@MerakiDave wrote: To expand the wireless coverage, I would turn off the wireless on the MX-W and deploy a pair of APs.  I would not recommend adding an AP to an MX-W network, that would give you a split wireless configuration, it would be like managing two separate wireless networks, one via the MX-W and the other on the AP, so better to simply use 2 APs.   Yeeeep, I have clients who refuse to buy an additional AP, so 2/3 of their office is on actual APs, 1/3 is on the MX-W's SSID.   Then they complain about bad performance when, say, walking around the office, because it's two wireless networks that they transition between. It's a bad scene! Either MX + APs, or if you have to, an MX-W. Not both. ... View more

If you've reached a point where you need a pair of firewalls, is there a specific reason why you wouldn't move to separate APs as well? From a performance aspect, I'd personally recommend separate AP(s) and disable SSIDs on the firewalls. The APs have much nicer wireless bells and whistles. ... View more

I've run into a problem recently where some ISPs (mostly cable) have done something to their ISP-provided equipment, and it prevents the IPSEC tunnel from forming. Mediacom is my local culprit, and their only fix offered is "buy your own router w cable modem". Same behavior you describe: Cellphone hotspot or other separate connection, VPN works. On the cable internet, VPN does not work, returns 789.   Have you reached out to your ISP and asked pointed questions?  ... View more

@PhilipDAth wrote: I quite like using wired 802.1x.   Then you can simply search by username. Ugh yes please. My clients are not a fan of wired 802.1x sadly.   Love being able to search things by username. Not sure who that VPN client is? You can tell by user name. Wireless client on 802.1x? User name. ... View more

@BlakeRichardson wrote: @No_Traffic Just remember though keeping the dashboard up to date with devices names is a constant task not just a once off. Given that I work at an MSP We check on a monthly to quarterly basis to ensure that our bare minimum port names are accurate. I.E., uplink/downlink to network equipment. For only a few devices, it's very fast.   Now if you'll excuse me, I need to go do it on about 150 across a bunch of clients... I can't figure out how to automate it well when there's seven vendors' equipment and many clients with 4 devices! ... View more

@No_Traffic wrote: OK thanks everyone.   I do have a lot of the ports tagged (printers, WAPs) and the CEO, CFO, and receptionist desk and conference rooms.  I'm just trying to plan ahead when we start reopening the office and I need to troubleshoot connectivity and I'm at home in my pajamas.  🙂 Let me put it this way... if you're allowed to access the dashboard via a browser on your cellphone...   You can do a lot of troubleshooting without leaving bed, when everything's labeled well. The other way to set yourself up for success may involve roping in whomever manages your wires. If you've got a patch panel, label it and label your wall jacks to match. An accurate patch panel, some tagged and described switchports, named clients, and practice explaining? You can fix almost anything. ... View more

Oh yeah. @BlakeRichardson has some good stuff.   Name your clients if they don't have reliable names.   Name your ports. Absolutely name your uplinks and downlinks.  ... View more

I'm usually in a situation where my user doesn't have access to the switches and I'm 5-200 miles away. 🙂 My usual process is: 1. Find out the mac address if I can. 2. Check for that mac addr in the client list. 3. If mac addr exists, check client to see if a switchport is listed. 4. If no dice, proceed to... See if user can trace cable and get access to switches: 1. Look at diagram of how the front of the switch looks. Practice teaching someone how to identify the port number. 2. Label your switches somehow, so you and the user can say "port 14 on switch ATL-MO-5" and understand. 3. Ask client to try port num whatever. If switchport is not shutdown, tell you if blinkenlights appear. 4. Check switchport to see if you're seeing the client, on the dashboard. 5. Adjust switchport as necessary. 6. Check for client communication again. ... View more

Bit sideways to your actual question, but do you know the mac addresses of the printers? If you can find that out, you can check the clients on switch and find out which switchport the switch sees a given mac address on. ... View more

When you say Meraki-Meraki, do you mean two MX within the same organization using AutoVPN, or do you mean as third party VPN peers?   If you mean third party VPN, then it doesn't matter what model is at the other end of your tunnel.   Event-log wise, I'm only seeing single phase 2 negotiations on the tunnels I'm reviewing. Not like an ASA where you get a child policy for every subnet.   What are you trying to do? ... View more

Do keep in mind that any third party peer will need to include ALL of your subnets that participate in VPNs, in their "interesting traffic". You can restrict what they get access to via your site-to-site outbound firewall. ... View more

Can you validate the power injector and switchport combo with another device that's known-good? Make sure the injector actually passes data?   Edit: I'm 100% assuming you want this boi to have a wired data link. 🙂 If not, follow @MerakiDave 's excellent advice. ... View more

As @Netwow states, you do have to have an adv security license. (But my company ONLY sells MX with adv security.)   I'm broadly speaking not a fan of country-based blocking, even though we do it at a few financial customers because it makes their auditors happy. I don't think it's effective in a day and age where anyone can buy a prepaid credit card and spin something up at a cloud provider.   I do think it's effective at accidentally breaking things, especially in the case of some of Microsoft's IP space. Or just preventing access to useful things and increasing the risk of shadow IT. ... View more

If you want to use a script, I recommend Philip's generator.   I strongly recommend using a PowerShell script for Win10. I definitely recommend re-installing the VPN. When you get a 789 error, deletion/reinstall is usually the fastest fix.   Also see if your end user is on Windows 10 1909 or not. If she's not, schedule an upgrade. ... View more

@Kamome wrote: I have both vMX and On-premise MXs, and I can't find L7 rules for countries neither of them. Could you show about that more particular? For on-premises MX, Go to Security Appliance -> Firewall Scroll to L7 rules.  Click add rule Scroll to bottom of drop down box to find countries You can also update this using the MX l7 Firewall calls in the Dashboard API.   ... View more

@PhilipDAth wrote: I think I have spotted what it is.  The orgs I am getting 429's on seem to belong to ones with API access disabled.  Normally you get a 404 for an API disabled org.   I'm thinking that once you have had a recent 404 that if another org also returns a 404 it gets changed to a 429.   That's fascinating and weird. Thank you for the heads up. ... View more

I'm not asking for secret sauce. Looks like we cross-posted. I'd like the information more easily accessible. There's an entire document about PCI compliance for MR, for instance. ... View more

@MerakiDave @CameronMoody Could we get a formal KB article from Meraki explaining this aspect of AutoVPN, for handing to auditors who have questions? That blog article doesn't specifically mention Diffie-Hellman from what I can see, and the auditor check list usually asks about DH groups.   Or some clarity could be added to this KB article, as AutoVPN is contrasted to the third party tunnels w/o mention of DH. Not stating anything about DH groups is not the same as an explanation of why DH groups are not needed for AutoVPN, when dealing with auditors.   Thank you!   Edit 9:58 CDT: I am now full of questions. Page 5 of the AutoVPN white paper specifically mentions DH groups. Which is it, please? And could this please be clarified in a KB article? I cannot easily hand a white paper to an auditor without them getting, as it were, annoyed. It's my job to minimally annoy my clients' auditors. ... View more

Typically, support for devices is managed by your network monitoring vendor. For instance, I use Auvik. Auvik uses a combination of SNMP monitoring and a coded-by-them Meraki cloud integration to monitor our clients' Meraki equipment.   Have you reached out to Zabbix regarding this issue? ... View more

I'd be delighted to be wrong, but all I'm seeing is getNetworkMerakiAuthUsers (all users) and getNetworkMerakiAuthUser (one user at a time). Nothing to create users or delete them.   Creating and updating via API would solve a problem for me, so long as one could authorize for client VPN... My boss would go for a widget that my helpdesk could use. My boss will not go for SAML, for reasons. ... View more

The MX is a stateful firewall. See: https://meraki.cisco.com/products/appliances  There's not a "management console" as you would traditionally see. You will have accounts for the Meraki dashboard that have access to the organization/network. You can set a password for the local status page, which gives you SOME access to the device config but it's minimal. The Meraki dashboard is a website like any other. If you want to enforce TLS 1.2 or above, you'll need to set that on your computers that are accessing the dashboard. Unfortunately, as I understand it, we can't run the local status page over https - it's http only. Rec is disable local status page if you don't need it, when that's a problem. ... View more

Just here to bang the "follow the standards" drum too. Using the most specific path is so standard that I would not, frankly, ever expect to see a supernet given priority.   Not even a special supernet like the one used for templates. ... View more

@S_Ruffell_SBS wrote: Thanks for your reply @CptnCrnch . I feared this may be the answer and suspect that the only way to get VPN clients registered in DNS on the Win server may be to change to forwarding DHCP requests for VPN clients to the Win svr DHCP server. Was hoping to avoid this for other config reasons. I don't believe you can change what acts as the DHCP server for VPN clients.    See: ASA where AnyConnect has an ip pool that's defined on the device itself. ... View more