Solved: MX100 AMP Blocking Microsoft Update and Java Update - Page 2

enchesiah · ‎10-13-2017

We bought 2X MX100 Security Appliance (retail price at $4999 each + License ). Currently running at the latest Stable firmware 12.24 and It blocks all device from downloading windows update and Adobe update even thou I whitelist all known Microsoft update sites. Meraki solution

1) Disable Amp ( Risk of getting Malware )

2) Upgrade firmware to V14 BETA. ( Running critical production network on BETA Firmware? )

Anyone have better workaround please help !

enchesiah · ‎10-13-2017

yes 12.24

Sorry i cannot share my L3/7 rule here. preety basic..only blocking few /32 ip. CF blocking P2P, Video and Gaming

Philip D'Ath · ‎10-13-2017

I think you might be affected by the IP Reputation/URL filtering issue. This was resolved in 13.3. I think you should upgrade to the beta firmware.

You can read about the issue here:

https://documentation.meraki.com/MX-Z/Content_Filtering_and_Threat_Protection/Content_Filtering/Content_Filtering_Troubleshooting

"Sometimes, sites will be blocked even though their URL category is not blocked. Usually this happens when the IP has a bad reputation but the URL reputation is good. This happens commonly with very large domains like Google that own many IP addresses and sometimes purchase new IP addresses that have not yet been re-categorized to take their new owner into consideration. In situations like this, these IPs sometimes have a category of 'Phishing and Other Frauds,' or various other categories that may actually be blocked:"

enchesiah · ‎10-13-2017

Meraki support told me that V13 will not even solve my issue. I have to schedule a firmware update and they need to manually push V14 for this issue to be resolve. But its on Bata. Scary. I just dont understand why Cisco Meraki cannot make a windows update to work on a stable firmware?

NWArikLev · ‎10-13-2017

I would assign a group policy only to the server to disable AMP just for those devices. Then try windows update again.

PT5 · ‎10-13-2017

Seen similar problem with MX64/65/84.

Found that it corrected by turning AMP off, waiting a bit (minutes) then turning it back on, this allowed updates to proceed.

Havent seen the problem in a while, so may have been covered in a recent update - we are running typically newer than stable release.

Ryan-Zimmerle · ‎10-13-2017

@enchesiah I wrote out a really lengthy reply and added screenshots, it now disappeared or was removed, did you get a chance to see that reply?

enchesiah · ‎10-13-2017

I saw it on my email and Im trying to reply and then its gone on the forum .. someone deleted it maybe for privacy issue? Its funny that it works for you but not me. I did not have the chance to look at your screenshot. I guess i have no choice but to upgrade to the new beta firmware... im sure it will work. Worst case Revert back to V12. Thank you again for all your help !!

Ryan-Zimmerle · ‎10-13-2017

@enchesiah

I am not sure what it was removed, there was nothing in there that was a privacy concern. Anyway, earlier I was testing with a Win 7 box, when I tested with a Win 10 box, bam right away Windows Update broke. I am running MX 12.24 on this MX 100, I moved the client over to my MX 250 running MX 14.XX and right away the updates started working. I can confirm there is an issue here and I was able to replicate it exactly as you described.

Ryan

enchesiah · ‎10-13-2017

Yes its a known issue i guess... just not happy with Meraki ignoring this major issue for so long... Its been going on for months... their only solution is by upgrading to the Beta firmware. Why is there not a stable version that has this issue resolved? Why does paid customer production network needs to be their lab rat? Anyway ill update to V14. Thank you for doing all this for me !!

ekrileyinvestments · ‎11-30-2018

This is STILL and issue (11/2018). We haven't been able to access any Windows updates for over a month. We did have AMP enabled at our colo (MX 100 running 13.33) How TF can this be an open issue with production firmware Meraki? Not being able to update Windows is almost criminal. Disabled AMP on the network and updates are working.

Nolan H. · ‎11-30-2018

@ekrileyinvestments

I understand the frustration, however I think it might be OK now to upgrade to 14.X if your willing. That seems to have fixed the issue based on others from this thread.

ekrileyinvestments · ‎11-30-2018

This will be the third *major* issue that we've encountered this year where the fix was installing beta firmware. That's nuts.

enchesiah · ‎11-30-2018

Disabling AMP for 10 min and enable it works for me. Try that.

CarolineS-Meraki · ‎10-13-2017

Hi @enchesiah and @Ryan-Zimmerle -
Apologies about the message getting deleted - our community's spam filter is a bit over-active and it flagged that post. I added it back. I'm also looking into how to tone down the filter!
Cheers!
- Caroline

Ryan-Zimmerle · ‎10-13-2017

Hello @CarolineS1,

Thank you for jumping in here and letting us know, so nice to have some Cisco Meraki presence here.