Thank you all for your replies. The interfaces/networks on the MX are more complicated than in the diagram, I just simplified it to try to remove any confusion. We have 5 different vlans/subnets, each with their own source-based route as the MX is also used to tunnel some wireless traffic, and the default gateway for each of these subnets is actually the router, which has those 5 interfaces/subnets on them. I think the issue is routing, but on the return of the traffic. If I disable all firewall rules traffic originating from 10.1.0.0/24 can get to 10.112.5.0/24, however traffic originating from 10.112.5.0/24 passes through the MX to 10.1.0.0/24 (As can be seen in packet captures) and I can see the responses, but I suspect it's then following default routes, rather than source based routing for the return traffic. I'll confirm this by running packet captures on the different interfaces on the MX and check for the reply traffic going down a wrong route... The firewall rules are working correctly as the ACL hit count is increasing as I send test data, so not as I originally thought being an issues with L3 firewall rules.   Once again, thanks for your responses, hopefully I can figure this out. ... View more

Hey, Are you still facing this issue or is it resolved now? ... View more

If you are interested in participating in the EFT for this feature, please take a look at this topic: EFT opportunity: IOS XE upgrades using Cloud Monitoring. ... View more

My apologies for not responding to your query, region is Europe (UK). ... View more

It could be possible that the browser's zoom is to high. Please try zooming out to make text smaller.  If you continue to have issues even after zooming out. I recommend to open a support case with Meraki Technical Support.  ... View more

Team,  I think There is a bandaid fix that I can apply to maybe boost performance on those access points. If we increase the minimum bitrate on those access points it should allow for those device to be able to accommodate more throughput ... View more

So I can't imagine there actually being any real 6GHz usage around you, so I would suspect cosmetic bug. The spectrum and channel utilization is nice but it has a history of being unreliable.   https://nolanwifi.com/2017/02/02/meraki-rf-falsehoods/   As for the MAC, I don't see 6GHz mentioned on this document, but I suspect its MESH https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/Calculating_Cisco_Meraki_BSSID_MAC_Addresses ... View more

I remember this cropping up a few times over the years, always doesn't seem to last long... ... View more

We have a similar setup, two pairs of MX450s in different DCs. It is possible to setup 'secondary concentrators' for tunnelling SSIDs, screenshot below: We split the connections to different HA pairs of MX450s to spread the load, but have secondary concentrators setup in case of DC failure. ... View more

Do you have matching speed and duplex settings on the devices?  We have found that forcing either at one end and having it auto at the other can cause this, along with the cabling issues mentioned above.  Also if you are using mGig line cards make sure that all of the cabling including the patch leads is Cat6a.  Again we have seen issues with mGig AP to switch connections where Cat6 or Cat5e is used for part of the run.  This often only occurs under load. ... View more

Specifically, this setting is only for Meraki-hosted Administrator accounts.   Correct, SAML accounts will use their own separate system. ... View more

Thats interesting. I checked the settings of the new network I created yesterday and they had the following settings: I then clicked on 'Restore to Meraki Default' and ...the 6GHz was set too power range 0-8??:   Then went and checked that the country the network was assigned (automatically) was UK, didn't make a change, and then checked the power range values again, and they have changed in the background??..: I can only guess there is a slight delay with the 'defaults' being applied, and then them being adjusted depending on country network is assigned to. ... View more

Well we resolved the issue.  We have an ASA in our environment with basic threat detection enabled.  When doing a packet tracer on the ASA the client experiencing the issue was Shunned in Phase 3.  When looking at the policy we have excluded subnets from the threat detection with auto recovery after 3600 seconds (1 hour).  Once we added that in the policy we have not had the issue occur again.   ... View more

Hi, you need to   - remove policy from ports - add ports to port-channel - add policy "device-tracking attach-policy MERAKI_POLICY" to port-channel   example:   interface TwentyFiveGigE1/0/10 switchport trunk native vlan 230 switchport mode trunk channel-group 1 mode active end interface TwentyFiveGigE2/0/10 switchport trunk native vlan 230 switchport mode trunk channel-group 1 mode active end   interface Port-channel1 switchport trunk native vlan 230 switchport mode trunk device-tracking attach-policy MERAKI_POLICY end   otherwise the Meraki dashboard not will detect the ports and VLAN configuration and you can have a mismatch VLAN on port or other cosmetics errors in Meraki dashboard   ... View more

Nice spot. I also found the next slide interesting. While this looks to be only for the Catalyst monitored switches, I think it would be a great feature to include for the whole Meraki switch line, to be able to compare configurations between two different time frames. I appreciate that it's possible through the use of API or a appstore service, but including it within the dashboard seems to be a good thing.   ... View more

No update sorry, I never raised a call tbh and haven't checked to see if it's sorted yet. I'll try to do that later this week and get back to you. ... View more

Congrats 🙂 ... View more

I hadn't performed the initial steps and still haven't yet, but what is odd is that the Radsec option for SSIDs is visible again for me on the SSIDs that are setup for radius authentication. I have no explanation for why it disappeared and re-appeared, but lets just put it down to either my browser cache or temporary gremlins. ... View more

I don't want to assume anything, so if it's ok, can I confirm a few things first. When you say that it is using a custom radius, is the option selected 'my Radius server' from the option under Security>Enterprise with in the Wireless>Access Control part of the dashboard?    If so, I assume that under the Radius settings you have it configured to point to the radius server, which is what I'm ultimately trying to lead you too. This could be an ISE appliance/Service or any other Radius server, but this is where I think you need to start your actual investigation as it is the configuration within the Radius server which will tell you how clients/devices are authenticating the network. Which protocol is the policy that your clients should be matching to within the radius server (Apologies I'm using ISE terminology (I think)) EAP-TLS, PEAP, MS-CHAP...etc. How are clients/devices to authenticate, with a username/password or with a certificate, potentially both. The protocol will kinda determine which authentication method is to be used. I know that you have said that entering credentials allows the users to login, but it may well be that users/devices are actually supposed to authenticate with certificates, but the radius also allows username/password. I've had issue previously where computer accounts weren't located within the correct OU in AD, so a GPO which assigned the configuration for the wireless connection haven't been pushed out. My advise is to start at the radius server, look to see how succesfull clients/devices authenticate, and look to then see why your failed clients don't automatically...I do hope that this does assist you in your investigation.   ... View more

> the group policy itself will not determine whether the client should breakout locally from the SSID or tunnel back to the MX, it only sets the local vlan override, L3/7 FW and traffic shaping.   That is the case. ... View more

> When you state Content filtering do you just mean URL filtering   Yes.   >including safe search enforcement and AMP?   I don't know about these two. ... View more

Hello @GiacomoS  and @spadefist (great name)   Thank you for this.   However we did follow all of those guidelines when specifying the correct model and have still ended up in this situation.   The sizing guideline did up until recently have the figures of the MX75/85 set at 750Mbps, it was recently refreshed to 500Mbps.   I did open a support case initially about this and was told to talk to the account manager. I spoke with the account manager who didn't know about this and still hasn't been able to procure an answer.   So from our side this process seems broken. We've followed the guidelines and it feels like the goalposts have been moved. Then that we're not being told or getting any information on the changes.   What is worse is that it feels like the units are being artificially held back and capped. We're sad as the MX75/85 product line performance change devalues these machines significantly.   It leaves us back in a similar situation we were in before these products were announced where there is a gap in the MX lineup to cater for environments with above 500 Mbps who don't or can't justify the cost of a unit like the MX95. This is an area where competitors don't have those sort of gaps in this market. I find it odd as this must be a pretty normal requirement as we have dozens of clients who need this sort of unit.   For existing customers we need to address the issue that they bought a unit based on the figured in the sizing sheet that had been out for over a year and now the throughput figures have dropped a third.   For new customer / sales we will also need to address the situation. We had a customer with a signed off order for an MX85 that due to this uncertainty we paused. Given that this has taken so long and with the customer pushing we had to lend them one of our MX100 units to give them access to more bandwidth while we resolved the issue. I'm not sure what the outcome here is. If we go back to the customer and say "sorry you need this next up unit that is double the costs" At best we ourselves will look incompetent, at worst it looks like a money grab.   As above Giacomo I don't have any open tickets about the issue now but am happy to open one and work with you to resolve this. Certainly the AM's we've spoken to don't know about this or anyway forward. I am very keen to get this issue resolved for existing client and clients where we have open or approved orders for the MX85 units         ... View more

I have a similar issue, except it is between C9300 & MS390 stacks. The allowed trunk ports match but the one that doesn't is the native vlan, but I haven't changed the value yet as they are working as intended and they are a critical piece of our infrastructure and I've yet to pluck up the courage to make a change. If you view the ports in the meraki dahsboard, what does it show under the vlan mismatch info when you click on Warning: Vlan Mismatch under the CDP/LLDP value in the status section? Image is taken from my dashboard, but I can't show the info under the warning pop-up   ... View more

After receiving an update from Cisco (I am unable to share any information on this), I have re-on-boarded our Catalyst switches into the dashboard. I think there have been some updates to the on-boarding, as all of my stacks on-boarded first time with all members of the stacks. Previously on the odd occasion, some members wouldn't show in the dashboard. Also, clients connected on non-managed vlans and port-channel interfaces are also showing correctly, previously it seemed to only show clients on the switch on-boarded vlan interface. So Kudos to Meraki to continue to develop both on-boarding and monitoring of Catalyst switches. If Meraki are taking requests, could you please add a 'recommended IOS version' for each of the on-boarded switches to alert us of a suggested upgrade for them, and ideally add the functionality to perform the upgrade to the IOS similar to the current options for Meraki switches, i.e. Now or Schedule it. ... View more