- About JonathanDixon
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
JonathanDixon
Here to help
Member since Sep 5, 2017
10-08-2019
Community Record
8
Posts
1
Kudos
0
Solutions
Badges
09-16-2019
08:14 PM
Hi All, It looks like it's possible to disable Advanced Malware Protection (ie. HTTP file download inspection) at a group policy level, but not Intrusion detection and prevention (SNORT) - does anyone know if it's possible to do this somehow? Use case is a firewall with lots of guest internet users connected to one subnet that we're not interested in protecting, but we are interested in protecting admin users on a separate subnet. Thanks, Jonathan
... View more
06-13-2019
03:20 AM
1 Kudo
Thanks @jdsilva and @PhilipDAth - a crossover cable did the trick!
... View more
05-17-2019
07:21 PM
I haven't tried a crossover cable yet - good suggestion, I will give that a try. Thanks guys.
... View more
05-17-2019
04:25 AM
Hi All, Long, scattered post, I'll start by saying I think this will end up being an ISP issue, I'm wondering if anyone has seen anything similar. I have a client with an Ethernet delivered Internet service, (layer 2 radio link back to ISP) terminated into a Cisco switch at the ISP. I know it's a Cisco switch at the ISP because until recently they were sending us CDP... The service was plugged into a Cisco 1941 at the client end and working fine (no vlan, though the ISP switch has native vlan xyz configured - I could see from the CDP). The ISP enforces 100/full rather than auto/auto. I'm trying to replace the 1941 with a MX64, so I configured the MX with the same IP / mask etc. and set the Internet port to 100/full, no VLAN tags, just as it is on the 1941. I was surprised when it got to site and didn't work. The link LED on the Meraki Internet port was off, as was the link light on the ISP's CPE. I got the client to connect to the Meraki's admin page and set the Internet port to auto/auto. The link came up (at 100/half, to be expected as the ISP end is 100/full). Changing the Meraki to Internet port to 100/full, the link drops again. The ISP can't / won't change their equipment to auto / auto, so i'm a bit stuck. They have disabled CDP on their port facing us, I assume it's still configured link 'switchport trunk native vlan xyz' - not that it should matter. Not sure where to go from here, except leaving the 1941 and putting the MX behind it, double NAT, or using a couple of switch ports to 'bridge' between the Meraki's internet port and ISP's CPE. I can't really do much troubleshooting on the MX and can't do a packet capture as i'm not on site. I've had the client grab the support .dat file from the local status page and I've sent that to support. Any theories? The ISP haven't been able to assist very much and there is a bit of a language barrier. I'm wondering if the ISP or Meraki is reacting to BPDUs and shutting the port down, though I think it would just go into blocking rather than shutting the port down. But this seems like more of a speed / duplex negotiation issue. We've tried a two-pair ethernet cable in case gigabit negotiation is happening, made no difference, as well as new patch leads. I will also try using LAN4 instead of the Internet port. We occasionally see no settings on the MX's Ethernet page as well, I think I've seen that once or twice in the past but also a bit odd. I'll be pushing the ISP to assist more next week but welcome any suggestions! Jonathan
... View more
11-17-2018
06:16 PM
Hi Nolan, All the logs show is the site to site VPN connectivity issues, then Primary uplink status change uplink: 1, then some time later Primary uplink status change uplink: 0. I don't have e-mail alerts setup for this one but the Appliance Status / Uplink tab shows 100% packet loss on uplink 0 during the outage. Here's a sample log showing an outage for a couple of hours: Nov 17 10:29:03 Route connection change peer_type: l3_vpn, peer: E0:C8:8C:24:33:CB, connection_status: connected Nov 17 10:29:03 Route connection change peer_type: l3_vpn, peer: E0:C8:8C:23:0B:4F, connection_status: connected Nov 17 10:29:03 VPN tunnel connectivity change vpn_type: site-to-site, peer_contact: 4.5.6.7:47227, connectivity: true Nov 17 10:29:03 Primary uplink status change uplink: 0 Nov 17 10:29:02 Non-Meraki / Client VPN negotiation msg: notification INVALID-COOKIE received in unencrypted informational exchange. Nov 17 10:28:57 VPN tunnel connectivity change vpn_type: site-to-site, peer_contact: 8.7.6.5:53890, connectivity: true Nov 17 10:28:52 Non-Meraki / Client VPN negotiation msg: notification INVALID-COOKIE received in unencrypted informational exchange. Nov 17 10:28:50 VPN registry connectivity change vpn_type: site-to-site, connectivity: true ***MX has switched to backup link Nov 17 09:12:05 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 192.168.15.2[500]<=>19.20.21.22[500] Nov 17 09:12:04 Route connection change peer_type: l3_vpn, peer: E0:C8:8C:24:33:CB, connection_status: connected Nov 17 09:12:04 Primary uplink status change uplink: 1 ... Nov 17 09:08:42 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 12.13.14.15[500]<=>19.20.21.22[500] Nov 17 09:08:37 VPN registry connectivity change vpn_type: site-to-site, connectivity: false Nov 17 09:08:18 VPN tunnel connectivity change vpn_type: site-to-site, peer_contact: 8.7.6.5:53890, connectivity: false Nov 17 09:08:17 Route connection change peer_type: l3_vpn, peer: E0:C8:8C:23:0B:4F, connection_status: disconnected Nov 17 09:08:13 VPN tunnel connectivity change vpn_type: site-to-site, peer_contact: 4.5.6.7:47227, connectivity: false Regards, Jonathan
... View more
11-16-2018
06:39 PM
Hi All, Some of our ISPs deliver services using IPoE (instead of PPPoE), it's similar to DHCP in its appearance to the CPE. With the MX WAN side configured for DHCP the connection does come up and work for a while (hours to days) but then drops out for a period (tens of minutes to two hours) then comes back on its own. This only seems to happen with the MX, a Cisco router in place of the MX works fine (as does a Netgear etc.) I've had a couple of cases open on this but haven't yet found a solution (apart from another router in-between and double NAT). I suspect it's something with DHCP negotiation - curious to know if anyone has had similar issues? Thanks, Jonathan
... View more
11-20-2017
05:39 PM
Hi All, It has been asked before - and I think it may be in or near beta - but where are we at with routing a public subnet through a MX, to allow us to put public IPs directly on devices (rather than 1:1 NAT)? We have a few clients where we're having to use ASAs where a MX would do, just because certain systems can't work with 1:1 NAT. Thanks, Jonathan
... View more
11-16-2017
12:40 AM
Just bumping this one - any news on this feature? We have a few clients where we're having to use ASAs where a MX would do, just because we can't have a public routed subnet with no NAT...
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 1 | 1167 |
