Dashboard Alerts - Connectivity Issues
Click 日本語 for Japanese
Overview
This document list all the alerts available under Connectivity Issues alert category, their triggers, and troubleshooting steps. Please refer to Alerts article to learn more.
802.1X failure
Triggers
The "Recent 802.1X Failure" alert will be displayed if the periodic access-request messages sent to the configured RADIUS servers are unreachable, using a timeout period of 10 seconds. For more information refer to Alert - Recent 802.1X Failure.
With RADIUS testing enabled, all RADIUS servers will be tested by every node at least once per 24 hours regardless of test result. If a RADIUS test fails for a given node it will be tested again every hour until a passing result occurs. A subsequent pass will mark the server reachable and clear the alert, returning to the 24 hour testing cycle.
Troubleshooting Steps
Please refer to RADIUS Issue Resolution Guide for detailed troubleshooting flow.
VPN problems on SSID
Trigger
If the tunnel connection between MR and MX is not functioning properly the access point will show this alert.
Troubleshooting Steps
Please refer to the Service set identifier (SSID) Tunneling and Layer 3 Roaming - VPN Concentration documentation for more information. Make sure the upstream firewall is not blocking any of the UDP ports used for the VPN registry.
Unreachable Device(s)
Triggers
Unreachable or Has never connected to the Meraki dashboard alerts are usually triggered due to a problem in the path from the node to the Meraki cloud. Since the node is no longer able to communicate with the Meraki cloud, the dashboard reports it through the alert.
Troubleshooting Steps
Click the answer to the questions posted in the interactive guide below or review this documentation.
Are there any outages currently reported in status.meraki.net?
Current Outages reported
Monitor the status.meraki.net page for further updates while waiting for a fix.
No current outages reported
Most likely the node is unable to communicate with the Meraki cloud due to a problem in the intermediate path. You will need to troubleshoot this problem from the node itself, as the dashboard is not able to collect data from the node at this moment.
If you have multiple offline devices on a given site, please identify the one that is closest to your ISP to continue the troubleshooting. You can review how your topology looks like navigate to Network-wide > Monitor > Topology and use the L2 - Link layer view.
Physically check the device's LEDs.
Is the Device ON?
Device's OFF
Please test a different power source. If the issue persists, please take a picture of the device where the serial number is visible and share it with the Meraki support team, along with the other symptoms.
Device is ON
Can you open the Local Status Page page?
You can check the document Using the Cisco Meraki Device Local Status Page for instructions to open the local status page for each kind of device.
Can't access the Local Status Page
Please reboot the device and wait ~15 minutes to see if the device checks in.
Also, please try again to open the local status page.
Did the device become online after the reboot?
Yes, device is online after reboot
To avoid the issue from happening again, please ensure your device is running the latest firmware available. In case the device is already running the latest firmware and you want to troubleshoot this further please wait for the next occurrence of the problem and contact Meraki support while the issue is happening and you have physical access to the device.
No, device is still offline
Please factory reset the device and wait ~15 minutes to see if the device checks in.
After a factory reset the device will lose any static IP configuration. Review the LAN IP section of the node's details page to reconfigure it if needed.
Did the device become online after a factory reset?
Yes, device is online after factory reset
To avoid the issue from happening again, please ensure your device is running the latest firmware available. In case the device is already running the latest firmware and you want to troubleshoot this further please wait for the next occurrence of the problem and contact Meraki support while the issue is happening and you have physical access to the device.
No, device is still offline
Try accessing the local status page again, if the local status page is still unreachable please contact the Meraki support team while you have physical access to the device.
After a factory reset the credentials to access the local status page will be the serial number (upper case letters and dashes) with no password.
Yes, I connected to the Local Status Page
Do you see any alert?
Yes, I see something's not right
Review the details of the alert and see the potential next steps:
| Error | Suggestions |
| This <device-type> does not have a working DNS server. | It means the DNS configured on the device is not responding or is not reachable. Confirm the device is using the right DNS server and the communication between them is not blocked. |
| This <device-type> is not connected to the Internet. |
The node is having problems reaching the internet. The node tests internet connectivity by trying to reach by ICMP and HTTP to canireachthe.net and 8.8.8.8, ensure there are no intermediary devices blocking this communication. |
| This <device-type> is not connected to the Cisco Meraki cloud. |
The device is not able to reach some/all of the IP/ports specified in the help ? > Firewall info table available in your dashboard. Please confirm there are no intermediary devices blocking any of them. Also ensure you don't have SSL inspection in any upstream device, as this prevents the node from synchronizing with the backend. SSL inspection should not apply to any of the Ports and IPs listed on the Firewall Info page. |
Try to fix the network environment until you no longer see any alert.
If you are not sure what needs to be fixed and need further assistance, please collect the Support Data Bundle (SDB) and share it with the Meraki support team, along with screenshots of the local status page.
No Alert, the device states it is functioning normally
If you don't see an alert and the node is still offline in dashboard please collect the the Support Data Bundle (SDB) after that please reboot the device and wait ~15 minutes to see if the device checks in.
Did the device become online after the reboot?
Yes, device is online after reboot
To avoid the issue from happening again, please ensure your device is running the latest firmware available. In case the device is already running the latest firmware and you want to troubleshoot this further contact Meraki support team and share the SDB file that you downloaded in the previous step.
No, device is still offline
Please factory reset the device and wait ~15 minutes to see if the device checks in.
After a factory reset the device will lose any static IP configuration. Review the LAN IP section of the node's details page to reconfigure it if needed.
Did the device become online after a factory reset?
Yes, device is online after factory reset
To avoid the issue from happening again, please ensure your device is running the latest firmware available. In case the device is already running the latest firmware and you want to troubleshoot this further contact Meraki support team and share the SDB file that you downloaded in the previous step.
No, device is still offline
Please open the local status page again and collect a new Support Data Bundle (SDB), then contact the Meraki support team while you have physical access to the device. Also ensure you share both SDB files that you collected before.
After a factory reset the credentials to access the local status page will be the serial number (upper case letters and dashes) with no password.
Can't check, I'm remote
Open the selected offline node's page and check if the reported neighbor* in dashboard is a Meraki device online. If you are not sure where to find that information, select the your offline device type to find instructions:
Note: Keep in mind that this is the last neighbor reported by the offline node before it went offline. Somebody may have moved the offline node to a different neighbor while offline, so we wouldn't see the updated information in dashboard.
MR
Please navigate to Wireless > Monitor > Access Points > Click on the offline AP that'll be used to troubleshoot. Then go to the Ethernet section and check if you can see an online (green status) neighbor, and you have a hyperlink to it. If no hyperlink, it means the device is not a recognized Meraki device.
MX / MG / Z
Assume no Meraki neighbor detected.
MS
Please navigate to Switching > Monitor > Switches > Click on the offline switch that'll be used to troubleshoot. Then click on the last uplink reported:
After that, go down to the Status pannel to check the last known uplink neighbor, and see if it's green online. If no hyperlink, it means the device is not a recognized Meraki device.
MV
Please navigate to Cameras > Monitor > Cameras > Click on the offline camera that'll be used to troubleshoot. > Network tab. Then go to the Ethernet section and check if you can see an online (green status) neighbor, and you have a hyperlink to it. If no hyperlink, it means the device is not a recognized Meraki device.
Is the last known neighbor a Meraki online device?
Offline neighbor / No Meraki neighbor detected
Please go on-site to have physical access to the device to continue. Since the device is unable to contact the Meraki dashboard, you'll need to troubleshoot this from the device itself. Don't contact meraki support until you have physical access to the device.
Online neighbor Meraki device detected
Navigate to Network-wide > Monitor > Packet capture, and select the latest reported neighbor device and port and run a packet capture for 180 seconds.
Once that's done, open the file using wireshark.
Apply the filter: eth.addr == <node's-MAC-address>
Confirm you see device is getting an IP by dhcp, it is able to resolve DNS queries, you see bi-directional traffic to the Meraki cloud.
Note: You can find the Meraki cloud IP addresses on your dashboard, by navigating to ? > Firewall info.
If something's missing, fix as needed. If you have a hard time interpreting this info, please reach out to the Meraki support team and share the file.
How does the communication looks like in the capture?
I don't see any packets
In the event that you don't see any packets after applying the filter, it means the offline device is either powered off or it was physically relocated. Please go on-site and continue the troubleshooting flow once you have physical access to the offline device.
It looks normal
If you see a normal communication between the node and the Meraki cloud and the issue persists, please go-onsite to have direct access to the device and re-start the troubleshooting flow. At this moment the offline device is not able to communicate with the Meraki cloud, so we can't use the dashboard to troubleshoot further.
Additionally, accessing the Cisco Meraki Device Local Status Page may be required to perform offline troubleshooting steps, such as reviewing offline status details and alerts, configuring a static IP assignment to regain network connectivity, or gathering the Support Data Bundle (SDB) diagnostic logs to share with Cisco Meraki Support.
Note: If a device remains offline after troubleshooting via the local status page and further assistance is needed, it is recommended to collect the Support Data Bundle (SDB) and share it with the Meraki support team, along with screenshots of the Local Status Page.
Dormant Device(s)
Triggers
A sensor has not reported to the dashboard for more than a week.
Troubleshooting Steps
- Check the last reported battery of the sensor that is reporting as Dormant. If the battery% is less than 5%, its time to replace the batteries.
- MT10/12 uses 2 AA batteries
- MT20 uses a single AA battery
- Make sure that the MT sensor is in range of a qualified gateway (MV or MR)
- The signal strength to the gateway must be >-85 dBm for the sensor to communicate to the gateway. Note that even if the sensor data is not reported, the RSSI will still be recorded if a gateway is able to pick it up.
Device(s) has never connected to the Meraki cloud
Trigger
This alert indicates the device in question has, while assigned to the current account, never checked in with the Meraki Cloud controller. This is common to see straight away after a first-time setup and should be resolved after a few minutes. However, that is not always the case.
Internet Gateway Unfound
Triggers
This alert commonly occurs if a Meraki device has no gateway or IP address assigned (and cannot find one automatically with DHCP).
Troubleshooting Steps
- Ensure the device has a working and valid IP address from the DHCP server. If using a static IP, check and make sure this IP address works on a laptop as well. If not, the static IP information is likely incorrect and needs to be updated.
- If the device is not accessible from the dashboard follow the troubleshooting steps outlined in the Device(s) has never connected to the Meraki cloud section above.
Bad Internet Connection
Triggers
If a Meraki device is having problems contacting the Meraki cloud through your firewall, content filter, or proxy server, you will experience the following issues and alerts on your Meraki network and dashboard:
- Yellow connectivity icon on the devices list page and individual device detail page.
- Orange bars on the connectivity graph.
- "This device has poor connectivity to the Meraki controller, possibly due to an asymmetric firewall or network address translation (NAT) issue." is reported on the device details page in dashboard.
- Devices cannot connect to your network
Troubleshooting Steps
This is generally caused by an upstream firewall not using stateful packet inspection. In this instance, the Meraki device's TCP synchronize (SYN) packet is reaching the cloud. When the cloud responds to the Meraki device with a TCP synchronize acknowledge (SYN/ACK), it is dropped by the firewall. The Meraki device waiting on the TCP SYN/ACK never receives it. Therefore an acknowledgement TCP ACK from the Meraki device is never sent back to the controller to establish the TCP connection. This is called one-way traffic.
This issue can also be caused when you have two different routers connected to your LAN segment to route traffic to different networks. In this instance traffic from remote network enters the LAN from one router's interface and is sent to a LAN device. When the LAN device replies, it sends the reply to the other router's interface. The router receiving the frame discards the packet because it only sees half of the connection.
To isolate and potentially remedy these issues and alerts please try the following:
- Move your Meraki device to a different network segment where other devices are working and then analyze the difference in the path to the internet.
- Verify that your firewall or any other security devices within your network are not modifying the Meraki device's traffic.
- Allow your Meraki devices to bypass your firewall, content filter, proxy server or any other security devices.
- Make sure your firewall is performing stateful packet inspection which allows incoming packets if they are part of an established connection.
- Make sure you only have a single entry and exit interface on your LAN segment.
For more information on configuring your firewall to support the Meraki Cloud, please review this article: Upstream Firewall Rules for Cloud Connectivity.
Cannot Find a Gateway to the Internet
Triggers
The Meraki device is powered on but is not able to use its Ethernet connection or an MR is unable to mesh to another MR in the same dashboard network.
Troubleshooting Steps
If the device is expected to use its Ethernet port for connectivity to the internet:
- Confirm the device is establishing a link with the upstream device through its Ethernet port
- Confirm the device is receiving an IP address from the DHCP server or has a valid static IP assigned (see Static IP Assignment on a Cisco Meraki Access Point).
- Connect to a known working network connection with access to the internet
- A working internet connection would have access to the IPs, ports, and protocols defined under Help > Firewall info (Upstream Firewall Rules for Cloud Connectivity) in the dashboard and would be able to successfully pass the connection monitoring test (see Connection Monitoring for WAN Failover article)
If the network's design is expected to have an MR functioning as a mesh repeater (refer to Using a Cisco Meraki Access Point as a Mesh Repeater), confirm there is an MR in the same dashboard network that is within wireless range and strong enough of a signal.
Poor Connectivity to the Meraki Cloud
Triggers
When this alert is shown, it is due to a wrong configuration on network equipment (typically a firewall or a device performing NAT) that is supposed to let the Meraki device connect to the internet.
Troubleshooting Steps
This is generally caused by an upstream firewall not using stateful packet inspection. In this instance, the Meraki device's TCP SYN packet is reaching the cloud. When the cloud responds to the Meraki device with a TCP SYN/ACK, it is dropped by the firewall. The Meraki device waiting on the TCP SYN/ACK never receives it. Therefore an acknowledgement TCP ACK from the Meraki device is never sent back to the controller to establish the TCP connection. This is called one-way traffic.
This issue can also be caused when you have two different routers connected to your LAN segment to route traffic to different networks. In this instance traffic from remote network enters the LAN from one router's interface and is sent to a LAN device. When the LAN device replies, it sends the reply to the other router's interface. The router receiving the frame discards the packet because it only sees half of the connection.
To isolate and potentially remedy these issues and alerts please try the following:
- Move your Meraki device to a different network segment where other devices are working and then analyze the difference in the path to the internet.
- Verify that your firewall or any other security devices within your network are not modifying the Meraki device's traffic.
- Allow your Meraki devices to bypass your firewall, content filter, proxy server or any other security devices.
- Make sure your firewall is performing stateful packet inspection which allows incoming packets if they are part of an ESTABLISHED connection.
- Make sure you only have a single entry and exit interface on your LAN segment.
For more information on configuring your firewall to support the Meraki Cloud, please review this article: Upstream Firewall Rules for Cloud Connectivity.
Backup Cloud Connection Used
Triggers
The backup cloud connection is used when the primary connection fails. This helps Meraki devices to stay up to date even if there is a problem with the primary connection to the Meraki Cloud servers.
The backup connection can use port 80 or 443, but rest assured the data is encrypted despite how it is transported.
Troubleshooting Steps
Connecting to the Meraki Cloud is what allows Meraki device to show as online in the Meraki dashboard. For hardware to successfully check in with the Meraki Cloud controller, the following requirements must be met:
- The hardware must have a valid IP assigned. If DHCP does not automatically provide your hardware with an IP address, assign a static IP address to your device.
- UDP port 7351 must be allowed on any firewalls or devices upstream. The Meraki Go hardware uses the UDP on the referenced ports to check-in to the cloud.
For more information on configuring your firewall to support the Meraki Cloud, please review this article: Upstream Firewall Rules for Cloud Connectivity.
Meraki Cloud Communication Issues
Triggers
When this alert is shown, it is due to a wrong configuration on network equipment (typically a firewall or a device performing NAT) that is supposed to let the Meraki device connect to the internet.
Troubleshooting Steps
This is generally caused by an upstream firewall not using stateful packet inspection. In this instance, the Meraki device's TCP SYN packet is reaching the cloud. When the cloud responds to the Meraki device with a TCP SYN/ACK, it is dropped by the firewall. The Meraki device waiting on the TCP SYN/ACK never receives it. Therefore an acknowledgement TCP ACK from the Meraki device is never sent back to the controller to establish the TCP connection. This is called one-way traffic.
This issue can also be caused when you have two different routers connected to your LAN segment to route traffic to different networks. In this instance traffic from remote network enters the LAN from one router's interface and is sent to a LAN device. When the LAN device replies, it sends the reply to the other router's interface. The router receiving the frame discards the packet because it only sees half of the connection.
To isolate and potentially remedy these issues and alerts please try the following:
- Move your Meraki device to a different network segment where other devices are working and then analyze the difference in the path to the internet.
- Verify that your firewall or any other security devices within your network are not modifying the Meraki device's traffic.
- Allow your Meraki devices to bypass your firewall, content filter, proxy server or any other security devices.
- Make sure your firewall is performing stateful packet inspection which allows incoming packets if they are part of an established connection.
- Make sure you only have a single entry and exit interface on your LAN segment.
For more information on configuring your firewall to support the Meraki Cloud, please review this article: Upstream Firewall Rules for Cloud Connectivity.
Cellular Failover Active
Triggers
Loss of all wired uplinks, which includes but not limited to port down, device DNS/ping failures, and so on.
Troubleshooting Steps
- Verify the wired connection is up via the port status on the dashboard or via the port status LED on the device
- When there is a physical connection up perform tests via the dashboard under Security & SD-WAN > Monitor > Appliance Status > Tools
- Ping can be used to check if the appliance can reach IPs on the internet, local gateway, and so on
- When there is no physical connection up
- Check the cable connection and power to the modem
- Testing with new cables or known working cables
- When there is a physical connection up perform tests via the dashboard under Security & SD-WAN > Monitor > Appliance Status > Tools
- Contact the ISP
VLAN Disconnect
Triggers
Both switches in the Virtual route redundancy protocol (VRRP) setup listen to VRRP advertisements on all VLANs configured as layer 3 interface. When a switch fails to receive VRRP advertisements on any of these VLANs this alert is triggered.
Troubleshooting Steps
- Check if the ports between the primary and secondary devices are allowing all the VLANs. If not update the ports to allow all the VLANs.
- If VLANs are allowed run packet capture on those ports and check which VLAN is missing VRRP advertisement and contact Meraki support to further troubleshoot the issue.
VRRP failover
Triggers
This alert is triggered if the spare device becomes the primary. To learn more about how VRRP works please refer to the MS Warm Spare (VRRP) Overview article.
Troubleshooting Steps
- Confirm the primary switch is establishing layer 1 connectivity with the spare switch.
- Make sure VLANs configured as layer 3 interface are allowed between the primary and spare switch.
- Check if the primary switch is functioning properly as per other troubleshooting sections within this article.
Site-to-Site Auto VPN Down
Triggers
This alert is triggered if the Meraki auto VPN connection to a neighboring site is down for more than 5 minutes.
Troubleshooting Steps
Please refer to Meraki Auto VPN - Configuration and Troubleshooting for more information on how to troubleshoot auto VPN issues.