Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About cabricharme
cabricharme
Getting noticed
Member since Apr 19, 2023
3 hours ago
Community Record
23
Posts
5
Kudos
2
Solutions
Badges
2 weeks ago
I hear you on simplicity, security and reliability. One reason to use a switch like that is because we have it... 🙂 The other - to counter ISP's assertion of "you have a lot of errors on your side" and get port error stats from a switch that can collect and report them. (Generally, get a little better visibility into WAN traffic.) Yet another: ease of configuration and testing. Configure two ports for one ISP circuit, another two - for the 2nd one, another - for a cellular uplink, isolate them all, see them all...
... View more
2 weeks ago
2 Kudos
Thank you, that deck helped tremendously. I don't have enough networking background to translate everyone's suggestions into actual configuration settings, and that deck more or less did it.
... View more
2 weeks ago
2 Kudos
Thanks for all the help! After a few back-and-forth with Meraki support, and studying the "MX, MS - WAN Breakout Switch designs" slide deck suggested by ww in this thread (thank you!), the following crystallized: Type: in short, all relevant switch ports should be set to "access". VLAN: the ports connecting to the ISP circuit and to MX WAN ports should have their VLAN set to something unique on the network, and specific to the ISP circuit. This way if the switch is used for anything other than connecting one ISP circuit to the MX, the WAN traffic stays isolated to that VLAN. Manageability. It's also recommended to set up a 3rd port (also "Access"), connect it to a LAN port (e.g. on the MX) and set it to the network's management VLAN so that the switch can remain manageable if the ISP circuits goes down. The LAN port should be configured the same way. In more detail: Minimal configuration (Absolute minimum baseline settings; the switch can still be manageable if properly configured for internet access) 2 ports on the switch are both configured as "access", "VLAN 994" (or some other VLAN unique to the network and specific to the ISP circuit; e.g. for our two circuits we use 991 and 992) one of these ports goes to the ISP circuit, the other - to MX WAN port That's it. Everything else remains the same, i.e. if the internet was working through that uplink when the circuit was connected directly to the MX w/o a switch - this configuration should work as well. Recommended configuration (a minimum of 3 switch ports are configured) The switch however may become unmanageable in the previous "minimal" configuration and disconnect from Meraki dashboard, unless it can get its own IP from the ISP circuit via DHCP, or be set to a valid static IP. To make it manageable and accessible regardless of whether it's connected to any ISP circuits, set up another port for manageability and connect it to one of the LAN ports - e.g. on the MX appliance itself: Set up another port on the breakout switch for management traffic. Type: "access", VLAN should be set to whatever your local management VLAN is... MX LAN port: "access", same management VLAN. MX's own LAN ports are configured in a special place - not under the "appliance status" where WAN ports are configured, but under "Per-port VLAN Settings" in "Security & SD-WAN" - "Configure" - "Addressing & VLANs". (This took a bit to figure out.) Hope this helps someone in a similar boat, and who needs as much hand-holding as I did.
... View more
2 weeks ago
A breakout switch between the MX and the ISP should be working as layer 2 only. Please make sure there is not L3 interface configured. Thank you. Not sure what this means in terms of where to go in the switch configuration and what to change, to ensure the switch stays in L2 mode. If it means "there is not L3 interface configured" - then what does that mean in terms of Interface (switch port?) configuration? The recommended configuration is to have a copule of ports in access mode. Assuming (for now) the switch will only have two connections - to the ISP circuit, and to the MX100, does this mean both of those should be in access mode? If you are using other ports on the switch, is recommended if are trunk interfaces to prune the VLAN. Ex. use ports 1 and 2 for ISP modem and MX100, both in access VLAN 999. In any other trunk port in the switch do not allow VLAN 999. I hope it makes sense. The switch is dedicated to just being the breakout switch, i.e. no plans to use it for other tasks. This means ports other than the primary ones (one - to the ISP circuit, the other - to MX100's WAN port) can be used for two purposes only: management - connect to MX100's LAN port to ensure the MS220 switch remains manageable even if the ISP circuit drops testing and diagnosis - if there are issues with the ISP circuit, to ensure there can be a direct connection to it that bypasses MX100, yet that does not require disconnecting the MX100 With all that in mind - does something like this make sense, and does it look secure enough? Scenario 2: breakout switch MS220-8, 3 connections: Port 1: to ISP circuit Port 2: to MX100 WAN port Port 3: to MX100 LAN port (for management) Configuration: MS220-8 Port 1: to ISP circuit 1 Type: Access VLAN: 991 (not present anywhere else on the network) MS220-8 Port 2: to MX100 WAN 1 port Type: Access VLAN: 991 MS220-8 Port 3: to MX100 LAN port (for management) Type: Trunk Native VLAN: ? Allowed VLANs: none? MX100 WAN 1: VLAN ID: 991? IP config: (specific to the ISP circuit) MX100 LAN port (e.g. 5): no configuration options available Switch management: via MX100 LAN port Thanks again!
... View more
2 weeks ago
The cable modem is using a plain routed address block, like a /29? If it is passing through PPPoE then you may have issues. Two ISP circuits in play: a cable modem (Spectrum Business) + 4-port router with DHCP, with static IPs that come with the service a so called "DIA" circuit from Frontier with a RAD ETX-203ax "demarcation" device - with a /29 address block. Either one is working OK when connected directly to the MX100. I'd like to put a "breakout" switch(es) between the circuits and the MX, and configure everything securely. Got a good response from Meraki support: The first thing you will need to take care of is the switch configuration. The switch can get its management from the LAN of the MX, unless you want it to always be reachable even if the MX is down, in which case you will need to assign it a public IP from the same pool the MX is getting. The ports that are assigned to the ISP circuit will be configured as access ports on a VLAn that will not be used on the LAN. Depending if you assign a public IP to the switch or not, the management of the switch will be statically configured on that VLAN, otherwise it will get the management from your vlan of choice from the MX. No configuration changes will be needed on the MX and you will need to connect cabling accordingly to the selected ports for the ISP circuit on the switch. ... although still have trouble translating it to actual configuration steps. So far my "translation" into configuration steps or options is as follows: Scenario 1: breakout switch MS220-8, only two connections: ISP circuit, MX100 MS220-8 Port 1: to ISP circuit 1 Type: Access VLAN: 991 (not present anywhere else on the network) MS220-8 Port 2: to MX100 WAN 1 port Type: Trunk Native VLAN: not configured (empty) Allowed VLANs: all MX100 WAN 1: VLAN ID: not configured (empty) IP config: (doesn't matter - whatever works for that specific ISP circuit, including DHCP) Switch management: via static IP configured for the ISP circuit Does the above sound right, and does it comply with best practices in terms of security and manageability? Should port 2 on the switch be configured as "Trunk" and no VLAN configuration? Scenario 2: breakout switch MS220-8, 3 connections: ISP circuit, MX100 WAN port, MX100 LAN port (for management) MS220-8 Port 1: to ISP circuit 1 Type: Access VLAN: 991 (not present anywhere else on the network) MS220-8 Port 2: to MX100 WAN 1 port Type: Trunk Native VLAN: not configured (empty) Allowed VLANs: all MS220-8 Port 3: to MX100 LAN port (for management) Type: Trunk Native VLAN: not configured (empty) Allowed VLANs: all MX100 WAN 1: VLAN ID: not configured (empty) IP config: specific to the ISP circuit MX100 LAN port (e.g. 5): no configuration options available Switch management: via MX100 LAN port Ditto, does this configuration look OK? Does the LAN port connection from MX100 to switch (and thus, directly to the ISP circuit) make the configuration vulnerable in any way? Lastly, is it possible to connect two different ISP circuits to the switch, and then connect each to a respective WAN port on MX100? (I am assuming the two connections would need to be isolated via VLANs?)
... View more
2 weeks ago
Connecting MX100 directly to a broadband uplink device (e.g. a cable modem) generally works, however placing a switch such as MS220 between MX100 and the broadband uplink is causing issues: the broadband uplink stops working (100% loss, no DHCP) and the switch itself disconnects from the dashboard. What are the "minimum working" (baseline) settings for the switch to get it to work between MX100 and a broadband connection? Some of the questions that come to mind: What should the switch's VLAN be set to? What VLAN (if any), and what port settings (trunk? access? does it matter?) are recommended for upstream (broadband device) and downstream (MX100) connections on the switch? Given MX100 ports do not appear to have VLAN configuration options, should VLAN be configured at all for the switch and its ports? Thank you!
... View more
3 weeks ago
Thanks - that makes sense! (Except perhaps that the tunnel should still work when VPN is active-active over two uplinks? In other words why does it stop working if VPN is active-active on two uplinks, the peer is to set up to an IP on, say WAN 2, and the primary uplink is switched to WAN 1?) (Leaving the main question unsolved as I'd still like to get answer to that, too - how to determine the timestamp of the last successful connection over a non-Meraki VPN peer.)
... View more
3 weeks ago
We just tried switching the primary uplink back to the secondary WAN (WAN 2) - and the peer came up. (We changed the primary uplink to WAN 1 from WAN 2 last week trying to stabilize our site-to-site VPN which was frequently going down. I didn't help - but didn't seem to make things worse other than today's discovery of the VPN peer being down.) Guess the peer is somehow hard-wired to a specific uplink being the primary one? (Traffic is load balanced between uplinks, VPN "active-active" status doesn't seem to matter, nor does "immediate" vs. "graceful" failover. Is there a way to configure it to work regardless of which uplink is primary? P.S. The original question still stands though, how to track down the time a VPN peer went down or was last successfully used.
... View more
3 weeks ago
What logs / events should I look at it, to determine the last time a non-Meraki VPN peer was successfully used? (Please walk me through this as I am new to Meraki, and don't have a lot of experience with it or site-to-site VPNs.) Context: there is one non-Meraki peer in our site-to-site VPN setup, along with a number of Meraki peers. that non-Meraki peer is showing red (down), likely due to our attempts to troubleshoot poor VPN and internet connectivity and change a few things. On the "VPN Status" page, there's no indication (at least as far I can tell) of when it went down, or when it was last up We're trying to track down which change brought that non-Meraki VPN peer down, and having the timestamp of the last successful connection would be very helpful The appliance is MX100 on our side Thank you!
... View more
Labels:
- Labels:
-
Other
Apr 4 2024
1:01 PM
Done before I even posted here. As I mentioned in my original post, the goal of this thread was to rule out me doing something wrong, or known Meraki (mis)behavior. Looks like it's neither - which is strange given seemingly a lot of orgs using Meraki, VLAN GPs, and allow-listing being a common tool to troubleshoot issues. Thanks for the help with this!
... View more
Apr 4 2024
12:40 PM
Yes, thank you, saw it. In other words, the behavior I am describing (if I am describing it accurately) - is unexpected, runs counter to Meraki docs, and does not represent a known bug?
... View more
Apr 4 2024
12:30 PM
Sorry that I am so slow. You're saying that explicitly allow-listing a device in a VLAN with a GP applied to it will have no effect with respect to active VLAN Group Policy rules. Does that sound right? (That - despite "Policy - Show Details" showing no Layer 3, 7 or traffic shaping rules applied to the device at all...) (It doesn't sound right to me - it's not what Meraki docs say - but OK. Let's assume for a second you're right.) What I am saying is this: Allow-list a device. Observe the traffic still being blocked. Add a random "deny" rule to the Group Policy. (Adding such a rule should not allow any traffic from anywhere to anywhere, least of all from/to non-existent IP addresses... correct?) Observe the previously blocked traffic now flowing. How does this make sense?
... View more
Apr 4 2024
12:18 PM
I am not sure how to read it, or what it means for my case. If allow-listing a device is not supposed to work at all due to "network default" policies, then why does making an unrelated change to a group policy all of a sudden allow-lists the device anyway? (See "how to reproduce" step 4 above.)
... View more
Apr 4 2024
11:22 AM
1 Kudo
We ran into several cases where flipping a device in the client list from "normal" (Group Policy applied) to "allow-listed" (no rules) has no effect. (That is, until there's some other unrelated change to the same appliance - and only then it kicks in...) Is there something I've missed in the instructions or documentation, or perhaps I am encountering a known bug, or doing something wrong? We followed Meraki "Blocking and Allowing Clients" instructions to allow-list a device. Steps to reproduce: Locate a device where the applied group policy doesn't allow certain traffic, e.g. no ICMP or other traffic from another device. Allow-list the device following Meraki "Blocking and Allowing Clients" instructions Observe the traffic still being blocked. (Elapsed time doesn't matter, it will be still blocked e.g. 24 hours later unless some other change triggers the allow-listing to take effect.) Make a change to e.g. a group policy on the same security appliance and save it. (The policy does not have to be related to the device in question, it can be entirely unrelated and not scoped for the device in question. Reversing the GP change does not change this behavior.) Once the change is applied (10-30 seconds), observe the allow listing to take effect, as well: the traffic is now allowed. (The same is true in reverse: flipping the device from "allow-listed" to "normal" takes no effect until some other change is made.) Anyone else is seeing this? (The device is MX67, firmware MX 18.107.2 (marked "Up to date" by Meraki)) Thanks!
... View more
Mar 28 2024
4:44 PM
Adding IP address ranges for CRLs (Certificate Revocation Lists) to Layer 3 firewall "allow" rules fixed the issue. The CRL FQDNs and IP ranges were provided by the application vendor. The mystery: these FQDNs and IPs did not show up in the packet capture during the failure - unless I did not capture the traffic or search the packet capture correctly.
... View more
Mar 22 2024
1:00 PM
Packet capture (during an induced failure) shows a TLSv1.2 "Certificate Unknown" error to a specific endpoint, however testing that endpoint's certificate in the browser or via PowerShell on the affected server (where the validation appears to be failing) shows no red flags - the endpoint is reachable, the certificate valid. TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 2
Alert Message
Level: Fatal (2)
Description: Certificate Unknown (46) We'll work with Meraki and application vendor support to keep troubleshooting the issue.
... View more
Mar 19 2024
12:22 PM
Thank you! I did see that document while googling around - and don't yet see how it could be helpful in figuring out what part of Meraki (or any other configuration) results in certificate validation failures - and only when Meraki firewall is enabled. (I am not even sure how it works: why would Meraki get itself in the middle of a cert validation process?)
... View more
Mar 19 2024
12:12 PM
In multi-site all-Meraki environment with a site-to-site VPN, we're getting "TLS certificate validation failed: error 75788" errors in a specific application, when Meraki firewall is enabled, e.g.: :STD: 2024-03-12T12:07:18.76048 ERROR 0/<Aloha01>:4 RdfServerClient [WW] Command result 'e95*****-1**c-4**1-8**b-f*********6' failed to send
nsoftware.SecureBlackbox.SecureBlackboxHttpclientException: Failed to post data
[SBHTTPSClient.EElHTTPSConnectionShutdownError] TLS certificate validation failed: error 75788; the connection will be terminated (100353/0x18801) ---> SBHTTPSClient.EElHTTPSConnectionShutdownError: TLS certificate validation failed: error 75788; the connection will be terminated This seems to affect just one application out of a gazillion we use. Any idea what could be causing this? Notes: The errors are isolated to a specific application, NCR Command Center. The application is effectively a C&C (Command & Control) center akin to MS Server Manager, it "talks" to "clients" in remote sites and asks them to do things like display the contents of a file system, execute a certain command, send a message, restart the client, etc. (tried asking on the application support forum - didn't get too far) All other applications and services do not seem to be affected, and it's a whole lot of them: active directory, RDS, vSphere/vCenter/ESXis, file transfers, etc. When Meraki firewall is temporarily dropped, the errors and the issues go away. See nothing in Meraki logs, and nothing in its firewall or other configuration that could be causing this. The issue started around February 2024, and so far we could not quite correlate it with any configuration changes or other events. The application appears to be using N Software Secure Black Box application libraries for those TLS connections. N Software does have a KB article describing the issue (thanks @alemabrahao!) - yet it doesn't explain why would cert validation work w/o Meraki, and stop working with it. I am not sure which TLS certificate is failing validation by the application. Is there a good way to figure this out? Is it Meraki's, or the the application's? Is it that Meraki firewall is dropping (very) specific TLS packets that result in failed validation? Anything to do with TLS version and Meraki not supporting some of the older, vulnerable ones? (There is this: "FAQ: Meraki Authentication to Require TLS 1.2 or Later Version" - yet it affects wireless devices only, it seems, and the devices in question are all on a wired network.) I am not the network admin - more of a generalist - but do have read-only access to our Meraki systems. Thanks for any ideas! P.S. If no specific root cause comes to mind, would love for you to try and assist me in isolation and troubleshooting: Is there an easy way to see which certificate fails to get validated? Is there an easy way to see which TLS version is being used by the application?
... View more
Labels:
- Labels:
-
Firewall
Apr 19 2023
12:16 PM
What I was looking for was something like this: Go to the Meraki dashboard for the site where the target host is located. (Not needed for single site configurations, required for multi-site ones.) Go to "Network-wide" - "Event Log", choose "for security appliances" at the top: In "client" field, put a MAC address belonging to the host at issue. Hit "search", see what comes up. In our case, this pointed to the root cause: misconfigured "content filtering" rules (or their misbehavior - I still can't wrap my mind around why they are behaving the way they are). Bottom line, for people who aren't too deep into networking or not too familiar with Cisco and Meraki, a little hand-holding goes a long way while RTFM links rarely work. Hope this helps someone else in a similar situation.
... View more
Apr 19 2023
11:45 AM
When searching event logs for "security appliances" and filtering them by the target MAC addresses (thanks @alemabrahao), we see events such as: Apr 19 11:16:14 <MAC address> Content filtering blocked URL url https://localhost.localdomain/..., server <IP address>:54664, category User-defined Blacklist ... which somewhat explains the blocking. (Why "somewhat": other ESXis don't seem to be blocked despite having the same configuration including the "localhost.localdomain" part.) Per our network admin, group policies have been set up a long time ago by a vendor and likely need to be revisited and reconfigured. Adding needed IPs to the "allow list" clearing the blocking - so looks like we're good for now. Thanks!
... View more
Apr 19 2023
10:47 AM
Thanks. I could really use some hand-holding here... (Asking specific questions and hoping for specific answers as opposed to RTFM links.) Re: event logs. Does this sound right? no free form text search, e.g. "give me all the events for this source or target IP"? (It needs to be IPs and not MACs because the blocking has been confirmed to be IP-based.) ("download as" only exports the current page, with no way to export all events for further analytics or free form text search?) In the case where a connection is dropped from some IPs but not others involving multiple switches, how would one search for relevant events? (Please be as specific as possible. Please no RTFM links.) (Say, my desktop's IP is A.B.C.1 and the connection to the target IP:port is dropped. If I change it to A.B.C.2, the connection is not dropped. What is the likeliest culprit in the Meraki universe and how would I search for relevant events, specifically?) Thanks!
... View more
Apr 19 2023
9:16 AM
Hi all, New to Cisco and Meraki, started a sysadmin job a bit over a month ago that is heavy on networking - not something I've been exposed to before. Have a peculiar problem that we can't yet figure out - hope you can point me in the right direction. We have a VMware ESXi server on the network that most of the other computers on the network cannot access where the connection is immediately dropped with "The connection was reset", "ERR_CONNECTION_RESET" to port 443 on the target. (Pinging and SSH-ing into it - works fine. It's just port 443.) Dozens of other ESXi hosts on the network with identical network configuration - have no issues. Just this one. Question: on a network where all switchgear is Meraki (MS225-48FP, MS250-48FP, MX100-HW, MS220-8-HW, MX64, etc.), how do we figure out where that connection is dropped, i.e. which device and which policy? Some context: Only port 443 (i.e. https://<IP address>) appears to be affected. ICMP, SSH (port 22) - work fine from the same machine that cannot access port 443 on the target. Some hosts on the network - can access port 443 on the target, and some (most) - can't. Changing the target IP address (in case there's a policy selectively blocking that IP from various parts of the network) didn't help. Changing the ports on the switch to which the target is wired (in case the ports are misconfigured or have a blocking policy we somehow can't see) - didn't help. Resetting the network configuration on the ESXi (via "reset to factory defaults" and then setting the static IP, gateway, etc. to what they were before) - didn't help, same exact behavior. My usual MO in a case like this would be put the host in a known good subnet and test there. I haven't yet tried it as this requires some help from my fellow IT people - yet my hunch is that the box itself is fine and the issue is outside of it - likely in the switch or other network configuration. We have dozens of identical ESXi hosts on identical hardware connected to identical switches with identical policies - and they all have no connectivity issues. There is even an identical ESXi host physically right next to the problematic one, on the same subnet, wired to the same switch, with an identical DNS and network configuration (with the exception of the actual IP address, of course) - no issues. The problem is quite critical: our VCSA (vCenter appliance) can't connect to the ESXi host over port 443, and thus it's effectively offline. Per my IT team, the problem has existed for a while. They had other things to work on, and I was basically handed this issue knowing very little about the network configuration, what can cause such an issue, and how to troubleshoot it. I.e. "here is an issue; go fix it". Tools available to me: Meraki dashboard with read-only access to the entire network configuration including individual ports. I can ask my network admins to make changes (but can't make them myself). Physical access to the rack where the hardware is located. Questions: Where in Meraki dashboard could I see events, log entries indicating a connection to port 443 on the target was dropped (if one of the Meraki devices or policies is responsible for it)? If this is the right question to ask, would you be willing to help me craft the right search criteria to ID those events? What are the usual best practices in troubleshooting this type of an issue? What are the usual tools used to pinpoint which device or policy is responsible for dropping a network connection to a known good target? E.g. I am trying to access port 443 on a specific IP from my desktop, there are 4 switches in-between, the connection is not working (dropped). If I connect directly to the target (with a crossover cable or something) - it's fine. How do I figure out where on the network the connection is dropped, i.e. what is responsible for dropping it? (trace route, ICMP, SSH indicate no issues in the network connection) If none of the above questions is the right one to ask, what would be the right question(s)? 🙂 Thank you!
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 223 | 2 weeks ago | |
| 665 | Mar 28 2024 4:44 PM |
My Top Kudoed Posts
© 2024 Cisco Systems, Inc.
