Meraki

Community

About RH6379

Re: PC behind Meraki MX84 could not communicate with DNS servers on other s...

by in Security & SD-WAN
‎Nov 20 2018 10:01 AM
‎Nov 20 2018 10:01 AM
We weren't able to ping the DNS servers or run an nslookup against them.  After further investigating, the CheckPoint firewall wasn't seeing communications from that IP coming over the tunnel so the rules dropped that.  Also, there was a high number of dns queries coming in so it got flagged by the checkpoint as suspicious activity.  The CheckPoint sees the new IP of the laptop as coming over the tunnel so it's being allowed.     @mat1458 wrote: If the MX is the DHCP server the incomplete ARP is not likely to be the issue since the traffic is routed and ARP is only necessary for the default gateway IP address in the local VLAN. It looks to me as if something in the DHCP processing on the client side as gone wrong. Did you do an ipconfig /all (or whatever the OS of the client might need to display the IP config) to see if the DNS servers and the Default Gateway were present in the PC?  If everything is/was ok, could/can you ping the DNS server? Are you able to able to ping devices in proximity to the DNS server?   ... View more

PC behind Meraki MX84 could not communicate with DNS servers on other side ...

by in Security & SD-WAN
‎Nov 20 2018 8:23 AM
‎Nov 20 2018 8:23 AM
We had an issue yesterday where a PC at a remote site could not communicate with the DNS servers at our HQ over the VPN tunnel we established between the MX84 at the Remote Site and the CheckPoint Firewall at HQ.  The MX84 is the DHCP server and we manually entered the IP Addresses for the DNS servers to assign to the clients.  All clients except for this one worked.  I ended up resolving the issue by assigning the workstation a different IP Address in the Workstation VLAN through a Reservation on the MX84 DHCP Settings.  Then, it worked just like the others.  Could the issue with the original IP communications not being sent across the VPN tunnel be an incomplete arp entry or something else?  I've only seen this a handful of times in my 20+ year career, but never really resolved it other than changing the IP Address.  We rebooted the MX84, but that didn't help either. ... View more

Re: Inbound Site-To-Site VPN Firewall Rules Are Getting Removed

by in Security & SD-WAN
‎Oct 12 2018 10:53 AM
‎Oct 12 2018 10:53 AM
Meraki support told me today that they don't support site-to-site VPN inbound firewall rules even though it's there on the dashboard under Security appliance>Site-to-site VPN. They suggested I submit a feature request.  When I asked why I should have to submit a feature request for an option that's on their dashboard, their response was:   "It was an engineering team's decision and sorry about the confusion. If you need further assistance, please let me know or call Support Hotline at 415-937-6671."     ... View more

Inbound Site-To-Site VPN Firewall Rules Are Getting Removed

by in Security & SD-WAN
‎Oct 12 2018 8:18 AM
‎Oct 12 2018 8:18 AM
We set up a VPN tunnel from our MX84 in our Phoenix office to a checkpoint firewall in our HQ.  On the MX84, I have outbound vpn firewall rules that allow a PC in phoenix to communicate to 4 individual servers at HQ over any protocol.  I have a 5th rule that is a deny any any.  I disabled the default outbound rule that is a allow any any. On the inbound VPN firewall rules, I created rules to permit the 4 servers we're allowing outbound access to to talk to the pc.  I also disabled the default inbound rule that is allow any any.   If I navigate away from that page and then go back to it, all the rules I created in the inbound VPN firewall are gone. I'd like to know why this is happening and if it's a normal function of the MX84 or if have run into a bug.   I opened a ticket with Meraki Support. ... View more
© 2025 Cisco Systems, Inc.