Hi all,
New to Cisco and Meraki, started a sysadmin job a bit over a month ago that is heavy on networking - not something I've been exposed to before. Have a peculiar problem that we can't yet figure out - hope you can point me in the right direction.
We have a VMware ESXi server on the network that most of the other computers on the network cannot access where the connection is immediately dropped with "The connection was reset", "ERR_CONNECTION_RESET" to port 443 on the target. (Pinging and SSH-ing into it - works fine. It's just port 443.) Dozens of other ESXi hosts on the network with identical network configuration - have no issues. Just this one.
Question: on a network where all switchgear is Meraki (MS225-48FP, MS250-48FP, MX100-HW, MS220-8-HW, MX64, etc.), how do we figure out where that connection is dropped, i.e. which device and which policy?
Some context:
Tools available to me:
Questions:
Thank you!
On MS you can check here: https://documentation.meraki.com/MS/Layer_3_Switching/Configuring_ACLs
On MX you can check here: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Using_Layer_3_Firewal...
And about event logs you can check here: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Event_Log
You can use a Packet capture tool for tshoot: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Packet_Capture_Overvi...
Thanks. I could really use some hand-holding here... (Asking specific questions and hoping for specific answers as opposed to RTFM links.)
Re: event logs. Does this sound right?
Thanks!
We need more information, like a topology, who is the default gateway, etc.
My suggestion for you is to open a support case, Meraki team support will assist you better.
What I was looking for was something like this:
In our case, this pointed to the root cause: misconfigured "content filtering" rules (or their misbehavior - I still can't wrap my mind around why they are behaving the way they are).
Bottom line, for people who aren't too deep into networking or not too familiar with Cisco and Meraki, a little hand-holding goes a long way while RTFM links rarely work. Hope this helps someone else in a similar situation.
If your traffic does not pass an MX you won't be able to see if traffic was dropped.
If it does pass an MX you will have to use syslog and point your MX to that for its flow logs and log all your deny rules to see what deny rule it matched.
When searching event logs for "security appliances" and filtering them by the target MAC addresses (thanks @alemabrahao), we see events such as:
Apr 19 11:16:14 <MAC address> Content filtering blocked URL url https://localhost.localdomain/..., server <IP address>:54664, category User-defined Blacklist
... which somewhat explains the blocking. (Why "somewhat": other ESXis don't seem to be blocked despite having the same configuration including the "localhost.localdomain" part.)
Per our network admin, group policies were set up a long time ago by a vendor and likely need to be revisited and reconfigured.
Adding needed IPs to the "allow list" cleared the blocking - so looks like we're good for now.
Thanks!
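The event-log search described in the last post can be repeated offline over exported log text. This is an added example, not part of the original thread or of any Meraki tooling: the line layout is assumed from the single event quoted above, and the sample lines, MAC addresses and IPs are constructed.

```python
import re
from collections import defaultdict

# Layout assumed from the one event quoted in the thread:
# "<Mon DD HH:MM:SS> <MAC> Content filtering blocked URL url <URL>, server <IP>:<port>, category <name>"
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"Content filtering blocked URL url (?P<url>\S+), "
    r"server (?P<server_ip>[0-9.]+):(?P<server_port>\d+), "
    r"category (?P<category>.+?)\s*$"
)

# Constructed sample lines (documentation-range MACs and IPs, not from the thread).
SAMPLE_LOG = """\
Apr 19 11:16:14 00:00:5e:00:53:01 Content filtering blocked URL url https://localhost.localdomain/ui/, server 192.0.2.10:54664, category User-defined Blacklist
Apr 19 11:16:15 00:00:5e:00:53:01 Content filtering blocked URL url https://localhost.localdomain/sdk, server 192.0.2.10:54670, category User-defined Blacklist
Apr 19 11:17:02 00:00:5e:00:53:02 Some other event type, not content filtering
Apr 19 11:18:40 00:00:5e:00:53:03 Content filtering blocked URL url https://example.test/, server 192.0.2.20:51000, category User-defined Blacklist
"""

def parse_blocks(text):
    """Return one dict per content-filtering block event; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize(events):
    """Group blocked URLs by (MAC, category) so the rule list doing the blocking stands out."""
    summary = defaultdict(set)
    for e in events:
        summary[(e["mac"].lower(), e["category"])].add(e["url"])
    return {key: sorted(urls) for key, urls in summary.items()}

def blocks_for_mac(events, mac):
    """Events for one device, mirroring the MAC filter used in the dashboard search."""
    return [e for e in events if e["mac"].lower() == mac.lower()]

if __name__ == "__main__":
    for (mac, category), urls in summarize(parse_blocks(SAMPLE_LOG)).items():
        print(f"{mac}  [{category}]  {len(urls)} blocked URL(s): {', '.join(urls)}")
```

Running the same summary for a working host and a failing host with identical configuration shows whether only one of them is matching the blocked category.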