Sharing a few technical tips on building a Meraki SD-WAN

Aravinda Samarasinghe
4 min read · Dec 23, 2019

Meraki has a good range of products matching the different needs and use cases of SD-WAN deployments. While building an SD-WAN for an enterprise network, a few technical issues were encountered. Everyone comes across a problem or two at some point in a deployment, whether Meraki or another product is used. Here are a few things discovered during a new WAN build and rollout that may prove useful.

BGP route table inconsistency — This was a display problem: the Dashboard route table did not show the routes learned from the eBGP peer consistently, and they disappeared at random. Forwarding over BGP kept working while the routes were not visible, and only the BGP-learned routes were affected. The problem was reproduced across different firmware versions and different MX models, so neither was the cause. After the upstream device was changed to advertise summary routes only, the issue no longer appeared. Advertising summary routes is recommended wherever the more-specific routes can be avoided; it also keeps the MX route table small.

PXE boot & SOE build via SCCM — One of the main goals of the new WAN was to eliminate the individual on-site SCCM distribution points used for SOE (standard operating environment) builds, patching and software distribution. Maintaining that many servers was not sustainable. Adopting SD-WAN and building a new WAN brought a substantial increase in bandwidth, so these tasks were to be moved off the on-site servers and served from a central distribution point. Two issues were encountered during testing.

  • First, the boot file took far too long for the client to download. Several tests and packet captures were performed, and the captures showed IP fragmentation: each TFTP DATA packet was larger than the path MTU and was split into fragments. The fix was to reduce the TFTP block size, which is done by adjusting the RamDiskTFTPBlockSize value under HKLM\SOFTWARE\Microsoft\SMS\DP on the PXE-enabled distribution point, as recommended by Microsoft. Once applied, the boot file downloaded much faster.
  • Second, the SOE build itself failed. It stopped at a fixed point, failing to fetch a particular file. Packet captures showed TCP resets being sent to both the server and the client by the MX. It turned out the IDS/IPS on the MX was blocking some Microsoft .NET files. Once those files were allow-listed in the MX security settings, the build ran through successfully.
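Both symptoms above were found in packet captures. The following is an added example (not code from the original post) of how the two checks can be scripted over raw IPv4 frames: it counts IP fragments, records the data size of unfragmented TFTP DATA blocks, and flags TCP resets whose TTL does not match the TTL previously seen from the same host, which is a common heuristic for resets injected by an inline IPS. The frames are constructed in `sample_frames()` rather than taken from a capture; the addresses and ports are placeholders.

```python
"""Offline triage of the two PXE symptoms: fragmented TFTP DATA packets and
reset segments injected into a download. Added example, not code from the
original post; frames are constructed, not a real capture."""
import struct

IP_HDR, UDP_HDR, TFTP_HDR = 20, 8, 4   # header sizes in bytes
IP_MF, IP_OFF = 0x2000, 0x1FFF         # IPv4 "more fragments" flag, offset mask
PROTO_TCP, PROTO_UDP = 6, 17
TCP_RST = 0x04
TFTP_DATA = 3                          # DATA opcode, RFC 1350


def max_tftp_blksize(mtu=1500):
    """Largest TFTP blksize whose DATA packet still fits one IP datagram."""
    return mtu - IP_HDR - UDP_HDR - TFTP_HDR


def build_ipv4(src, dst, proto, payload, ttl=64, mf=False, offset=0):
    """Minimal IPv4 packet builder for test data (checksum left at zero)."""
    frag = (IP_MF if mf else 0) | (offset // 8)
    ip = lambda a: bytes(map(int, a.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(payload), 1,
                      frag, ttl, proto, 0, ip(src), ip(dst))
    return hdr + payload


def build_tftp_data(sport, dport, block, data):
    """UDP datagram carrying one TFTP DATA block."""
    tftp = struct.pack("!HH", TFTP_DATA, block) + data
    return struct.pack("!HHHH", sport, dport, UDP_HDR + len(tftp), 0) + tftp


def build_tcp(sport, dport, flags):
    """Bare 20-byte TCP header (data offset 5, no options or payload)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def parse_ipv4(pkt):
    vihl, _, tot, _, frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HDR])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto, "mf": bool(frag & IP_MF),
            "offset": (frag & IP_OFF) * 8, "payload": pkt[(vihl & 0x0F) * 4:tot]}


def triage(frames):
    """Count IP fragments, record unfragmented TFTP block sizes, flag suspect RSTs."""
    report = {"fragments": 0, "tftp_blocks": {}, "injected_rst": []}
    seen_ttl = {}   # (src, dst) -> TTL seen on that host's ordinary segments
    for pkt in frames:
        ip = parse_ipv4(pkt)
        if ip["mf"] or ip["offset"]:
            report["fragments"] += 1      # symptom 1: block larger than the path MTU
            continue                      # fragments are only counted, not reassembled
        p = ip["payload"]
        if ip["proto"] == PROTO_UDP:
            ulen = struct.unpack("!HHHH", p[:UDP_HDR])[2]
            data = p[UDP_HDR:ulen]
            if len(data) >= TFTP_HDR and struct.unpack("!HH", data[:TFTP_HDR])[0] == TFTP_DATA:
                block = struct.unpack("!HH", data[:TFTP_HDR])[1]
                report["tftp_blocks"][block] = len(data) - TFTP_HDR
        elif ip["proto"] == PROTO_TCP:
            flags = struct.unpack("!HHIIH", p[:14])[4] & 0x1FF
            key = (ip["src"], ip["dst"])
            if flags & TCP_RST:
                # symptom 2: an inline IPS tearing down a flow forges the peer's address, and
                # its TTL usually differs from the peer's real segments. Heuristic, not proof.
                if key in seen_ttl and seen_ttl[key] != ip["ttl"]:
                    report["injected_rst"].append((ip["src"], ip["dst"], ip["ttl"], seen_ttl[key]))
            else:
                seen_ttl.setdefault(key, ip["ttl"])
    return report


def sample_frames():
    """Constructed frames: a 4096-byte block fragmented into three pieces, one block sized
    to the MTU, then a download torn down by RSTs whose TTL matches neither host."""
    dp, client = "10.1.1.10", "10.50.7.21"       # distribution point, PXE client (placeholders)
    big = build_tftp_data(3070, 2001, 1, b"A" * 4096)
    frames = [build_ipv4(dp, client, PROTO_UDP, big[:1480], mf=True),
              build_ipv4(dp, client, PROTO_UDP, big[1480:2960], mf=True, offset=1480),
              build_ipv4(dp, client, PROTO_UDP, big[2960:], offset=2960),
              build_ipv4(dp, client, PROTO_UDP,
                         build_tftp_data(3070, 2001, 2, b"B" * max_tftp_blksize()))]
    frames += [build_ipv4(client, dp, PROTO_TCP, build_tcp(50000, 80, 0x18), ttl=128),  # PSH|ACK
               build_ipv4(dp, client, PROTO_TCP, build_tcp(80, 50000, 0x18), ttl=128),
               build_ipv4(dp, client, PROTO_TCP, build_tcp(80, 50000, TCP_RST), ttl=64),
               build_ipv4(client, dp, PROTO_TCP, build_tcp(50000, 80, TCP_RST), ttl=64)]
    return frames


if __name__ == "__main__":
    print(triage(sample_frames()))
```

`max_tftp_blksize()` gives 1468 for a 1500-byte Ethernet MTU: any block size at or below that value produces one datagram per block and no fragments, which is what the registry change achieves. The TTL rule on resets is a pointer to investigate, not a verdict; confirm against the appliance's IDS event log before allow-listing anything.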

The support received from Microsoft and Meraki in identifying and resolving these two issues was very valuable. Note that the Threat protection ruleset on the MX was set to 'Security'; the build may well have passed with the less aggressive 'Balanced' or 'Connectivity' rulesets. When the IPS blocks legitimate traffic, the blocked signature appears in the appliance's security event log, and allow-listing that specific match is preferable to dropping the whole appliance to a weaker ruleset.

BGP session reset — This one was related to Cisco ACI. The MX was connected through a Cisco Nexus 9000 series leaf switch, and its BGP neighbour was a Cisco ASA firewall. Random BGP session resets were seen from both the MX and the ASA. Basic troubleshooting such as changing the switch port, cables and SFP modules, and moving to a different leaf switch, made no difference. Cisco TAC confirmed it was a known bug in the ACI environment. The fix was to set the eBGP multihop value to 3 on the session. An eBGP session defaults to a TTL of 1 and expects a directly connected peer, so raising the multihop value lets the session survive an extra Layer 3 hop in the path; set it on both ends of the session. The issue was not seen again after the change.

Unable to establish Auto VPN over the built-in LTE modem — This came up while bringing up a branch on an MX68CW, and it was not a Meraki issue at all but carrier behaviour in how 4G internet traffic is handled. Observing the symptoms showed that the carrier's NAT was rewriting the source port before forwarding traffic to its destination. Auto VPN peers learn each other's public IP address and UDP port through the Meraki VPN registry, so when the port the hub had learned did not match the port the carrier assigned to the spoke-to-hub flow, the hub's packets arrived at a port with no matching state, the spoke's stateful firewall dropped them, and the tunnel never came up. The fix was to move to an external modem, after which the port behaviour changed and Auto VPN established successfully.
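The mismatch described above is easiest to see as a protocol exchange. The following is an added example, not Meraki code: it models the spoke's NAT in the two behaviours from RFC 4787 (endpoint-independent mapping, where one external port serves every destination, versus address-and-port-dependent mapping and filtering, where each destination gets a fresh port and inbound traffic is only accepted from that destination) and runs a simplified registry-based bring-up against each. The registry, hub and spoke addresses and port numbers are placeholders, and the hub is assumed to sit on a public address with no NAT of its own.

```python
"""Why a carrier NAT that rewrites source ports per destination breaks Auto VPN
hole punching. Added example, not Meraki code: the VPN registry exchange and
both NAT behaviours are simplified models using RFC 4787 terminology."""
import itertools


class Nat:
    """Minimal NAT model.
    endpoint_independent=True : one external port per inside socket, reused for every
                                destination, inbound accepted from anyone (typical branch NAT).
    endpoint_independent=False: a fresh external port per (inside socket, destination) and
                                inbound only accepted from that destination (symmetric NAT,
                                the behaviour the 4G path showed)."""

    def __init__(self, public_ip, endpoint_independent):
        self.public_ip = public_ip
        self.endpoint_independent = endpoint_independent
        self._ports = itertools.count(40000)   # external port allocator
        self._map = {}                         # mapping key -> external port

    def _key(self, inside, dst):
        return inside if self.endpoint_independent else (inside, dst)

    def outbound(self, inside, dst):
        """Packet from inside socket to dst: allocate or reuse a mapping, return public ip:port."""
        key = self._key(inside, dst)
        if key not in self._map:
            self._map[key] = next(self._ports)
        return (self.public_ip, self._map[key])

    def inbound(self, sender, ext_port):
        """Packet from sender to our public ext_port: return the inside socket, or None if dropped."""
        for key, port in self._map.items():
            if port != ext_port:
                continue
            if self.endpoint_independent:
                return key
            inside, dst = key
            if dst == sender:
                return inside
        return None


def auto_vpn_handshake(spoke_nat):
    """Simplified Auto VPN bring-up: hub on a public address, spoke behind spoke_nat.
    Returns (hub_reached_spoke, port_learned_by_registry, port_used_toward_hub)."""
    spoke = ("10.60.0.1", 9350)          # spoke MX inside socket (placeholder)
    registry = ("198.51.100.10", 9350)   # Meraki VPN registry (placeholder address)
    hub = ("203.0.113.5", 9350)          # hub MX on a public IP (placeholder)

    # 1. spoke registers; the registry records the public ip:port it sees the packet from
    _, reg_port = spoke_nat.outbound(spoke, registry)
    # 2. registry hands that ip:port to the hub, which starts sending tunnel traffic there
    # 3. spoke sends toward the hub; a symmetric NAT assigns this flow a different port
    _, port_toward_hub = spoke_nat.outbound(spoke, hub)
    # 4. does the hub's packet, addressed to the registry-learned port, reach the spoke?
    delivered = spoke_nat.inbound(hub, reg_port)
    return delivered == spoke, reg_port, port_toward_hub


if __name__ == "__main__":
    for name, nat in (("endpoint-independent", Nat("192.0.2.44", True)),
                      ("symmetric (carrier)", Nat("192.0.2.44", False))):
        ok, reg_port, hub_port = auto_vpn_handshake(nat)
        print(f"{name}: registry saw {reg_port}, hub flow uses {hub_port}, tunnel up: {ok}")
```

With endpoint-independent mapping the registry-learned port and the spoke-to-hub port are the same and the hub's first packet is delivered. With the symmetric behaviour the two ports differ and the hub's packet is addressed to a mapping bound to the registry, so the NAT drops it; no amount of firmware or Dashboard configuration on the spoke changes that, which is why swapping the modem (and hence the carrier NAT path) was the fix.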

A few security features are also worth enabling; they are easy to configure and take little effort: the wireless firewall, Threat protection (IDS/IPS), Cisco Umbrella for DNS, and content filtering. These are available by simply selecting them from a drop-down list. The firewall that can be enabled on a wireless SSID is very useful for guest or third-party wireless deployments: those clients are filtered at the AP before they ever reach the LAN segment, which makes segmenting the network a bit easier. The IDS/IPS, backed by Cisco's threat intelligence, is one of the strongest features of the MX appliances.

Meraki's support team deserves a mention. The help and support provided were commendable. Meraki Support is separate from Cisco TAC: engineers are keen to resolve customers' problems straightaway, they cover the whole Meraki product range, and there are no escalation tiers as with Cisco TAC, which is convenient for the customer. They provide a great level of service and support.

Meraki is all about simplification, and simplifying a network has many benefits. The first thing it requires is an open mind: a willingness to see things differently from the traditional approaches used over the years. Adopting that mindset pays off.
