topic Re: Meraki Implementation in General Topics

Meraki Implementation

Retired Member — Thu, 18 Jan 2018 05:22:25 GMT

Curious if anyone has Meraki and a PAN setup. We are trying to to link our remote sites to the data center. At the remotes the meraki is the router then in the data center we have the meraki behind the the PA. We can establish a VPN tunnel and ping internal devices, but it is really slow. For example logons to workstations take forever, and I mean it they never logon wheel keeps spinning, but if I get by that, web pages dont load even from internal servers that should not have to go bck to the palo alto.

We did the one arm concentrator mode, so it doesnt have a public IP, it sits in the trust zone with the other internal servers. We started in the DMZ, put the policy righting got complex so more time consuming so we tabled that to just test performance.

We haev a call in into Meraki as well, but curious of others experiences. Palo Alto has best practices for others, just not meraki.

Re: Meraki Implementation

BPry — Thu, 18 Jan 2018 21:09:51 GMT

@Retired Member,

I'm honestly suprised you actually got this to work at all to be honest. Have you verified through enabling interzone-default logging that the Palo Alto is actually not blocking any traffic. Meraki is generally pretty picky about being behind another firewall and if possible I would really recommend taking a look at redesigning your solution.

Just to do some troubleshooting; have you tried moving the Meraki out from behind your Palo Alto, or another connection all-together, and verified that the issue isn't present even with your Palo Alto out of the picture? I would call that step-one of the process just to rule that out.

Re: Meraki Implementation

Retired Member — Thu, 18 Jan 2018 21:29:39 GMT

I will turn on the logging. Meraki has documentation on being behind a firewall and this morning it seems to be working better. Almost like it takes time to improve service. We discussed placing it outside the PA, but we still want to be able to use the PA to manage all user internet traffic.

Re: Meraki Implementation

rscott259 — Thu, 23 Aug 2018 20:37:51 GMT

I'm trying tom implement this now too andnot having much luck. Do you have a link to the documentatuon you mentioned?

Thanks,

Re: Meraki Implementation

Retired Member — Fri, 24 Aug 2018 03:33:55 GMT

So the docs have changed some, but here is the link:

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings

I can see if I can find the old docs.

Overall I was not that impressed with Meraki, to get it to work we placed the device inside the network and did a static nat translation and just opened the ports. Not ideal, but it was just a POC, we had a lot of small bugs in the Meraki software, that always seemed to be a software update away.

The biggest show stopper for us was the cellular failover and how you could not restrict traffic over it. So we had a IP camera that streams constantly over the cell connection in HD. Wasteful as a backup. Other little bugs that I dont recall anymore. We decided to look into ECMP and use PA devices at each site. Seems like a better cost alternative.

A little birdie told me that Palo Alto may have some SD-WAN stuff in the works, third party or maybe, fingers cross internal. I dont see why they could not build a basic implementation into their firewalls. We didnt need any of the traffic shaping during normal business, we run thin clients and IP phones at the site so the protocols are minimal. Meraki was fine for that and a reasonable price point over the competition.

Re: Meraki Implementation

ce1028 — Sun, 26 Aug 2018 19:34:44 GMT

I have setup the One Arm VPN concentrator. I connected into the internal LAN, created a static bi-drectional NAT for it. On the meraki side, set it up as "Manual - Port Forwarding" and chose a port to use.

No issues like you're describing. It has its use cases, but I'm not the biggest fan

Re: Meraki Implementation

Retired Member — Sun, 26 Aug 2018 23:16:10 GMT

Had the same setup, problem wasn’t at the headend although I did not find it to be the most reliable. The problem we had was at the remote sites that used cellular. Their built in firewall/router was just really basic. We consider Viptela as well but the price was VMUG her than we could justify.

Re: Meraki Implementation

ce1028 — Mon, 27 Aug 2018 00:25:04 GMT

were the remote sites using the MX64? That's how I deployed at a client, they full tunneled everything to their DC.

Re: Meraki Implementation

Retired Member — Mon, 27 Aug 2018 01:12:41 GMT

64s and z3, just was feature lacking

Re: Meraki Implementation

rscott259 — Mon, 27 Aug 2018 13:09:57 GMT

After a marathon session with both Palo andMeraki we have this working now. here are teh final notes fromteh Palo Support session

Please go through this document to understand this problem we were facing during NAT:
https://live.paloaltonetworks.com/t5/Learning-Articles/Session-setup-fails-due-to-session-hash-collision-error/ta-p/70539

> Finally we created source static NAT (Not bi-directional) and after that all the tunnel was up and running as expected

Re: Meraki Implementation

Golioth68 — Tue, 01 Oct 2019 22:51:19 GMT

This worked for us as well. We are not seeing the performance issues others have said they seen.

Created the Static NAt for our HA pairs VIP which is the source IP for the Meraki AutoVPN.

We were able to get all green across the Meraki dashboard and our tunnels came up.

Thank you for all the digging you did. I have been talking with Palo and Meraki and didn't get anywhere.

Reworded my google search and thanks to this article ours are working.