Thank you! Would you happen to know why that note wouldn't have been in there already? Just seemed odd that there was info relating to virtual MACs on switches, but not on MX appliances. In any case, much appreciated for getting it added. Hopefully it will help someone in the future 😄 ... View more

Out of curiosity, is this something that Meraki even details in official KBs or docs anywhere? The closest things that I could find for virtual MACs didn't detail those specific "cc:03:d9" octets as the tell-tale indicator to be mindful of if one found themselves hunting. I happened upon this thread as I was trying to track down what is apparently a virtual MAC. It was only after I got a reply on a case I had opened about this mysterious address that I was told it was a virtual MAC associated with one of my MX devices. After searching, your answer was the top result time and again.   ... View more

So I had gotten an update from Meraki with the case I've had open that there was a permanent fix as part of the current stable release candidate firmware, ver. 18.105. I updated one of my smaller networks to it last night, which is running an MX64, and to my surprise,  there are no longer spammy event logs in the Meraki dashboard for that network's "Security Appliance" section as there have been. Additionally, none of the DCs that I have configured in the "Active Directory" tab for that network are showing a "WMI error message", but shockingly are showing "Success". Finally, I'm not seeing spammy logs on any of those DCs detailing the DistributedCOM source, nor the associated "The server-side authentication level policy does not allow the user <User> <SID> from address <address> to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application." I have yet to test this to confirm that it is actually the fix, but if anyone else has time to weigh in if they get a chance to test it, I think many people would be most appreciative. Meraki may have nipped this in the nick of time. ... View more

Here we all are, over a year into many of us having this issue, and Microsoft is going to begin enforcing this in March - DCOM changes first released in June of 2021 become enforced. See https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26414 and https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c.   Are we all just basically screwed if they don’t get this figured out, since there will be no way to disable it, and since we are all likely past the point of using a firmware version that did work? I cannot fathom how they haven’t worked this out ... View more

If you're referring to your post from 6-22-2022, I did actually try that, as Meraki had recommended something similar, while simultaneously referencing their https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Configuring_Active_Directory_with_MX_Security_Appliances#Create_an_Active_Directory_Site article and suggesting that it was something mis-configured on our DCs.   It did not change anything in terms of the behavior, and Meraki has acknowledged months ago (at least to me on my case) that this was a known issue related to their firmware that they are still working on. ... View more

Been seeing the same thing since July of this year, and have had a case open since then.   Was most recently advised to update to the stable beta candidate of 17.10.1, problem persists. Something I did notice was that for a 2016 DC that I have, there were "connected to domain controller" event logs that started populating within Meraki after updating the associated network to 16.16.5. However, it did not change the fact that there are still persistent event logs showing up on the DC itself, nor the fact that within the Dashboard, the DC in question still shows a "WMI error" status. On a related note, I also have a 2022 DC that is in the same network as the 2016 DC, and after the upgrade to the 16.16.5 firmware, it was still spamming "cannot connect to Domain Controller" events in Meraki, as well as the "server-side authentication level policy" / "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY" messages on the DC itself. Anyone else having any luck ? ... View more