one MX works and another doesn't, I would have thought the certificate was OK. I'm just finding it difficult to find a pattern to be able to poke something with a stick.
... View more
09-09-2019
01:29 AM
Hi @Happiman, I don't see any WMI errors. The server connection seems to be happy when I plug in the username/password details and we get the green check mark but then the LDAP refresh starts, shows the spinning circle then no results.
... View more
09-06-2019
03:27 AM
Hi all, We are trying to enable the AD connector on a number of MX appliances spread across our European offices but failing in what seems to be a completely random fashion. We've followed the setup process outlined in the following article on each of the DC's we are trying to work with and confirm all of the relevant settings are in place. https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Directory_with_MX_Security_Appliances When we add the AD credentials (We're using the same service account with just the relevant permissions), we can get the status to report back as OK but getting the LDAP group list to populate is where we are falling over. It seems to be completely random whether it works or not. We appreciate that we need to point to the sites local DC to capture the login details but even that's not consistent. For example, our office in The Netherlands has been failing talking to its local DC but worked (for the first time today) when pointed at one in the UK. On the same UK site, their local MX refuses to talk to the same DC that is happily working for MX in The Netherlands. This seemingly random pattern repeats itself across half a dozen different sites and I cannot find any one link between them. Does anyone have a clue what could be causing this?
... View more
08-01-2019
12:39 AM
1 Kudo
That's the conclusion I was getting to as well. The good news is, we don't have to rip out the Checkpoint to get the MX's live so for a little extra breathing space I can leave the setup as it is initially so we can work out a solution with a little more breathing time.
... View more
07-31-2019
05:16 AM
Hi all, I'm working through the process of migrating one of our offices from a Checkpoint firewall to an MX but I've run up against an issue and I can't think of a sensible way around it. The site has a DMZ behind the Checkpoint firewall with a server that makes connections both to the internet (easy to reproduce) but also to a single server in a data centre across our global WAN. That connection has a policy on the Checkpoint that uses NAT so the connection looks to the data centre server as though it's the firewall making the request and as the local office LAN is a subnet the data centre knows about, it just routes the traffic back. The DMZ server in question is a third party black box so we are hoping to avoid having to connect it directly to the LAN in the office as we cannot be certain how up to date it is. Is there any way I can reproduce that DMZ <> NAT <> LAN functionality with an MX or do I need to starting thinking about having routes for the DMZ subnet advertised across the WAN?
... View more
07-11-2019
02:14 AM
2 Kudos
Congratulations to all. There's certainly a few familiar names on the list that have been really helpful in getting things fixed and helping me understand the transition to Meraki from other technologies.
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 29 | 2 weeks ago | |
| 898 | 11-13-2018 07:35 AM | |
| 2067 | 10-31-2018 07:05 AM | |
| 956 | 07-06-2018 05:23 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 548 | |
| 2 | 4687 | |
| 2 | 3937 | |
| 1 | 29 | |
| 1 | 561 |
