Using the Cisco Meraki Device Local Status Page (2024)

Last updated
Save as PDF

Most Cisco Meraki devices have a local status page that can be accessed to makelocal configuration changes, monitor device status and channel utilization, and performlocal troubleshooting. This article provides instructions on how to access the local status page, the functions/information available on it, and how to manage and access them.

Accessing the Local Status Page

The local status page of anyMeraki device is accessible via the web browser of a host machine. By default, users are required to log in to pages that provide configurable options. The local status page uses digest authentication with Message DigestAlgorithm 5 (MD5) hashing for the connection between the administering computer and the Meraki device to protect these sensitive settings.

The authentication credentials for a device that uses the default authentication credentials or a device that has not fetched configuration willdepend on the firmware version the device is running.

MX devices running MX 19+ firmware,MS devices running MS 17+ firmware and MS390/Catalyst devices running CS 17+ firmwarewill use the usernameadminandthe password will be the serial number of the device (upper case letters and dashes).

All devices running other firmware versions will use the serial number of the device (upper case letters and dashes) as the username with no password.

As you know, Catalyst Switches thatare onboard your dashboard and operate in a Cloud Monitoring mode still run runIOS firmware. Therefore, they don't have a Local Status Page; instead,their AUX port behaves like a regular Out-Of-Band (OOB) interface. On the other hand, Catalyst Switches running in Meraki Mode runs firmware within CS family so theyhave a Local Status Page.

Authentication credentials should be changed to have a strong password after their initial use. Please see the Changing Log-In Credentials section below.

To reach MR devices, the client must be wirelessly connected to the access point(AP) using a configured service set identifier (SSID) or one of the SSIDs mentioned in the Default SSIDs section, such as"meraki-setup"SSID.However,MS and MX devices can be accessed by any device with access to their LAN IP. This is done by entering the LAN IP address in the URL bar of a web browser. Additionally, each device can be accessed by DNS name if the client traffic passes through the device while browsing the following URLs.This can be useful for determining whichAP/switch/firewall a client's traffic is going through to reach the internet.

MR-http://ap.meraki.com
MS-http://switch.meraki.com
MX-http://mx.meraki.comorhttp://wired.meraki.com
MG-http://mg.meraki.com
Any-http://setup.meraki.comorhttp://my.meraki.com

Note: TheseURLswill work for anyMeraki deviceslisted above, but will only access the first device in its path.

Since the URL abovecan be used to access the local status page, UDP port 53 is enabled on Meraki devices and will be detected as open by any scanning tool.

If access by DNS name is not possible, you can access the local status page by IP address. This isoften helpful when initiallyconfiguring thedevice on a network without DHCP, or when setting a device's IP configuration prior to deployment.

Note: MR does not provide access to the local status page via a wired connection (for example, when a client is connected directly to one of the AP's Ethernet ports) for security reasons. Refer to the subsequent section for access to local status page via SSID.

MR- 10.128.128.126
In order to access this address, configure a device with the following IP settings, and then browse the address in a web browser.
IP address: 10.128.128.125
Subnet mask: 255.255.255.0
MS :Select MS switches have a dedicated management port that can be used without needing toseta static IP on your client. When connected to the management port of a Meraki switch, your device can obtain the appropriate IP settings via DHCP. Alternatively, the following IP settings can be usedby the client device to access the Local Status Page.
- MS390andC9300-M on firmwareversions CS 16and higher:198.18.0.1
  In order to access this address, configure a device with the following IP settings, and then browsethe address in a web browser.
  IP address: 198.18.0.2
  Subnet mask:255.255.255.240
  DNS: 198.18.0.1
- MS390andC9300-M on firmwareversions CS 15.21.1 and lower:10.128.128.130
  In order to access this address, configure a device with the following IP settings, and then browsethe address in a web browser.
  IP address: 10.128.128.132
  Subnet mask:255.0.0.0
  DNS: 10.128.128.130
- All other MS switches- 1.1.1.100
  In order to access this address, configure a device with the following IP settings, and then browsethe address in a web browser.
  IP address: 1.1.1.99
  Subnet mask: 255.255.255.0
MX- (varies)
Most MX models have a dedicated management port used to access the local status page. In addition, all models can access the local status page using the MX LAN IP address.
By default, MXdevices run DHCP. Once the client is connected to a LAN interface of the MX, find the client's IP address and default gateway, then open the default gateway address in a web browser.

Note:If the MX security applianceis in passthrough mode and its uplinkis on a subnet that overlaps with a remote subnet over VPN, either the MX will need to be temporarily removed from VPN to be accessed locallyor the local status page can only be accessed via VPN.

MG - (varies)
Thelocal status page is accessible at the MG cellular gateway'sLAN IP address.By default, MGdevices run DHCP. Once the client is connected to a LAN interface of the MG cellular gateway, find the client's IP address and default gateway, then open the default gateway address in a web browser.

Local Status Page Options

Every device's status page includes useful information about the status of the device, limited configuration options (such as setting a static IP), and other tools. This section will cover what is available for each device.

MR Series

MR access points provide the following information and configuration options on their local status page:

Connection
Provides information regarding the client's connectivity to the access point, the access point'scurrent network and channels, as well as other cloud connectivity and status information.
- Speed test
  Provides a tool for conducting a speed test from the wireless client to the access point.
- Access point details
  Provides utilization information about the hardwareand the channels being used by the access point you are connected to.

The channel utilization information on the local status page is sourced from the client-serving radio. The client-serving radio on the Merakiaccess point has a counter that is updated every 20 seconds. Counters indicate how many times the AP was transmitting, receiving, and saw congestion on the channel, as well as the total cycle count. After every threeseconds, the AP reads the counters and computes the difference between the value from threeseconds ago and the new value. This difference is used to calculate the channel utilization and is displayed on the local status page.

Neighbors
Provides information about any neighboring access points. Includes information like SSID, BSSID, signal (signal-to-noise ratio inDB), channel, mode, and encryption.
Configure
Provides options for setting the IP address of the access point, putting the MRaccess point into site survey mode(seeConducting Site Surveys with MR Access Points), manual channel and power adjustment, and configuring a proxy for Merakicloud traffic.Also on this page, you can find the Download support data function (see more inSupport Data Bundle (SDB) article). This will allow you to download a special file to submit to Merakisupportfor additional troubleshooting if you are unable to get the unit online.

Note: The web proxy (HTTP proxy) option on the local status page allows specific management traffic from an MR to be directed to an HTTP proxy server instead of an AP directly reaching out to the Meraki dashboard. All APs running MR 27.X or older firmware support web proxy.

With MR 28.X and MR 29.X firmware, Wi-Fi 6 and newer APs use a Transport Layer Security (TLS) on portTCP 443to connect to the Meraki dashboard. Therefore, Wi-Fi 6 and newer APs running MR 28.X and MR 29.X firmware do not support the web proxy option.

MR 30.X added a new HTTP CONNECT proxy option for Wi-Fi 6 and newer APs. For more information, please refer to HTTP CONNECT Proxy Support on MR Access Points.

MS Series

MS switches offer the following information and configuration options on their local status page:

Connection
Provides information regarding the client's connectivity to the switch, the switch's current network, as well as other cloud connectivity and status information.

Uplink configuration
- Provides options for setting the IP address of the switch, other addressing settings, or configuring a proxy for HTTP traffic.
- The Download support data function willallow you to download a special file to submit to Merakisupportfor additional troubleshooting if you are unable to get the unit online (see more inSupport Data Bundle (SDB) article).
- Thepacket capture option will assist with troubleshooting Meraki Cloud connectivity. Additionally, there is a packet capture tool found here that will assist with troubleshooting Meraki Cloud connectivity on a switch uplink.

Note:The HTTP proxy allows all default management traffic from the Meraki device to be sent through a proxy. This does not include optional cloud communication, including Auto VPNand 802.1xauthentication traffic.HTTP proxy is no longer supported on MS 15+ firmware. Nodes that use HTTP proxy without any other means to connect to dashboard may fail to connect.

Note:The localstatuspage packet capture requires a minimum firmware version of MS16 and is only supported on a single physical port.

Additionally, the packet capture function found on the local status page has a default filter that is specific to Meraki Cloud Connectivity requirements and will not capture or display anything outside of that filter. This filter is not configurable.

This filter is set to capture the following traffic patterns to/from the switch MAC which were determined to be critical to Meraki Cloud connectivity:

ARP,
DHCP (UDP 67/68)
DNS (TCP/UDP 53)
ICMP (type 0, 3 and 8)
UDP 7351
HTTPS (TCP 443)
LLDP

MX Series with Single Dedicated WAN Link

MX security appliances with single dedicated WAN links offer the following information and configuration options on their local status pages:

Connection
Provides information regarding the client's connectivity to the appliance, the appliance's current network, uplink status, as well as other cloud connectivity and status information.
- Speed test
  Provides a tool for conducting a speed test from the client to the appliance.

NOTE:The speed test functionality has been deprecated and removed as of MX18 firmware releases and later on all platforms, regardless of uplink types or counts.

Configure
- Provides options for setting the IP address of the appliance on its WAN interfaces, enabling WAN port 2, other addressing settings, or configuring a proxy for HTTP traffic.
- The Download support data function willallow you to download a special file to submit to Merakisupportfor additional troubleshooting if you are unable to get the unit online (see more inSupport Data Bundle (SDB) article).

Ethernet
Allows local changes to the speed/duplex settings of the internet/WAN and LAN ports.

MX Series with Multiple Dedicated WAN Links

MX security appliances with multiple dedicated WAN links offer the following information and configuration options on their local status pages:

Connection
Provides information regarding the client's connectivity to the appliance, the appliance's current network, uplink status, as well as other cloud connectivity and status information.
- Speed test
  Provides a tool for conducting a speed test from the client to the appliance.

NOTE:The speed test functionality has been deprecated and removed as of MX18 firmware releases and later on all platforms, regardless of uplink types or counts.

Configure
- Provides options for setting the IP address of the appliance on its WAN interfaces, other addressing settings, or configuring a proxy for HTTP traffic.
- The Download support data function willallow you to download a special file to submit to Merakisupportfor additional troubleshooting if you are unable to get the unit online (see more inSupport Data Bundle (SDB) article).

Ethernet
Allows local changes to the speed/duplex settings of the internet/WAN and LAN ports.

MX Series with Multiple Dedicated SFP WAN Links

MX security appliances with dedicated Small-Form Factor Plugable (SFP) WAN links offer the following information and configuration options on their local status pages:

Connection
- Provides information regarding the client's connectivity to the appliance, the appliance's current network, uplink status, as well as other cloud connectivity and status information.
- Speed test
  Provides a tool for conducting a speed test from the client to the appliance.
- The Download support data function willallow you to download a special file to submit to Merakisupportfor additional troubleshooting if you are unable to get the unit online (see more inSupport Data Bundle (SDB) article).

NOTE:The speed test functionality has been deprecated and removed as of MX18 firmware releases and later on all platforms, regardless of uplink types or counts.

Configure

Provides options for setting the IP address of the appliance on its WAN interfaces, enabling WAN port 2, other addressing settings, or configuring a proxy for HTTP traffic.

Ethernet
Allows local changes to the speed/duplex settings of the internet/WAN and LAN ports.

Note:Navigating to http://wired.meraki.com or http://mx.meraki.com when directlyconnected to a LAN port on a spare MX security appliance inactive MX warm spare deployments will present the local status page of the primary MX appliance. The spare must be disconnected from the LAN in order to access its local status page. This does not apply to MX security appliance models with a dedicated management port, as their local status page can be accessed directly using that port.

MX Series with Wireless

The Local Status Page tabs and navigation instructions are the same as for their non-wirelessMX modelversion presented above. In addition, the Connection tab provides information similar toan MR device's LSP.

MX Series with Integrated Cellular

The Local Status Page tabs and navigation instructions are the same as for their non-cellular MXmodel version presented above. Furthermore, the tabs can display information similar to what's described below for an MG device's LSP.

MG Series

Note:The speed test functionality on the local status page is deprecated on all MG cellular gateway devices starting with MG 3.1+ firmware.

MG21

MG21cellular gatewayprovides the following information and configuration options on their local status page:

Connection
Provides information regarding the client's connectivity to the MG cellular gateway, including the current cellular network status, cloud connectivity, and signal information.

Connection page from MG 1.11 onwards:

The connection statisticsis moved to Cellular Status Page

Cellular Status
- Speed test
  Provides a tool for conducting a speed test from the client to the gateway.The speed test functionality on the local status page is deprecated on all MG cellular gateway devices starting withMG 3.1+firmware.

Configure
Configure section contains options for modifying bearer settings such as Access Point Name (APN), PIN, and authentication. The Integrated Circuit Card Identifier(ICCID)of the SIM card and International Mobile Station Equipment Identity (IMEI) of the MG cellular gateway can also be found in this section as well. Safe Mode portionallows you to reconfigure port 1 into a WANrole for troubleshooting. To toggle port 1 from default operating mode intoSafe modeon the MG, check the box to Enable Safe Mode and save.

Note: The MG cellular gatewaywill perform a soft reset on both interfaces immediately after saving port 1 role change. For example, this isinsimilar fashion to the MX security appliance when enabling thesecondary WAN port on an MX64. It is recommended to toggle this change when out of production hours to prevent disruption of network connectivity.

Default Mode
This is the default mode that MG cellular gateway will be configured without-of-the-box orwhen a factory reset is performed.In default mode, the standard operation and roles of both ports on the MG cellular gateway are set asLAN ports. The left graphicshows both ports in their default role as LAN interfaces. Note the AC adapter port on the right side of port 1 for orientation.

Enabling Safe Mode
MG cellulargatewayscan beconfigured to have port 1as a WANuplink. The safe modeconfiguration allows for additional troubleshooting and firmware upgrades for pre-staging if a valid working cellular is unavailable.When in safe modemode,port 1 is converted into aWAN port to allow connection into a switch, router, or otheruplink.Similar to an MR access point, when plugged into a switchdevice itwill attempt to obtain a valid IP and reach out to the dashboard.When there is a valid wired network connection on port 1, the wired interfacewill take priority over thecellular interface even if the cellular interface is functioning properly.The right graphichighlights the port 1 configuration in the role as a WAN1 interface when enabling safe mode.

Note:When using safe mode, it is recommended to have access to a valid working internet-accessiblenetwork to allowthe cellular gateway to check in andpull configurations and firmware. Additionally, the MG cellulargatewayis not intended to be used in this mode for production.This mode is reserved as atroubleshooting tool for Support to assist with cellular interface issues and to allow the cellular gateways topull firmware upgrades without using cellular data. The dashboard will display an alert when the MG cellular gateway is configured in safe mode.

Access point Name Configurationcan be configured whenclicking on the cellular override drop-down menu.
Web proxy allows all default management traffic from the Meraki device to be sent through a proxy.
Download support datafunction willallow you to download a special file to submit to Merakisupportfor additional troubleshooting if you are unable to get the unit online (see more inSupport Data Bundle (SDB) article).

Ethernet
Allows local changes to the speed/duplex settings of the LAN ports.

Note:On the MG 1.11 beta, the Connection tab now only presents basic information about the carrier, APN, and signal strength. A new Cellular Status tab presents additionalinformation on the status of the cellular connection.

MG41

Cellular Status
The cellular statistics is moved to a new "Cellular Status" tab on the MG41.

Configure
The MG41 also provides an option to switch the SIM slot. If there is more than oneactive SIM card, its possible to set the APN settings for the standby SIM card in advance. If the primary SIM card needs special/private APN settingsdifferent from what the MG41is currently using, then the "Override Primary SIM" settingcan be used to override the necessary APN.
APN Configuration on Newer Firmware
On new versions of firmware, the Local Status Page offers two APN configuration options from the "Cellular Override" dropdown:
- "User Meraki Dashboard SIM settings" which has no text entry field below it.
- "Override Meraki Dashboard settings" which will leave space for you to enter an APN, as well as another box for entering IPv4/IPv6 preferences andusername/password settings.

Differences Between Old and New APN configurations Settings Compared
"Override Meraki Dashboard settings" works exactly as "Override SIM settings"did in the past, allowingyouto configure an APNwithout a dashboard connection and has been renamed to emphasize its difference from the other option which is not functionally the same as the previous "Don't Override SIM settings" option.
- "Use Meraki Dashboard SIM settings" is a functionally newoption which disables previously configured LSP APN configurations in favor of using the ones sent by the dashboard. It therefore acts as an “undo” button of sorts.

The MG41 has two PoE ports; however, the LAN1 port can be converted to WAN1using the Safe Mode option for additional troubleshooting.

Note - The MG41 does not support the SIMPIN feature as of yet. The feature will be added in the upcoming software releases.

Configuring the Local Status Page

The following dashboard configuration options may be used to control access to the local status page:

Changing Log-In Credentials

As mentioned in the Accessing the Local Status Pagesection above, the default credentials for the local status page should be modified to use an administrator-defined password. Navigate to Network-wide > Configure > General > Device configuration and provide a strong password. This password can then be used with the username "admin" to access certain pages, including the local status page. Note that the password you set will apply to all devices in your network.

Note: You canreset your local status page password back to default: delete the current passwordand then save the change;password willbe back to defaultafter your device gets new configuration from your Dashboard.

Controlling Remote Access to the Local Status Page

On MX series devices,by default, access to the local status page is only available to devices via the LAN IP address(es). However, it is possible to allow access via the WAN/internet IP as well.

Navigate to Security & SD-WAN >Configure > Firewall > Layer 3 > WAN appliance services.
In the field for Web(local status & configuration), enter "any" to allow access from any remote IPs,or enter address ranges in CIDR notationsseparated by commas.
Ex. 192.168.13.73/32, 192.168.47.0/24
Click Save Changes.

For all other devices, the local status page can be accessed by IP after enabling remote device status pages on the Network-wide > Configure >General page. This allows you to connect to the local status page of a Meraki device via its LAN IP over the network.

Disabling the Local Status Page

Though the local status page is enabled by default, administrators do have the option to disable the local status pageon their devices.

Note:The local status page allows administrators to change the IP configuration of theirMeraki devices. If the local status page is disabled and a device's current IP configuration does not allow it to contact the cloud controller, the only option will be to perform a factory reset and clear the local configuration (Resetting Cisco Meraki Devices to Factory Defaults article).

The option to enable/disable the local status page is available in the dashboard underNetwork-wide > General > Device configuration.

Note:If your device has aphysical managementport, itwill always remain active regardless of the value of this setting.

Troubleshooting the Local Status Page

Cannot connect to the local status page URLwhen wired

All DNS queries for setup.meraki.com (or any other local status page URL)that route through the MX or MS areintercepted and responded to with an "Arecord" pointing to the local IP address of the device's local status pageinterface.If DNS queries for setup.meraki.com(or any other local status page URL) do not pass through the Meraki device in question, the DNS queries will not resolve to the correct local IP address and clients will not be able to reach the local status page. You may also get anerror (example) shownbelow due to DNS not resolving to the local IP of Meraki device.

If a client is unable to resolve the local status page, be sure to checkthe following:

Client is connected to the network and is within the same subnet as the Meraki device.
DNS is set to the Meraki device IPor to a DNS server that will route through the Meraki device
Try all relevant local status page URLs (see top of this article)
Try incognito/private browsing to eliminate potential caching issues

This issue frequently occurs when the DNS server used by clients on the LAN does not send its DNS queries through the MX, as is the case when the DNS server uses a different default gateway. If this is the case,it can be resolved by either pointing the DNS server through the MX or by creating a specific "A record" in the DNS server to point the appropriate local status page URL to the correct device IP.

If the local status page URLs are still unreachable for some reason, the local status page can also be reached by going to the LAN IP of the device through a web browser. For more information about connecting to the local status page using a static IP, see theAccessing the Local Status Page section at the top of this article.

Cannot connect to the local status page when connected to an SSID

Both ap.meraki.com and my.meraki.com are locally-hosted sites useful for configuring an access point (AP) when it cannot reach the Meraki Cloud. This is often seen on a static, non-DHCP network or when there are strict firewall rules. After a Cisco MerakiAP has lost its connection to the Internet but is still receiving power, it will broadcast a default Service Set Identifier (SSID) that can be connected to for administrative tasks.

Connect to the default SSID by completing the following steps:

Physically inspect the AP
1. Check that the AP has power(see the LED codes section of MR installation Guides)
2. Copy the MAC address (see the Locating the MAC Address of Cisco Meraki Devices article).
Check for available wireless networks
1. Check if a known default SSID is being broadcast
If a default SSID is being broadcast, connect your device to it
If no known default SSIDs are present, set up a manual wireless network connection
1. For the SSID name, use 'meraki-<MAC_Address>', for example'meraki-xx:xx:xx:xx:xx:xx'.Replace the x's with the AP's MAC address in lower case

If a Meraki Access Point does not have a configuration from the Meraki Cloud Controller it will instead broadcast a default SSID of "Meraki-Scanning." The AP takes an address of 10.128.128.128, the SSID runs DHCP, and it will try to assign any clients that associate with it an address. This is merely to provide a connection between a client and the AP to allow for local configuration.

After connecting, open a web browser and connect to one of the localstatus page addresses
A list of the administrative tasks which are available to use can be found on the Using the Cisco Meraki Device Local Status Page article.

Default SSIDs

Potentialknown defaultSSID names along with potential causes/solutions:

<SSID_name>-bad-gateway

Cause: An AP's configured default gateway has failed to respond to 15 consecutive ARP requests.

Solution: Check the AP's IP address configuration and reachability to its default gateway.

<SSID_name>-connecting

Cause: An AP's SSID that is configured to use a VPN concentrator is unable to connect.

Solution: Verify connectivity to the concentrator using the tools in dashboard. Also, confirm that your local firewall is not blocking the connection.

<SSID_name>-scanning

Cause: Similar to 'bad-gateway', an AP is unable to connect to its default gateway.

Solution: Check the AP's IP address configuration and reachability to its default gateway.

Meraki Setup

Cause: An AP has never connected to the Meraki Cloud Controller (MCC) or has been factory reset.

Solution: Establish MCC connectivity for the AP by ensuring appropriate Internet access.

Note: MR46 (and other Wi-Fi 6 and newer APs) might not broadcast any of the default SSIDs out-of-the-box when running a factory firmware if an AP cannot acquire an IP address (e.g., networks without a DHCP server available).

In this scenario, the local status page cannot be used for an initial IP configuration, and the AP must be connected to the network with the DHCP server so the AP can connect to the dashboard.

IPv6 Support on MX Security & SD-WAN Platforms

LAN

The MX security appliance'slocal status pagecan be accessed using IPv6 via the browser by using the IPv6 address of an IPv6-enabled VLAN.

The local status page will report the existingIPv6 address of the uplink(s).IPv6 uplinkcannot be configured staticallyvia the local status page.

PPPoE

When configuring PPPoE through the local status page, both IPv4 and IPv6 will be negotiated in the same PPP session.

Similarly as to how we can manually set up the IPv4 address of our end of the PPP connection, it’s possible to configure a static link-local IPv6 address to be used in the PPP tunnel.

In the unlikely scenario where negotiating both IPv4 and IPv6 in the same PPP session causes the ISP to make the whole session fail, it’s possible to disable IPv6 over PPPoE by using the magic keyword “disabled” in the “IPv6 link-local address” field.

Refer to the main document: