Channel: StudioSysAdmins Message Board

Meraki. Why I'll never use them again.

posted by Greg Whynott on July 26, 2018, 12:25 p.m.
If you are not in the market for a firewall, APs or switch, bail now. If you are and considering Meraki, might want to read the below and do some googling. It's a bit long, sorry...



Back many moons ago I posted about a Meraki device I acquired. At first I was impressed with them, but that was before I started actually using them in a production environment.


Fast forward 2 or 3 years of using them and I am now of the opinion they are a steaming pile of _____. The hardware itself may be ok but everything beyond that has been a horrible experience.


For a small shop without the resources or skill set, I could see why someone might want to consider them. Even in that situation I would highly encourage someone to look elsewhere, such as Ubiquiti Network's offerings, which I have deployed for some side contract clients and they have been problem free and happy ever since.


I could go on at length about the things I perceive as problem areas with them but the items below are why I'll never deal with them again. Buy me a beer and I'll entertain you more. ;)


1. Licensing. This model is set up to extort, blackmail and be as clear as mud to the customer. Look at this and tell me how it makes sense. It's almost amusing listening to them try and explain it as if it was perfectly legit.

- we bought an MX100 for our VPN requirements. 1 year license
- acquired a MX65 with 3 year license for the wifi fw.

For about a year these were under the same 'network' on their dashboard. I went to apply another year license to the MX100 when it still had 40 days of support left on it according to the dashboard. When I applied the license it said it would expire in about 7 months. Scratching my head, I give them a call. In my mind we have over a year left on the MX65 and I just added another year of support to the MX100, why less than a year?

After talking to them and listening at length about 'co termination' BS and how they are shared, which still didn't add up in my mind, I asked "if we split them so they are not sharing licenses, will this fix things?" The answer was similar to "yes, then each license will reflect the full amount"..


So I split the networks.. After that was done I applied the 1 year license, in my mind with about 30 days remaining on the support for the MX100, adding a MX100 1 year support license should give me about 390 days of support. Instead it was 309 days!!! WTF, how does that work?

Then I look at my MX64 dashboard and see it says it'll expire NEXT month! Wait, we should still have about a year on that one....


So I ask "what's up here, please explain"...

The answer I get back is they are "sharing their time". The optics suggest they straight up ripped us off for about 2 years of support.

I'm still working with them on this in an effort to understand or correct, maybe common sense will prevail but confidence is low. I've never seen a more cantankerous licensing model in my life. Talk about smoke and mirrors and making it as complex as possible. The internet is full of people complaining about this, for a while I thought I was the only one who didn't "get it"...

How does applying a new 1 year license end up extending it by only 309 days on the MX100 and make the MX65 expire what appears to be 11 months prematurely? So odd...

One guy got a free "life time license" but after he started using it and added more Meraki devices, his life time license morphed into a 3 year license and Meraki's answer to that was "that makes sense"... ( https://community.spiceworks.com/topic/1425017-meraki-licensing-not-so-nice )


2. No insight. I have opened about 20 tickets over the last 2 years for things I could have easily looked into myself. But because they offer no access to the device, you can't view debug logs or do any other problem solving / investigation yourself without involving them.


3. Support. It's a bunch of kids, it appears. I noticed the Meraki was literally scanning our internal networks. Every day we would get 100s of messages that the MX100 was connecting to port 7 on all our internal machines. I open a ticket and the answer I get back after several weeks of back and forth (at one point support said "that's not port 7, that's the window size of the packet") A network support team who doesn't understand basic networking or isn't able to decode a simple packet trace.. great. They claim the Meraki is connecting to my internal machines because we are using AD to authenticate.. ???? ok....

Then they ask me "I see the account ads_proxy is used by a lot of machines, can you tell us about that account?". ads_proxy is the account we use to bind to the AD. How do they know all our internal machines are using that account to bind to the AD? This is a VPN device, there are no default routes to it. It concerns me they have such insight into our internal network. Were they doing unauthorized queries to our AD of some sort? It seems dirty and bad. I can't even add a rule to prevent this.


tldr. :)


-g