MitchellGulledge / Meraki-vWAN

Private Subnets when connecting to Secure Hub #31

Closed SleepyWheezal closed 3 years ago

SleepyWheezal commented 3 years ago

We have run into a couple of issues when attaching to a Secure Hub.

Scenario One

We have a secure hub configured as per the following link https://docs.microsoft.com/en-us/azure/virtual-wan/scenario-route-between-vnets-firewall

From my understanding the function pulls the vnet address by looking for effective routes to vnets in the default route table.

Due to no Azure API existing for connected networks to the hub, pull connected VNets via effective routes

```python
effective_routes_endpoint = _get_microsoft_network_base_url(_AZURE_MGMT_URL, AzureConfig.subscription_id, resource_group)\
```

However all our vnet traffic goes via a firewall, so we don't have any effective routes to vnets. Hence this comes back empty and we end up with the placeholder entry in the Private Subnet field.

Scenario Two

In addition we temporarily have an additional non-Meraki VPN to a datacentre. This is routable through the Secure Hub, however we need a mechanism of catching this in the private subnet field.

Could the function be amended to add the option to manually define the private subnet field, so it is a little more flexible.

Thanks in advance.

MitchellGulledge commented 3 years ago

Thanks for the great description of the problem :) quick question, for the private subnets field and sending traffic to the secure hub are you using the secure hub as the internet gateway as well (as in a default route is being generated from the Azure Firewall) or that you have a bunch of VNETs using the SecureHub as their default gateway and we need a way to pull the FW VNET routes in addition to a default route via the API? (I hope that made sense apologies if not)

SleepyWheezal commented 3 years ago

Hi, thanks for getting back so quickly. Sorry, not sure what you mean, but it is the end of a long day. The secure hub is the internet break gateway for the VNETs and essentially any traffic from a site to a VNET will traverse the firewall. So pretty sure by your description it is a default route generated by the Firewall. Basically we have defined a static route in the hub that directs all traffic in the VNET IP ranges into the firewall. The other issue is we have a VPN to an on-prem Datacentre that doesn't have Meraki. It's another site, however not sure how we can capture the IP range.

SleepyWheezal commented 3 years ago

Hi Mitchell, is this something you could help with? Just working out whether we should hold on or create our own branch. Thanks.

MitchellGulledge commented 3 years ago

Hey, apologies for the delay. How soon would this need to be implemented? And how many sites? We might be able to get another branch off main with the fix and I could have a button on that branch deploy from that code. But it would take some time (maybe a week or two) due to competing priorities. But also that doesn't mean I don't break other parts of the script and delay another week :( But your description of the problem made perfect sense. It might be easier to add some logic to append custom subnets from the effective routes. But to pull from the Azure FW routes will be the more difficult part to put in the code. (Azure has all the API endpoints we need to do this, it's just working that into the logic.) Would another solution be for you to just fill in the private subnets field containing the Azure FW prefixes in the interim? (This might be quicker to fix.)

SleepyWheezal commented 3 years ago

Hi, thank you for getting back, we appreciate your time. Looking at around twenty sites. I've looked at adding in an application setting just to manually catch the private subnets, seems fine for an interim solution. We are looking to start moving sites into production in a couple of weeks.

MitchellGulledge commented 3 years ago

Awesome, I could likely start kicking off some code next week so we can hopefully have a branch for you to test. Just so I understand, I will create a field under where you enter your api key vwan name etc and have a field called private subnets and you can paste a list of prefixes and the code will replace the placeholder field for 1.1.1.1/32. Would that work?

SleepyWheezal commented 3 years ago

Yes, that will work. It will give us a little more flexibility with the private subnets. Thanks for picking it up.



MitchellGulledge commented 3 years ago

Does azure_custom_prefixes make sense for the naming of the field?

MitchellGulledge commented 3 years ago

```python
import os

#api_key = os.environ['meraki_api_key'].lower()
#org_name = os.environ['meraki_org_name']
#use_maintenance_window = os.environ['use_maintenance_window']
#maintenance_time_in_utc = int(os.environ['maintenance_time_in_utc'])
#tag_prefix = 'vwan-'
#primary_tag_regex = f"(?i)^{tag_prefix}([a-zA-Z0-9_-]+)-[0-9]+$"
#secondary_tag_regex = f"(?i)^{tag_prefix}([a-zA-Z0-9_-]+)-[0-9]+-sec$"
#org_id = None
# authenticating to the Meraki SDK
#sdk_auth = meraki.DashboardAPI(api_key)

# custom prefixes can be defined by the customer in order to account for
# subnets outside the Azure effective routes table
custom_prefixes = os.environ['azure_custom_prefixes']

''' The goal is to have the new_meraki_vpns be new_meraki_vpns + custom_prefixes

        # Update Meraki VPN config
        update_meraki_vpn = MerakiConfig.sdk_auth.appliance.updateOrganizationApplianceVpnThirdPartyVPNPeers(
            MerakiConfig.org_id, new_meraki_vpns
            )

'''

''' The new logic will have the following conditional statement to account for the custom prefixes

        # if statement to check whether the length of the custom_prefixes list is greater than 0
        if len(custom_prefixes) > 0:
            new_meraki_vpns = new_meraki_vpns + custom_prefixes

        # Update Meraki VPN config
        update_meraki_vpn = MerakiConfig.sdk_auth.appliance.updateOrganizationApplianceVpnThirdPartyVPNPeers(
            MerakiConfig.org_id, new_meraki_vpns
            )

'''
```

If that makes sense I can work on testing the code as this seems straightforward enough :)

SleepyWheezal commented 3 years ago

I'd be tempted to stick with Private Subnets so it matches the terminology in the Meraki Portal. I don't know enough about the Meraki APIs, I'll have to assume the rest is fine. I'm guessing this is an array, so we can assign multiple subnets?

MitchellGulledge commented 3 years ago

that makes more sense, I will work on adding and testing today/over the weekend so you should hopefully have something you can deploy with no issues next week :)

MitchellGulledge commented 3 years ago

Also the entry will be a list of comma separated IPs, so like ['1.1.1.1/30', '2.2.2.2/30', '3.3.3.3/30']. Essentially a list of strings in Python. Going to add some error handling in there potentially to account for typos or missed quotes.

SleepyWheezal commented 3 years ago

Hi Mitchell, do you have an idea when this might be completed?

MitchellGulledge commented 3 years ago

Apologies for the delay, had other priorities/escalations backlog this. Please allow me a few more days and apologies for the delay.

MitchellGulledge commented 3 years ago

Quick Update, my tests all seem to be passing so will try to get this on a public branch either tomorrow or Monday :)

SleepyWheezal commented 3 years ago

Brilliant, thanks


MitchellGulledge commented 3 years ago

Whenever you are ready you can try the new deployment out with this button in the page: https://github.com/MitchellGulledge/Meraki-vWAN/tree/v1API

For the `meraki_private_subnets` field just provide a list of IPs with no quotes or brackets or anything. So for example: 1.1.1.1/30, 2.2.2.2/32

It is working fine for me now so hopefully this finds you well :)
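An added example, not part of the thread or the project's code: one way to parse and validate a comma-separated `meraki_private_subnets` value before it is merged into third-party VPN peers, replacing the `1.1.1.1/32` placeholder. The function names and the peer dictionaries are assumptions (only the `privateSubnets` key mirrors the Meraki peer object), as is applying the prefixes to every peer.

```python
import ipaddress

PLACEHOLDER = "1.1.1.1/32"  # placeholder prefix mentioned in this thread


def parse_private_subnets(raw):
    """Split the comma-separated setting into (accepted, rejected) lists.

    Accepted entries are normalised CIDR strings, de-duplicated in input order.
    """
    accepted, rejected = [], []
    for token in (raw or "").split(","):
        # Tolerate pasted Python-list syntax: brackets, quotes, whitespace.
        item = token.strip(" \t\r\n[]'\"")
        if not item:
            continue
        if "/" not in item:
            rejected.append(item)  # no mask given: refuse to guess /32
            continue
        try:
            # strict=False masks host bits, so 1.1.1.1/30 becomes 1.1.1.0/30
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            rejected.append(item)  # typo such as an octet above 255
            continue
        cidr = str(net)
        if cidr not in accepted:
            accepted.append(cidr)
    return accepted, rejected


def merge_private_subnets(peers, custom_prefixes):
    """Return copies of peers with custom_prefixes added to privateSubnets.

    Assumption: every peer receives the same custom prefixes. The input
    list and its dictionaries are left unmodified.
    """
    merged = []
    for peer in peers:
        subnets = list(peer.get("privateSubnets", []))
        if custom_prefixes:
            # Real prefixes are available, so the placeholder is dropped.
            subnets = [s for s in subnets if s != PLACEHOLDER]
        for prefix in custom_prefixes:
            if prefix not in subnets:
                subnets.append(prefix)
        merged.append({**peer, "privateSubnets": subnets})
    return merged


if __name__ == "__main__":
    # Constructed sample peers; names are hypothetical.
    peers = [
        {"name": "site-a", "privateSubnets": [PLACEHOLDER]},
        {"name": "site-b", "privateSubnets": [PLACEHOLDER]},
    ]
    prefixes, bad = parse_private_subnets("10.12.0.0/16, 1.106.106.0/24, 10.300.0.0/16")
    if bad:
        print("rejected entries:", bad)
    for peer in merge_private_subnets(peers, prefixes):
        print(peer["name"], peer["privateSubnets"])
```

Rejected entries are returned rather than silently dropped so the function can log them and skip the update instead of pushing a partial prefix list.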

SleepyWheezal commented 3 years ago

Thank you, I have deployed the app. However, we have an unrelated outage, so can't test it yet. I'll let you know as soon as we can.

MitchellGulledge commented 3 years ago

Hey, just wanted to circle back and see if you wanted to redeploy the app again? I made a few commits to make this more bulletproof and even updated the Meraki documentation to include this new functionality.

SleepyWheezal commented 3 years ago

Hi Mitchell

Thanks, I’ve redeployed with the latest version. It works, but I have a couple of comments.

Regards

Peter


MitchellGulledge commented 3 years ago

So when you try to manually trigger the function vs waiting for the timer you see the 500 error? And also just so I understand you are still seeing that annoying placeholder for effective routes of 1.1.1.1/32 which doesn't affect anything but looks odd. Other than that the function appears to be working as expected?

SleepyWheezal commented 3 years ago

Yes, when I trigger the function I see the 500 error. I can’t see any problems when it runs off the timer.


MitchellGulledge commented 3 years ago

The manual trigger makes sense, there is no path the function has when executing the manual trigger to trigger the main function. (I could be wrong, but I do not think the manual trigger is expected to work with the code as it is today) Regarding the 1.1.1.1/32 subnet I can fix that with some additional logic but you would have to redeploy the app again once I merge the fix if that is okay with you?

SleepyWheezal commented 3 years ago

Hi

That’s fine, let me know when you have made the merges.

Peter


SleepyWheezal commented 3 years ago

Sorry, looks like we may have found an issue. We have brought on board a second site and it looks like it doesn’t pick up the private subnets for both sites. One site picks up the private subnets as expected, one site only picks up the placeholder. Behaviour was a bit glitchy, essentially

I’ll leave the script running to see if this happens again tonight.

Thanks

Peter


MitchellGulledge commented 3 years ago

That is super strange, please let me know the results and I will hold off for now making any changes until we confirm this wasn't a one-off. (I was pushing changes yesterday and this could have been timing with when I pushed some changes so will stand by.)

SleepyWheezal commented 3 years ago

Unfortunately it seems to be consistent. We have two sites and during the maintenance window one site loses its private subnets. I've attached the screen shot of the log from the Meraki side, where we can see it pushed out from the script. Let me know if there is anything else I can do to help troubleshoot.


MitchellGulledge commented 3 years ago

I am unfortunately not able to see the screenshot, do you mind sharing your meraki S/N and I can take a look at the logs while I recreate here as well?

SleepyWheezal commented 3 years ago

We have removed the site that was having the issue, and it is now affecting the next site on the list. It is also happening every time we perform an apply now. For info the private subnets that should be passed over are 10.12.0.0/16, 1.106.106.0/24, I'm assuming the formatting is correct. The device serial is Q2KY-R6CS-B2GG, let me know if you need anything else. Thanks



MitchellGulledge commented 3 years ago

Alright will get to the bottom of this. I have recreated this and configured the same custom subnets. I think this is going to be where I placed the logic in the loop. Will update as soon as I find more out. (Hopefully very soon)

MitchellGulledge commented 3 years ago

Think I found the issue! So in the v1API2 branch created for you the azuredeploy.json file here: https://github.com/MitchellGulledge/Meraki-vWAN/blob/v1API2/azuredeploy.json is pulling this:

```json
"variables": {
    "hostingPlanName": "[parameters('function_app_name')]",
    "storageAccountName": "[concat('storage', uniquestring(resourceGroup().id))]",
    "functionPackage": "https://github.com/MitchellGulledge/Meraki-vWAN/raw/v1API/MerakiFunction.zip"
},
```

Going to update this and retest.
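An added example, not the project's code: a pre-deployment check that the `functionPackage` URL in an ARM template points at the same repository and branch the template itself was taken from, which is the mismatch described in the comment above. The function names are hypothetical, the sample template is constructed from the quoted `variables` block, and the check assumes the URL shape `owner/repo/raw/<ref>/<file>` with a ref that contains no `/`.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the "variables" block quoted in the thread, wrapped in
# a minimal template skeleton so it parses as JSON.
SAMPLE_TEMPLATE = json.dumps({
    "variables": {
        "hostingPlanName": "[parameters('function_app_name')]",
        "storageAccountName": "[concat('storage', uniquestring(resourceGroup().id))]",
        "functionPackage": "https://github.com/MitchellGulledge/Meraki-vWAN/raw/v1API/MerakiFunction.zip",
    }
})


def package_ref(template_text):
    """Return (owner, repo, ref, filename) parsed from variables.functionPackage."""
    template = json.loads(template_text)
    url = template["variables"]["functionPackage"]
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "github.com":
        raise ValueError(f"unexpected package host or scheme: {url}")
    segments = parts.path.strip("/").split("/")
    # Expected shape: owner/repo/raw/<ref>/<file>
    if len(segments) != 5 or segments[2] != "raw":
        raise ValueError(f"unexpected package path: {parts.path}")
    owner, repo, _, ref, filename = segments
    return owner, repo, ref, filename


def check_package_branch(template_text, expected_repo, expected_ref):
    """Return a list of human-readable problems; an empty list means consistent."""
    owner, repo, ref, filename = package_ref(template_text)
    problems = []
    if f"{owner}/{repo}" != expected_repo:
        problems.append(f"package comes from {owner}/{repo}, expected {expected_repo}")
    if ref != expected_ref:
        problems.append(
            f"{filename} is pulled from ref '{ref}', template is on '{expected_ref}'"
        )
    return problems


if __name__ == "__main__":
    # The template lives on v1API2 but its package URL still says v1API.
    for problem in check_package_branch(
        SAMPLE_TEMPLATE, "MitchellGulledge/Meraki-vWAN", "v1API2"
    ):
        print("MISMATCH:", problem)
```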

MitchellGulledge commented 3 years ago
Screen Shot 2021-06-29 at 11 01 23 AM

Looks like it worked, will continue to monitor/test but it looks good!

MitchellGulledge commented 3 years ago

Want to redeploy the function app and see if it works for you? I am 24 hours without any app errors.

SleepyWheezal commented 3 years ago

Hi, thank you for your work on this. I will update the function later today.


SleepyWheezal commented 3 years ago

Hi, I’ve deployed the v1API2 branch, I’m not sure the deployment button is pointing to the correct azuredeploy file as it didn’t include the private subnet option. However I deployed by using the file in a custom template and it seems to be working. I will give it a few days and let you know.


MitchellGulledge commented 3 years ago

strange, can you try deploying from the documentation: https://documentation.meraki.com/MX/Deployment_Guides/Cisco_Meraki_MX_Branch_to_Azure_Virtual_WAN_Deployment_Guide or is that what you did?

MitchellGulledge commented 3 years ago

I can confirm the button I had in documentation is the correct one and the github readme should just be updated for that branch. It still points to stale branch.. apologies

SleepyWheezal commented 3 years ago

Hi Mitchell

Sorry it has taken a while to get back, I had a few challenges with A/L and work. However I’ve successfully redeployed the function using the link in the doc and I haven’t seen a repeat of the issue with the private subnets. So it can be marked as resolved.

However I do have another issue, don’t know if you can shed any light on it. We have three sites setup so far and for all but the first site we get an error in the function.

```
2021-07-22 15:50:49.818 Could not create Virtual WAN connection. Error
2021-07-22 15:50:49.820 Response: { "error": { "code": "AnotherOperationInProgress", "message": "Another operation on this or dependent resource is in progress. To retrieve status of the operation use uri: https://management.azure.com/subscriptions/6acff128-1185-4964-bf3f-62488279fb8f/providers/Microsoft.Network/locations/uksouth/operations/13ff3b56-f49a-4ecf-919a-2f872f2e3e20?api-version=2020-05-01.", "details": [] } } Error
2021-07-22 15:50:49.821 Virtual WAN Connection for DebdenGrange could not be created, skipping to next network. Error
```

However despite this the site does configure correctly, the knock on being it doesn’t clear the vwan-apply-now tag.

Thanks

Peter


MitchellGulledge commented 3 years ago

I am going to close this issue, and open a new issue with the vwan-apply-now tag not being cleared. Thanks for your patience