Curious if anyone has Meraki and a PAN setup. We are trying to to link our remote sites to the data center. At the remotes the meraki is the router then in the data center we have the meraki behind the the PA. We can establish a VPN tunnel and ping internal devices, but it is really slow. For example logons to workstations take forever, and I mean it they never logon wheel keeps spinning, but if I get by that, web pages dont load even from internal servers that should not have to go bck to the palo alto.
We did the one arm concentrator mode, so it doesnt have a public IP, it sits in the trust zone with the other internal servers. We started in the DMZ, put the policy righting got complex so more time consuming so we tabled that to just test performance.
We haev a call in into Meraki as well, but curious of others experiences. Palo Alto has best practices for others, just not meraki.
I'm honestly suprised you actually got this to work at all to be honest. Have you verified through enabling interzone-default logging that the Palo Alto is actually not blocking any traffic. Meraki is generally pretty picky about being behind another firewall and if possible I would really recommend taking a look at redesigning your solution.
Just to do some troubleshooting; have you tried moving the Meraki out from behind your Palo Alto, or another connection all-together, and verified that the issue isn't present even with your Palo Alto out of the picture? I would call that step-one of the process just to rule that out.
I will turn on the logging. Meraki has documentation on being behind a firewall and this morning it seems to be working better. Almost like it takes time to improve service. We discussed placing it outside the PA, but we still want to be able to use the PA to manage all user internet traffic.
So the docs have changed some, but here is the link:
I can see if I can find the old docs.
Overall I was not that impressed with Meraki, to get it to work we placed the device inside the network and did a static nat translation and just opened the ports. Not ideal, but it was just a POC, we had a lot of small bugs in the Meraki software, that always seemed to be a software update away.
The biggest show stopper for us was the cellular failover and how you could not restrict traffic over it. So we had a IP camera that streams constantly over the cell connection in HD. Wasteful as a backup. Other little bugs that I dont recall anymore. We decided to look into ECMP and use PA devices at each site. Seems like a better cost alternative.
A little birdie told me that Palo Alto may have some SD-WAN stuff in the works, third party or maybe, fingers cross internal. I dont see why they could not build a basic implementation into their firewalls. We didnt need any of the traffic shaping during normal business, we run thin clients and IP phones at the site so the protocols are minimal. Meraki was fine for that and a reasonable price point over the competition.
I have setup the One Arm VPN concentrator. I connected into the internal LAN, created a static bi-drectional NAT for it. On the meraki side, set it up as "Manual - Port Forwarding" and chose a port to use.
No issues like you're describing. It has its use cases, but I'm not the biggest fan
After a marathon session with both Palo andMeraki we have this working now. here are teh final notes fromteh Palo Support session
Please go through this document to understand this problem we were facing during NAT:
> Finally we created source static NAT (Not bi-directional) and after that all the tunnel was up and running as expected
This worked for us as well. We are not seeing the performance issues others have said they seen.
Created the Static NAt for our HA pairs VIP which is the source IP for the Meraki AutoVPN.
We were able to get all green across the Meraki dashboard and our tunnels came up.
Thank you for all the digging you did. I have been talking with Palo and Meraki and didn't get anywhere.
Reworded my google search and thanks to this article ours are working.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!