Python is not dead of course
VPNs between different hardware can require some effort to get the right settings. Once you get it right it should be stable, and the most important thing to do for stability is to use IKEv2.
A deep-level debug on the ASA side (whilst initiating the VPN connection on the Meraki side) would show you exactly why it fails. Wireshark capture on both sides as well.
I am a Palo guy but I came into my current job in 2022 with an open mind for Meraki. That was quickly squashed with the MX. I do like the switch and APs but not the MXs.
Yeah unfortunately my DC networks are mostly already super-netted and borrowing another bit would interfere with some of our other DC networks.
Gone or dead. VMware is very alive and will likely be okay.
I hope legitimate competitors emerge
‘should’ haha :). Thanks for your response.
You hit that right on the head I think. The MX is the source of 90% of my pain right now.
We have a vMX in the mix too, at least it will exchange routes with BGP and inject them into the VPN network.
Fair enough. I’ve never had an environment where the business would ever have wanted automatic DR. Declaring a disaster was to be avoided at all costs due to the impact of having to switch back later so I can’t imagine wanting that automated anyway.
They do offer something like this with vMXs since they can’t be in an HA pair.
For our retail environment, we recently migrated to Azure. We have a vMX (and Palo Altos) at 2 Azure hub locations. I was able to fail over BGP routing between the 2 locations using the PAs to update the route tables. On the backend, we use Azure Peering and Azure Route Server to receive the routes in the server VNETs. It works pretty well for redundancy with no load balancers required.
Welcome to finance. All our DR is pretty automated, virtual environment is completely split-write so all real time data exists in all locations.
We looked at vMX but our cloud provider uses VMware Cloud Director and there is no vMX available yet unfortunately, but I am waiting patiently for one.
We don’t have quite that level of complexity at Azure, just a simple subnet with a Fortigate appliance in front of it basically peering with the vMX. I was also surprised to learn the vMX is really just a one-armed VPN concentrator. Why wouldn’t the product even act as a basic firewall?
I’m not an Azure expert - I suspect we could have used route server and exchanged routes that way to make it fully dynamic but for now we’ve just set up the route tables to work as expected. Not perfect but also not unnecessarily complex. Once we’ve completed implementation there’s almost no potential for change on the Azure side anytime soon, we’ll document the manual step if we add subnets on the Azure side.
VMware? My condolences.
I enjoy Meraki for what it can do but you definitely have to be aware of its limitations, and it’s not one size fits all. I’d probably be looking at a more advanced SD-WAN solution in your situation.
I came from having Talari in the past, which was a 180 from Meraki. Infinitely customizable and powerful, but we had to pretty much dedicate a network engineer to keeping the thing running. It could do anything though. They got bought by Oracle a while back so I don’t recommend them anymore, but it was nice at times.
Yup, I like the wireless. The switching I’m impartial to. The MXs I’m critical of.
Haha I like wireless and cameras, I like MX but I use a “real” firewall to do more complicated things. I can’t stand the switching. Something about needing internet access to touch a switch just rubs me the wrong way; I don’t trust it.