Cisco SASE: Getting Started Guide
Overview
The Cisco SASE onboarding process involves updating MX firmware to version 19.1 or later, claiming your subscription in Security Cloud Control (SCC), and creating a Secure Access Integrations Meraki API Key. The SASE menu facilitates multi-console management of SD-WAN in Meraki and security policy management in Secure Access dashboards. Additionally, instructions are provided for disconnecting the Meraki Dashboard from Cisco Secure Access if needed. This structured approach ensures a smooth and efficient setup tailored to different operational needs.
Key Features:
- SD-WAN management and AutoVPN connectivity into the SSE fabric are handled via the Meraki Dashboard for NetOps ease of use.
- Security policies and SSE configurations are managed through the Secure Access dashboard, providing SecOps with dedicated tools.
- This separation allows both teams to work efficiently within their specialized domains while maintaining a secure, cohesive network.
Prerequisites
Before starting the onboarding process, complete a few key prerequisites and initial commands. These steps ensure a smooth and successful onboarding experience from the start.
MX Firmware Update
- MX firmware version 19.1 or later must be installed.
- Verify MX hardware compatibility using the referenced document. Upgrade via Organization > Configure > Firmware Upgrades.
Decide if a maintenance window is needed
If you answer YES to any of the following questions, it is recommended that you schedule a maintenance window BEFORE you integrate Secure Access with Meraki.
- Do you have the Secure Access Secure Internet Access package only? (i.e. No Secure Private Access package purchased)
- Do you have any Meraki Hubs?
- Does your organization require spoke-spoke communication using an MX hub?
Learn more about how to onboard Secure Access in a maintenance window here: Design Best Practices > Maintenance Window
Controlled Availability
The Secure Access integration is available via Early Access to anyone with a Secure Access Secure Internet Access (SIA) or Secure Private Access package. There are important considerations to ensure smooth onboarding:
Secure Access Considerations
- Secure Access organizations created prior to July 2, 2025 may need a flag enabled.
  - If your Secure Access org was created after July 2, 2025, you will have this flag.
  - If you encounter an error when onboarding via Meraki, create a support case via Secure Access/SCC and Support can easily enable this for you.
- Secure Access organizations must be managed with Security Cloud Control.
  - If your Secure Access org was created after March 31, 2025, you will have this.
  - If you do not have your Secure Access org tied to an SCC enterprise, you will encounter an error when onboarding via Meraki.
  - Create a TAC case via Secure Access/SCC and they will guide you through the process to link Secure Access to SCC.
  - You can also contact your Account team or CX contact for assistance.
- Customers who use Secure Access Multi-Org management are supported.
  - You will integrate the Secure Access “child” orgs with your Meraki orgs 1:1.
  - There is no way to integrate 1:Many or Many:1 orgs between Meraki:Secure Access.
Meraki Considerations
- Meraki site scale considerations:
  - For Meraki MX or Z appliance customers facing routing table size limitations that exceed datasheet specifications, or those with a high volume of sites enrolled in Secure Access, the number of routes learned from the cloud can be reduced. Contact support to enable the "only-default-route for Spokes" feature, which is detailed in the Platform Optimization section below.
- Customers who desire a Meraki integration to Secure Access DNS:
  - You will be able to use the SASE integration with Secure Access and DNS integration together soon; we will publish updates once this is available.
- Customers who have a Meraki integration to Umbrella DNS:
  - Umbrella DNS and SASE with Secure Access are not compatible; you will encounter an error at onboarding time.
  - To use the integration, move your DNS integration from Umbrella to Secure Access.
- Customers who have Secure Connect (a Meraki integration to Umbrella SSE):
  - Secure Connect and Secure Access SASE cannot co-exist on the same Meraki Organization.
  - To use the integration, you’ll need to request an upgrade to Secure Access and pursue a manual transition.
  - Contact your account team to learn more about paths from Secure Connect to Secure Access.
  - A self-guided migration tool is coming soon, and will greatly simplify this experience.
Early Access Enablement
To enable the Controlled Availability feature, navigate to Organization > Configure > Early Access. Opt in to Cisco Secure Access Integration. This will enable the feature for your organization.
Known Issue: Cosmetic bug with VPN Status
- When Meraki Sites are connected to a Secure Access Cloud Hub, these hubs become visible in the Meraki Dashboard as networks.
- Currently, the status of these networks is inaccurate in two places:
  1. Organization > Overview > Networks Tab: the Network status shows grey/disconnected despite passing traffic.
  2. Organization > Monitor > VPN Status > [any Secure Access Cloud Hub]: the live VPN Status data shows the following error message, despite passing traffic: “Connectivity: Disconnected. This WAN appliance is currently unreachable from the Meraki cloud.”
- You can find the correct/current status of these devices by navigating to the Secure Access Cloud Hub networks themselves, then visiting Security & SD-WAN > Monitor > Appliance Status.
- This issue is being tracked by engineering and will be resolved shortly.
Platform Optimization
At the time of integration, the recommended platform optimization settings will be automatically applied to the organization.
Learn more about details of the 2025 Platform Optimization here.
These settings were developed from the learnings from the Secure Connect product and the underlying technology. Together, they ensure faster failover in the event of a Data Center outage and simplify spoke site routing, reducing overall route complexity.
If your SD-WAN organization requires traffic to flow from spoke to spoke through an existing Hub, not all elements of the optimization may be required. In that case, reach out to your Meraki representative prior to integration to disable the feature that blocks the exchange of routes between spokes.
Organizations managing a large number of sites (over 500) enrolled in a single Secure Access region can enable an additional feature referred to as only-default-route for Spokes. This capability enhances stability and accelerates convergence during both onboarding and Data Center maintenance events. By activating this feature, Meraki Spokes will learn only a default route from the Secure Access Hubs, eliminating the need to process individual prefixes. This approach significantly reduces the routing management overhead on Spokes for cloud-learned routes. Please contact support to enable this feature in your organization.

