Meraki Implementation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Meraki Implementation

L2 Linker

Curious if anyone has Meraki and a PAN setup.  We are trying to to link our remote sites to the data center.  At the remotes the meraki is the router then in the data center we have the meraki behind the the PA.  We can establish a VPN tunnel and ping internal devices, but it is really slow.  For example logons to workstations take forever, and I mean it they never logon wheel keeps spinning, but if I get by that, web pages dont load even from internal servers that should not have to go bck to the palo alto.

 

We did the one arm concentrator mode, so it doesnt have a public IP, it sits in the trust zone with the other internal servers.  We started in the DMZ, put the policy righting got complex so more time consuming so we tabled that to just test performance.

 

We haev a call in into Meraki as well, but curious of others experiences.  Palo Alto has best practices for others, just not meraki.

10 REPLIES 10

Cyber Elite
Cyber Elite

@bschaper,

I'm honestly suprised you actually got this to work at all to be honest. Have you verified through enabling interzone-default logging that the Palo Alto is actually not blocking any traffic. Meraki is generally pretty picky about being behind another firewall and if possible I would really recommend taking a look at redesigning your solution. 

Just to do some troubleshooting; have you tried moving the Meraki out from behind your Palo Alto, or another connection all-together, and verified that the issue isn't present even with your Palo Alto out of the picture? I would call that step-one of the process just to rule that out. 

I will turn on the logging.  Meraki has documentation on being behind a firewall and this morning it seems to be working better.  Almost like it takes time to improve service.  We discussed placing it outside the PA, but we still want to be able to use the PA to manage all user internet traffic.  

 

I'm trying tom implement this now too andnot having much luck.  Do you have a link to the documentatuon you mentioned?

 

Thanks,

So the docs have changed some, but here is the link:

 

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings

 

I can see if I can find the old docs.

 

Overall I was not that impressed with Meraki, to get it to work we placed the device inside the network and did a static nat translation and just opened the ports.  Not ideal, but it was just a POC, we had a lot of small bugs in the Meraki software, that always seemed to be a software update away.

 

The biggest show stopper for us was the cellular failover and how you could not restrict traffic over it.  So we had a IP camera that streams constantly over the cell connection in HD.  Wasteful as a backup.  Other little bugs that I dont recall anymore.  We decided to look into ECMP and use PA devices at each site.  Seems like a better cost alternative.

 

A little birdie told me that Palo Alto may have some SD-WAN stuff in the works, third party or maybe, fingers cross internal.  I dont see why they could not build a basic implementation into their firewalls.  We didnt need any of the traffic shaping during normal business, we run thin clients and IP phones at the site so the protocols are minimal.  Meraki was fine for that and a reasonable price point over the competition.

I have setup the One Arm VPN concentrator. I connected into the internal LAN, created a static bi-drectional NAT for it. On the meraki side, set it up as "Manual - Port Forwarding" and chose a port to use.

 

No issues like you're describing.  It has its use cases, but I'm not the biggest fan

Had the same setup, problem wasn’t at the headend although I did not find it to be the most reliable. The problem we had was at the remote sites that used cellular. Their built in firewall/router was just really basic. We consider Viptela as well but the price was VMUG her than we could justify.

were the remote sites using the MX64? That's how I deployed at a client, they full tunneled everything to their DC.

64s and z3, just was feature lacking

After a marathon session with both Palo andMeraki we have this working now.  here are teh final notes fromteh Palo Support session

 

Please go through this document to understand this problem we were facing during NAT:
https://live.paloaltonetworks.com/t5/Learning-Articles/Session-setup-fails-due-to-session-hash-colli...

> Finally we created source static NAT (Not bi-directional) and after that all the tunnel was up and running as expected

This worked for us as well. We are not seeing the performance issues others have said they seen.

Created the Static NAt for our HA pairs VIP which is the source IP for the Meraki AutoVPN.

We were able to get all green across the Meraki dashboard and our tunnels came up.

Thank you for all the digging you did. I have been talking with Palo and Meraki and didn't get anywhere.

Reworded my google search and thanks to this article ours are working.

  • 12370 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!