Dashboard Alerts - Configuration Issues
Overview
These are the Configuration Issues alerts, their triggers, and troubleshooting steps indicated by the alerts. Please refer to the Alerts article to learn more.
Misconfigured DNS
Triggers
Meraki devices rely on DNS to resolve dashboard URLs. If a device reports issues with its DNS configuration, typically the device is not receiving responses to DNS requests. This alert may also be phrased as "DNS is Misconfigured."
Troubleshooting Steps
To find the source of the issue, check:
- Firewall rules blocking traffic to or from the DNS servers being used or traffic to UDP port 53.
- Routing traffic to or from the DNS servers.
- Invalid responses back from the DNS server.
- Take a packet capture on an upstream device to see what traffic the device is sending and receiving.
- For larger networks, filter for the device's IP address or MAC address and download the .pcap file.
If there are no firewall rules blocking DNS traffic and there aren't issues with routing traffic, try working around the issue by changing the DNS servers to a working public resolver on the DHCP server. Have the Meraki devices request another IP or set the IP manually, and set the DNS servers to a known working public resolver.
Uplink IP Address in Conflict with Another Device
Triggers
This alert means that another device in the network is also using the same IP address as the Meraki device.
Troubleshooting Steps
To resolve this problem, ensure all devices have unique IP addresses in a network. The Network-wide > Monitor > Clients list may help pinpoint the duplicate IP addresses in use:
- Open the clients list by navigating to the client page Network-wide > Monitor > Clients.
- Find a client with an IP address that matches the one shown in the alert.
Both devices—the device showing the alert and the other device using the same IP address—will struggle to reach the internet until this problem is resolved.
Bad IP Assignment Configuration
Triggers
This alert means a bad static IP or an incorrect VLAN tag with DHCP is being assigned to the Meraki device. Typically, network hardware will simply not work if you assign a bad IP address to it. Meraki devices, however, will automatically switch back to DHCP (automatic IP assignment) so that it can check in to the cloud and alert you about the problem if at all possible.
Troubleshooting Steps
- Make sure that the Gateway you have entered is correct and online.
- If the device has had a working static IP, make sure the IP address is still valid.
- Verify if the IP, Subnet mask and Gateway are correct for the subnet to which the AP is attached. Make sure there are no extra spaces in your settings (including leading, trailing, or between characters).
- The Primary DNS is valid and reachable (we recommend using Google Public DNS at 8.8.8.8 and 8.8.4.4).
- Check if the wrong VLAN tag is used for DHCP.
- Check the local status page - often times the local status page gives more detailed error output to help resolve the problems during troubleshooting.
- Perform packet captures to confirm ARP requests are replied to, from the upstream gateway.
- Reboot the hardware - sometimes the MAC address for the internet port can get stuck on network hardware and clear out after a set period of time. Rebooting network equipment helps speed up this process.
- Switch to DHCP. The error message will only be displayed if the Meraki device has found another working IP address. If you switch the IP assignment to DHCP instead of static IP, the device will use the current addressing. The error will go away over time. You should only specify a VLAN tag if you know what it should be.
Device(s) VLAN Mismatch
Triggers
A management VLAN mismatch triggers this alert. This is when there is a mismatch between operational, configured, and global management VLAN ID (see Switch Settings). This alert may also be phrased as "The device is using a DHCP IP address from VLAN X instead of using configured VLAN Y."
Troubleshooting Steps
- Make sure the device is not using a VLAN different from what is configured for its management interface.
- Make sure the device management VLAN is not configured with a different VLAN from what is configured under Switching > Configure > Switch settings. For more information, refer to Switch Settings.
Port(s) VLAN Mismatch
Triggers
This feature utilizes Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) packets from the past 3 hours to determine which switch ports are connected. If any two connected switch ports belonging to Meraki switches are in the same dashboard organization, the switch port VLAN configurations are compared.
Usually, a VLAN mismatch occurs:
- After connecting a switch that is not pre-configured to the existing Meraki switch infrastructure.
- When a network administrator changes the port VLAN settings.
If any mismatch is found in native, allowed, or access VLANs, both switches will display device-level alerts in the dashboard. The switches will continue displaying the alert until the VLAN mismatch is resolved. The alert hub will display only one alert for VLAN mismatch between two switches.
Currently, VLAN mismatch detection is supported on Meraki switches in the same organization. VLAN mismatch detection is not supported for other Meraki devices (MR, MX, and others) and non-Meraki devices.
Troubleshooting Steps
Make sure both ports allow the same VLANs. Refer to VLAN Mismatch Alerts for Meraki Switches to learn more about how to correct a VLAN mismatch error.
Guided Troubleshooting Flow
VLAN mismatch troubleshooting flow reduces time to resolution for our customers by easing manual tasks, simplifying the configuration process, and dynamically detecting errors.
Easing Manual Tasks
Guided VLAN mismatch troubleshooting flow displays switches' current configuration and allows administrators to fix the issue from the troubleshooting panel without needing to navigate to different pages on the dashboard.
Simplifying the Configuration Process
This feature allows configuring all the settings on the alert hub and in some cases, the feature also displays suggested configurations derived from the configuration of the two switches alerting on VLAN mismatch. Users can apply these suggested settings by selecting the Accept suggestion button.
Note: Suggested configurations account for safety and security to make sure the suggested configuration does not cause any disruption for connected devices after applying it. Carefully review the suggestions and make sure it meets your organization’s security requirements.
Dynamic Error Detection
The feature auto detects and warns users if the new configuration is incorrect before saving the new configuration on the widget. The warnings make issue resolution more intuitive.
The logic behind VLAN mismatch troubleshooting flow suggested fix:
Outdated/Unreachable Configuration
Triggers
When a configuration change is made in the dashboard, but the Meraki device can't download that change. This alert may also be phrased as "Configuration is out of date".
Troubleshooting Steps
Before contacting support, try these options:
- Give the alert at least 5 minutes to resolve naturally. In this time, check to see if any changes to the network are taking hold. For example, change the password on an SSID and see if a phone can associate with the new password (refer to Access Control).
- Try rebooting the device. In some cases, this can resolve a configuration fetch issue.
- If possible, try a different connection to the internet to rule out an upstream network problem.
If the above fails, open a support case for further assistance.
Regulatory Domain Mismatch
Triggers
Access points have their regulatory body set when they are ordered. As an example, an access point (AP) purchased in the US will have the regulatory domain of the Federal Communications Commission (FCC), dictating which channels can be used on the device.
Troubleshooting Steps
- Be sure the public IP and the order region of the access point match. Check if the management traffic uses a VPN to another country. As a test, avoid using that VPN and see if the problem is resolved.
- If the above options are not possible, contact support to begin an investigation on the next steps.
Country/Region Mismatch
Triggers
Refer to the "Using Geo-IP to Automatically Update Regulatory Domain" section of MR Regulatory Domains (Legacy Version).
Troubleshooting Steps
Refer to the "Using Geo-IP to Automatically Update Regulatory Domain" section of MR Regulatory Domains (Legacy Version).
Country Detection Mismatch
Triggers
Refer to the "Using Geo-IP to Automatically Update Regulatory Domain" section of MR Regulatory Domains (Legacy Version).
Troubleshooting Steps
Refer to the "Using Geo-IP to Automatically Update Regulatory Domain" section of MR Regulatory Domains (Legacy Version).
Manual Country Mismatch
Triggers
Refer to the "Using Geo-IP to Automatically Update Regulatory Domain" section of MR Regulatory Domains (Legacy Version).
Troubleshooting Steps
Refer to the "Using Geo-IP to Automatically Update Regulatory Domain" section of MR Regulatory Domains (Legacy Version).
Switch Received High OSPF Routes
Triggers
The count of dynamically learned routes crosses the limit a switch can support.
Troubleshooting Steps
Make sure the count of routes advertised by the Open Shortest Path First (OSPF) neighbors is within the limit of the Cisco Meraki switch. For more information on the number of routes supported by Cisco Meraki switches, refer to the "Supported Models "section of MS Layer 3 Switching and Routing.
Misconfigured Switch
Triggers
A switch is part of a stack configuration, but that stack configuration does not match what is actually physically connected.
Troubleshooting Steps
If the dashboard stack configuration is correct, make sure the physical stack setup matches the dashboard configuration and vice versa. Refer to Managing Stack Members and Physical Switch Stack Configuration Steps.
Unconfigured Switch
Triggers
A switch has been physically made part of a stack, but the stack has not been configured in the dashboard.
Troubleshooting Steps
If the physical stack is correct, make sure the dashboard stack configuration matches the physical setup (see Switch Stacks).
Switch Not Connected to Stack
Triggers
A switch is part of a stack configuration but is not physically part of the stack.
Troubleshooting Steps
Make sure the physical stack matches the dashboard stack configuration (see Switch Stacks).
AFC Missing Height Configuration
Triggers
The height information is missing in the AFC database where an AP is installed. This information is needed as the criteria for higher transmit power limits are heavily dependent on the location of the APs and it will be a requirement for the APs to check in to the database with their location.
Troubleshooting Steps
Complete missing height information.
AFC Request or Response Unsuccessful
Triggers
Attempts to request information from the AFC database were unsuccessful or a response was not received. If an AP is not able to check in with the AFC database, it will default to using low-power mode transmit power thus limiting the coverage from the AP.
Troubleshooting Steps
Check the AP communication to gateway and check other APs to ensure it is not widespread problem.
Unable to Fetch Configuration
Triggers
Refer to Meraki Cloud Communication Issues.
Cannot Connect to the Device via SSH or NETCONF
Triggers
This is a Cloud Management - Hybrid Mode error.
The triggers can be:
- Dashbboard is unable to perform NETCONF operations on the device through the Meraki tunnel, and the Meraki tunnel interfaces are UP
- Dashbboard is unable to access the device via SSH through the Meraki tunnel, and the Meraki tunnel interfaces are UP.
Troubleshooting Steps
Contact Meraki support for further troubleshooting.
Device Firmware Mismatch
Triggers
When software updates (or firmware upgrades) occur, not all of them go smoothly. If a device fails to upgrade, the dashboard will notice the difference in the version set for the device versus the version that is actually installed and running.
Troubleshooting Steps
- Wait 30 minutes. Sometimes a firmware download can take a while on a slow connection, and if it fails when the speeds are low it can take even longer.
- Reboot the hardware. This will reset any wait period before trying the software update again.
- If waiting and rebooting the hardware do not resolve the error message, contact support in the app by opening a case.
Host Overflow
Triggers
If the current number of routed clients exceeds the maximum routable client limit for the specific switch model.
Troubleshooting Steps
Refer to MS Switch FAQ for details on the maximum routable clients limit per switch model.
Line VTY Configuration Issue
Triggers
This is a Cloud Management - Hybrid Mode error.
The device must have 4 unused consecutive VTY slots. These VTY lines will be provisioned and secured for only the dashboard to access the device on these lines.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
SISF Based Device Tracking Not Enabled
Triggers
SISF-based device tracking is disabled by default.
Troubleshooting Steps
You can enable it by defining a device tracking policy and attaching the policy to a specific target. Refer to Configure SISF-Based Device Tracking.
Safe Mode Active
Triggers
When the “Enable Safe Mode” option is enabled on the local status page.
Troubleshooting Steps
This feature is used to help enable troubleshooting the device and should be turned off when finished.
Missing Config Options
Triggers
The system is currently blocking serving the bad config to this device. Missing required fields for a proper config.
Troubleshooting Steps
Check and validate all required port config fields.
Device is Running an Unsupported Firmware Version
Triggers
Device is running a firmware version that is no longer supported.
Troubleshooting Steps
Update firmware to a supported level.
Device's Gateway Mismatch
Triggers
When a device’s gateway does not match the majority of other devices on the network.
Troubleshooting Steps
Check and validate gateways settings.
Radar Detected
Triggers
This is a DFS event and it has detected RADAR in the environment.
Troubleshooting Steps
DFS should hop off the channel and select a non radar sharing channel. You can also manually exclude those channels identified so as not to have an issue in the future.
Unknown Config Options
Triggers
These errors will appear as an alert on the device (just like invalid config).
Troubleshooting Steps
The details of the error will indicate which fields were not in the config inventory.
VLAN Prefix Shortage Occurred
Triggers
When Prefix Starvation occurs, which is when the MX detects it does not have enough prefixes from a given WAN or manual configuration to assign a /64 prefix to each IPv6 enabled VLAN.
Troubleshooting Steps
Check and validate IPv6 settings.
MX is Over Recommended Tunnels
Triggers
More tunnels have been defined than is recommended for the model.
Apple MDM APNS Certificate May Have Expired
Triggers
Apple MDM certificate needs attention.
Troubleshooting Steps
- Download Meraki CSR file from Organization > MDM page.
- Log in to Apple's Push Notification Portal with the same Apple ID used to create the current push certificate.
Note: If the Apple ID is not known, review "I Forgot Which Apple ID was Originally Used." Not using the original Apple ID (and therefore the original Apple Push certificate) would result in losing management of the previously enrolled devices. - Find the expiring certificate, and select Renew (do not revoke expiring certificate, nor create a new certificate).
- Upload CSR downloaded as per Step 1.
- Download renewed certificate from Apple, and upload into Dashboard.
- Enter/Confirm Apple ID used to log-in to Apple's push notification portal (highly recommended).
Apple MDM APNS Certificate Has Expired
Triggers
Apple MDM certificate needs attention.
Troubleshooting Steps
- Download Meraki CSR file from Organization > MDM page.
- Log in to Apple's Push Notification Portal with the same Apple ID used to create the current push certificate.
Note: If the Apple ID is not known, review "I Forgot Which Apple ID was Originally Used." Not using the original Apple ID (and therefore the original Apple Push certificate) would result in losing management of the previously enrolled devices. - Find the expiring certificate, and select Renew (do not revoke expiring certificate, nor create a new certificate).
- Upload CSR downloaded as per Step 1.
- Download renewed certificate from Apple, and upload into Dashboard.
- Enter/Confirm Apple ID used to log-in to Apple's push notification portal (highly recommended).
Apple MDM APNS Certificate Will Expire Soon
Triggers
Apple MDM certificate needs attention.
Troubleshooting Steps
- Download Meraki CSR file from Organization > MDM page.
- Log in to Apple's Push Notification Portal with the same Apple ID used to create the current push certificate.
Note: If the Apple ID is not known, review "I Forgot Which Apple ID was Originally Used." Not using the original Apple ID (and therefore the original Apple Push certificate) would result in losing management of the previously enrolled devices. - Find the expiring certificate, and select Renew (do not revoke expiring certificate, nor create a new certificate).
- Upload CSR downloaded as per Step 1.
- Download renewed certificate from Apple, and upload into Dashboard.
- Enter/Confirm Apple ID used to log-in to Apple's push notification portal (highly recommended).
No IMEI Detected
Triggers
During enrollments or re-enrollments, Systems Manager uses a variety of uniquely identifying values from clients to attempt to determine a device's hardware identity for pairing against it's Systems Manager identity. On mobile devices, this is usually the IMEI (International Mobile station Equipment Identity). This alert triggers when a device’s IMEI cannot be detected.
Troubleshooting Steps
It's recommended to contact the manufacturer or reseller of the device, as a missing IMEI will impact the device's ability to connect to the cellular grid.
Duplicate IMEI Detected
Triggers
If Dashboard detects a collision of these values for enrolled or enrolling devices, an alert may be displayed with a link to filter the clients list down to those devices which are suspected. These values are important for both SM and other software; on mobile devices, these values can affect the device's ability to connect to the cellular grid.
No Device Identifier Detected
Triggers
During enrollments or re-enrollments, Systems Manager uses a variety of uniquely identifying values from clients to attempt to determine a device's hardware identity for pairing against it's Systems Manager identity. On desktop machines, this is usually the BIOS UUID (Universally Unique Identifier). On mobile devices, this is usually the IMEI (International Mobile station Equipment Identity). This alert triggers when a device’s UUID or IMEI cannot be detected.
Troubleshooting Steps
It's recommended to contact the manufacturer or reseller of the device, as a missing IMEI or UUID will impact the device's ability to connect to the cellular grid.
Duplicate Device Identifier Detected
Triggers
If Dashboard detects a collision of these values for enrolled or enrolling devices, an alert may be displayed with a link to filter the clients list down to those devices which are suspected. These values are important for both SM and other software; on mobile devices, these values can affect the device's ability to connect to the cellular grid.
Endpoint Management - Enrollment Auth Disabled
Triggers
Enrollment authentication is disabled.
Bad Enable Password
Triggers
This is a Cloud Management - Hybrid Mode error.
If dashboard is unable to access the device's cloud console during the initial onboarding process, this may be due to the username, password or enable password provided during onboarding cannot authenticate to the device.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
No 4 Consecutive VTY on the Device
Triggers
This is a Cloud Management - Hybrid Mode error.
The device must have 4 unused consecutive VTY slots. These VTY lines will be provisioned and secured for only the dashboard to access the device on these lines.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
Configuration Error
Triggers
This is a Cloud Management - Hybrid Mode error.
The configuration for the device is out of date.
Troubleshooting Steps
Contact Meraki support for further troubleshooting.
Cloud is Not Able to Login to Device via Cloud Console
Triggers
This is a Cloud Management - Hybrid Mode error.
If dashboard is unable to access the device's cloud console during the initial onboarding process, this may be due to the username, password or enable password provided during onboarding cannot authenticate to the device.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
Wrong Console Credentials
Triggers
This is a Cloud Management - Hybrid Mode error.
If dashboard is unable to access the device's cloud console during the initial onboarding process, this may be due to the username, password or enable password provided during onboarding cannot authenticate to the device.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
SSH Error Authentication
Triggers
This is a Cloud Management - Hybrid Mode error.
Dashboard is unable authenticate SSH with the device using the dashboard provisioned device local meraki-user account.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
Console Error Connection
Triggers
This is a Cloud Management - Hybrid Mode error.
Dashboard is unable to connect to the device's cloud console through the Meraki tunnel, and the Meraki tunnel interfaces are UP.
Troubleshooting Steps
Contact Meraki support for further troubleshooting.
SSH Error Connection
Triggers
This is a Cloud Management - Hybrid Mode error.
Dashboard is unable to access the device via SSH through the Meraki tunnel, and the Meraki tunnel interfaces are UP.
Troubleshooting Steps
Contact Meraki support for further troubleshooting.
NETCONF Error Connection
Triggers
This is a Cloud Management - Hybrid Mode error.
Dashboard is unable to perform NETCONF operations on the device through the Meraki tunnel, and the Meraki tunnel interfaces are UP.
Troubleshooting Steps
Contact Meraki support for further troubleshooting.
Console Error Authorization
Triggers
This is a Cloud Management - Hybrid Mode error.
To complete the onboarding configuration with the cloud console, the username provided during onboarding must have authorization for all the required onboarding configuration commands.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
SSH Error Authorization
Triggers
This is a Cloud Management - Hybrid Mode error.
Dashboard is unable authorize commands via SSH with the device using the dashboard provisioned device local meraki-user account. AAA settings on the device must permit the meraki-user account to authorize the commands used for onboarding.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
AAA New-Model Not Enabled
Triggers
This is a Cloud Management - Hybrid Mode error.
The device must use AAA new-model for device access control. This mode allows the dashboard to securely access the device.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
SSH Encryption Algorithms Not Supported
Triggers
This is a Cloud Management - Hybrid Mode error.
The following SSH encryption algorithms are supported by the dashboard:
- aes128-gcm@openssh.com
- aes256-gcm@openssh.com
- aes128-ctr
- aes192-ctr
- aes256-ctr
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
IPv6 ACL Conflicts in HTTP Server
Triggers
This is a Cloud Management - Hybrid Mode error.
Dashboard utilizes the HTTP secure server interface to read telemetry data from device. If your HTTP services are restricted by an IPv6 access control list, you must update the ACL to permit access from the Meraki tunnel interface subnet FD0A:9B09:1F7:1::/64.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
SSH Port or Rotary Conflicts with Cloud
Triggers
This is a Cloud Management - Hybrid Mode error.
Dashboard must provision the following command on the device in order to set the 4 configured VTY lines to be access able on port 2222.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
AAA Authorization Conflicts in NETCONF
Triggers
This is a Cloud Management - Hybrid Mode error.
During onboarding, dashboard will check the device AAA default authorization method list begins with 'local.'
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
User 'meraki-tdluser' Exists on Device
Triggers
This is a Cloud Management - Hybrid Mode error.
If you have previously added and then removed your device from dashboard and the dashboard provisioned usernames were not removed from the configuration, dashboard will fail to configure these usernames if they already exist in the configuration.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
User 'meraki-user' Exists on Device
Triggers
This is a Cloud Management - Hybrid Mode error.
If you have previously added and then removed your device from dashboard and the dashboard provisioned usernames were not removed from the configuration, dashboard will fail to configure these usernames if they already exist in the configuration.
Troubleshooting Steps
Refer to Troubleshooting Dashboard Connectivity to Catalyst 9800 Wireless Controllers to learn how to remediate this error.
NETCONF Error Authorization
Triggers
This is a Cloud Management - Hybrid Mode error.
Dashboard is unable to authorize NETCONF with the device using the dashboard provisioned device local meraki-user account. AAA settings on the device must permit the meraki-user account to authorize. Additional information may be available in the device log (show log). Verify there are no NETCONF aaa authorization conflicts.
Troubleshooting Steps
Contact Meraki support for further troubleshooting.
Organization Self Signed SCEP Certificate Has Expired
Triggers
The certificate is no longer valid.
Troubleshooting Steps
To renew your Self Signed SCEP CA Certificate, you will simply need to download the CSR file available on the dashboard under Organization > MDM > SCEP CA Certificate Configuration. Once downloaded, you can sign the certificate with your Certificate Authority and re-upload it to the Dashboard. You will see an alert on Dashboard to renew your custom Third Party Signed SCEP cert if it is set to expire soon.
Refer to MDM Settings.
Organization Self Signed SCEP Certificate Will Expire Soon
Triggers
The certificate will expire soon.
Troubleshooting Steps
To renew your Self Signed SCEP CA Certificate, you will simply need to download the CSR file available on the dashboard under Organization > MDM > SCEP CA Certificate Configuration. Once downloaded, you can sign the certificate with your Certificate Authority and re-upload it to the Dashboard.
Refer to MDM Settings.
IOS XE configuration out of sync
Triggers
One or more dashboard required IOS XE configurations are missing. Dashboard will provision these configurations when IOS XE hybrid mode switch is added to a network. These configurations are required to allow the dashboard to enable Cloud-Managed Catalyst hybrid mode switches and will need to be re-applied for dashboard management.
Troubleshooting Steps
Update IOS XE with the following configurations based on the missing configuration alert.
- Access Control Lists (ACLs) for Meraki Cloud Access
ip access-list standard MERAKI_MGMT_IP_IN
20 deny any
ip access-list extended MERAKI_MGMT_IP_OUT
20 deny tcp any any
ipv6 access-list MERAKI_MGMT_IPV6_IN
sequence 10 permit tcp FD0A:9B09:1F7:1::/64 FD0A:9B09:1F7:1::/64 eq 2222
sequence 20 deny tcp any any
ipv6 access-list MERAKI_MGMT_IPV6_OUT
sequence 20 deny tcp any any
- Configuration change notification and logging for Cloud CLI
archive
log config
logging enable
notify syslog contenttype xml
- Device tracking policy on ports for client tracking
device-tracking policy MERAKI_ACCESS_TRACK
limit address-count 1000
security-level glean
tracking enable
device-tracking policy MERAKI_NO_TRACK
trusted-port
security-level glean
no protocol ndp
no protocol dhcp6
no protocol arp
no protocol dhcp4
device-tracking policy MERAKI_TRUNK_TRACK
limit address-count 32000
security-level glean
- EEM policy for Cloud CLI
event manager applet MERAKI_SHOW_RUN_EXEC
event cli pattern "show running-config" sync yes
action 1.0 if $_cli_username eq meraki-cli-ro
action 1.1 cli command enable
action 1.2 cli command $_cli_msg
action 1.3 puts $_cli_result
action 1.4 set _exit_status 0
action 2.0 else
action 2.1 set _exit_status 1
action 3.0 end
- ip flow exporter for client tracking
flow file-export default
file max-create-interval 5
file max-count 2
flow exporter MERAKI_TA1
destination local file-export default
export-protocol ipfix
option interface-table timeout 300
- ip flow exporter for traffic analysis
flow file-export default
file max-create-interval 5
file max-count 2
flow exporter MERAKI_TA2
destination local file-export default
export-protocol ipfix
option interface-table timeout 300
- ip flow monitor for client tracking
flow monitor MERAKI_TA1_V4_IN
exporter MERAKI_TA1
cache timeout inactive 300
cache timeout active 300
record MERAKI_TA1_V4_IN
flow monitor MERAKI_TA1_V4_OUT
exporter MERAKI_TA1
cache timeout inactive 300
cache timeout active 300
record MERAKI_TA1_V4_OUT
- ip flow monitor for traffic analysis
flow monitor MERAKI_TA2_IPV4
exporter MERAKI_TA2
cache timeout inactive 300
cache timeout active 300
cache entries 65536
record MERAKI_TA2_HTTP_SSL_IPV4
- ip flow record for client tracking
flow record MERAKI_TA1_V4_IN
description meraki_ta1_ingress
match application name
match interface input
match ipv4 source address
collect counter bytes long
collect counter packets long
collect datalink dot1q vlan input
collect datalink mac source address input
collect flow direction
flow record MERAKI_TA1_V4_OUT
description meraki_ta1_egress
match application name
match interface output
match ipv4 destination address
collect counter bytes long
collect counter packets long
collect datalink dot1q vlan output
collect datalink mac destination address output
collect flow direction
- ip flow record for traffic analysis
flow record MERAKI_TA2_HTTP_SSL_IPV4
match application name
match connection client ipv4 address
match connection server ipv4 address
match connection server transport port
match flow observation point
match ipv4 protocol
match ipv4 version
collect connection client counter bytes network long
collect connection client counter packets long
collect connection initiator
collect connection new-connections
collect connection server counter bytes network long
collect connection server counter packets long
collect flow direction
collect interface input
collect interface output
collect timestamp absolute first
collect timestamp absolute last
- HTTP server configuration
ip http secure-server
! Only apply the config when there is not any authentication config for http server
ip http authentication local
! Only apply the config when there is HTTP ACL rule for IPV4(The IPV4 rule blocks IPV6 traffic. It is a device bug.)
ip http access-class ipv6 MERAKI_MGMT_IPV6_IN
- device tracking policy on interfaces [xxx, xxx]
interface xxx
device-tracking attach-policy MERAKI_ACCESS_TRACK
- ip flow monitor on interfaces [xxx, xxx]
interface xxx
ip flow monitor MERAKI_TA1_V4_IN input
ip flow monitor MERAKI_TA1_V4_OUT input
- default IPv6 route with distance 2 for Meraki tunnel
ipv6 unicast-routing
- Global LLDP configuration for neighbor information
lldp run
- Telemetry subscription and receiver configurations for event logs
telemetry ietf subscription 10000
encoding encode-tdl
filter tdl-uri /services;serviceName=stkm_oper/stack_info
receiver-type pullmode
source-vrf Mgmt-vrf
stream native
update-policy periodic 6000
receiver name meraki_stack_info
telemetry ietf subscription 10002
encoding encode-tdl
filter tdl-uri /services;serviceName=iosevent/syslog_msg
receiver-type pullmode
stream native
update-policy on-change
receiver name meraki_syslog_msg
telemetry receiver pullmode meraki_stack_info
size 1000000
telemetry receiver pullmode meraki_syslog_msg
size 50000000
- Local users (meraki-cli-ro or merakicli-rw) for Cloud CLI
username meraki-cli-ro view MERAKI-MONITOR secret 9 xxx
username meraki-cli-rw privilege 15 view MERAKI-CONFIG secret 9 xxx
ip ssh pubkey-chain
username meraki-cli-ro
key-hash {KEY_HASH}
username meraki-cli-rw
key-hash {KEY_HASH}
Contact Meraki support if the IP SSH key configuration needs to be configured on your IOS XE device.
parser view MERAKI-CONFIG inclusive
secret 9 xxx
commands configure exclude all parser
commands configure exclude all archive
commands configure exclude all ntp
commands configure exclude all timezone
commands configure exclude all clock
commands exec exclude all clock
commands exec exclude all show memory
commands exec exclude all show tech-support
parser view MERAKI-MONITOR
secret 9 xxx
commands exec include traceroute
commands exec include ping
commands exec include terminal width
commands exec include terminal length
commands exec include terminal
commands exec exclude all show memory
commands exec exclude all show tech-support
commands exec include all show
- Syslog SNMP traps for event logs
logging snmp-trap 0 4
logging history informational
snmp-server enable traps syslog
- SNMP traps for config change notification
Contact Meraki support for this configuration to be re-applied.
- Log level configuration for syslog-events
logging syslog-events informational
vMX Incompatible Firmware
Triggers
A vMX that is running 'on-prem' on a Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) appliance and has it's network firmware set to a version of MX firmware below MX 19.2.
Troubleshooting Steps
Upgrade the configured network firmware version to be above MX 19.2 on the Organization > Firmware Upgrades page.