Using the Cisco Meraki Device Local Status Page

Most Cisco Meraki devices have a local status page that can be accessed to make local configuration changes, monitor device status and channel utilization,
and perform local troubleshooting. This article provides instructions on how to access the local status page, the functions/information available on it, and how to
manage and access them.

Accessing the Local Status Page

The local status page of any Meraki device is accessible via the web browser of a host machine. By default, users are required to log in to pages that provide
configurable options. The local status page uses digest authentication with Message Digest Algorithm 5 (MD5) hashing for the connection between the
administering computer and the Meraki device to protect these sensitive settings.

The username for devices that have default authentication credentials or have not fetched configuration will be the serial number (upper case letters and
dashes) with no password. Authentication credentials should be changed to have a strong password after their initial use. Please see the Changing Log-In
Credentials section below.

To reach MR devices, the client must be wirelessly connected to the access point (AP) using a configured service set identifier (SSID) or the "meraki-
setup" SSID. However, MS and MX devices can be accessed by any device with access to their LAN IP. This is done by entering the LAN IP address in the URL
bar of a web browser. Additionally, each device can be accessed by DNS name if the client traffic passes through the device while browsing the following
URLs. This can be useful for determining which AP/switch/firewall a client's traffic is going through to reach the internet.

• MR - http://ap.meraki.com
• MS - http://switch.meraki.com
• MX - http://mx.meraki.com or http://wired.meraki.com
• MG - http://mg.meraki.com
• Any - http://setup.meraki.com or http://my.meraki.com

Note: These URLs will work for any Meraki devices listed above, but will only access the first device in its path.

Since the URL above can be used to access the local status page, UDP port 53 is enabled on Meraki devices and will be detected as open by any
scanning tool.

If access by DNS name is not possible, you can access the local status page by IP address. This is often helpful when initially configuring the device on a
network without DHCP, or when setting a device's IP configuration prior to deployment.

Note: MR does not provide access to the local status page via a wired connection (for example, when a client is connected directly to one of the AP's
Ethernet ports) for security reasons. Refer to the subsequent section for access to local status page via SSID.

• MR - 10.128.128.126
In order to access this address, configure a device with the following IP settings, and then browse the address in a
web browser.
IP address: 10.128.128.125

1
 Subnet mask: 255.255.255.0
• MS - 1.1.1.100
In order to access this address, configure a device with the following IP settings, and then browse the address in a
web browser.
IP address: 1.1.1.99
Subnet mask: 255.255.255.0

Note: Select MS switches have a dedicated management port that can be used without needing to set a static IP on your client.

• MS390 - 10.128.128.130
In order to access this address, configure a device with the following IP settings, and then browse the address in a
web browser.
IP address: 10.128.128.132
Subnet mask:255.0.0.0
DNS: 10.128.128.130

Note: MS390 switch does have a dedicated management port however, in the scenario where you are not able to access the local status page,
please configure the above static settings on your device to get to the local status page.

• MX - (varies)
Most MX models have a dedicated management port used to access the local status page. In addition, all models
can access the local status page using the MX LAN IP address.
By default, MX devices run DHCP. Once the client is connected to a LAN interface of the MX, find the client's IP
address and default gateway, then open the default gateway address in a web browser.

Note: If the MX security appliance is in passthrough mode and its uplink is on a subnet that overlaps with a remote subnet over VPN, either the MX
will need to be temporarily removed from VPN to be accessed locally or the local status page can only be accessed via VPN.

• MG - (varies)
The local status page is accessible at the MG cellular gateway's LAN IP address. By default, MG devices run
DHCP. Once the client is connected to a LAN interface of the MG cellular gateway, find the client's IP address and
default gateway, then open the default gateway address in a web browser.

Local Status Page Options

Every device's status page includes useful information about the status of the device, limited configuration options (such as setting a static IP), and other tools.
This section will cover what is available for each device.

MR Series
MR access points provide the following information and configuration options on their local status page:

• Connection
Provides information regarding the client's connectivity to the access point, the access point's current network and
channels, as well as other cloud connectivity and status information.

2
◦ Speed test
Provides a tool for conducting a speed test from the wireless client to the access point.
◦ Access point details
Provides utilization information about the hardware and the channels being used by the access point you are
connected to.

3
 The channel utilization information on the local status page is sourced from the client-serving radio. The client-serving radio on the Meraki access
point has a counter that is updated every 20 seconds. Counters indicate how many times the AP was transmitting, receiving, and saw congestion on
the channel, as well as the total cycle count. After every three seconds, the AP reads the counters and computes the difference between the value
from three seconds ago and the new value. This difference is used to calculate the channel utilization and is displayed on the local status page.

• Neighbors
Provides information about any neighboring access points. Includes information like SSID, BSSID, signal (signal-to-
noise ratio in DB), channel, mode, and encryption.
• Configure
Provides options for setting the IP address of the access point, putting the MR access point into site survey
mode (see Conducting Site Surveys with MR Access Points), manual channel and power adjustment, and
configuring a proxy for Meraki cloud traffic. Also on this page, you can find the Download support data function (see
more in Support Data Bundle (SDB) article). This will allow you to download a special file to submit to
Meraki support for additional troubleshooting if you are unable to get the unit online.

Note: The web proxy (HTTP proxy) option on the local status page allows specific management traffic from an MR to be directed to an HTTP proxy
server instead of an AP directly reaching out to the Meraki dashboard. All APs running MR 27.X or older firmware support web proxy.

With MR 28.X and MR 29.X firmware, Wi-Fi 6 and newer APs use a Transport Layer Security (TLS) on port TCP 443 to connect to the Meraki
dashboard. Therefore, Wi-Fi 6 and newer APs running MR 28.X and MR 29.X firmware do not support the web proxy option.

MR 30.X added a new HTTP CONNECT proxy option for Wi-Fi 6 and newer APs. For more information, please refer to HTTP CONNECT Proxy
Support on MR Access Points.

4
MS Series
MS switches offer the following information and configuration options on their local status page:

• Connection

5
 Provides information regarding the client's connectivity to the switch, the switch's current network, as well as other
cloud connectivity and status information.

• Uplink configuration
◦ Provides options for setting the IP address of the switch, other addressing settings, or configuring a proxy for
HTTP traffic.
◦ The Download support data function will allow you to download a special file to submit to Meraki support for
additional troubleshooting if you are unable to get the unit online (see more in Support Data Bundle (SDB)
article).
◦ The packet capture option will assist with troubleshooting Meraki Cloud connectivity. Additionally, there is a
packet capture tool found here that will assist with troubleshooting Meraki Cloud connectivity on a switch
uplink.

Note: The HTTP proxy allows all default management traffic from the Meraki device to be sent through a proxy. This does not include optional cloud
communication, including Auto VPN and 802.1x authentication traffic.

Note: The local status page packet capture requires a minimum firmware version of MS16 and is only supported on a single physical port.

6
 Additionally, the packet capture function found on the local status page has a default filter that is specific to Meraki Cloud Connectivity requirements
and will not capture or display anything outside of that filter. This filter is not configurable.

This filter is set to capture the following traffic patterns to/from the switch MAC which were determined to be critical to Meraki Cloud connectivity:

• ARP,
• DHCP (UDP 67/68)
• DNS (TCP/UDP 53)
• ICMP (type 0, 3 and 8)
• UDP 7351
• HTTPS (TCP 443)
• LLDP

• Switch port status

Provides information regarding the configuration and status of ports on this switch.

7
• Switch ports configuration
Provides options for limited configuration changes on switch ports, including enabled/disabled, native VLAN, and
link negotiation.

8
MX Series with Single Dedicated WAN Link
MX security appliances with single dedicated WAN links offer the following information and configuration options on their local status pages:

• Connection
Provides information regarding the client's connectivity to the appliance, the appliance's current network, uplink
status, as well as other cloud connectivity and status information.
◦ Speed test
Provides a tool for conducting a speed test from the client to the appliance.

NOTE: The speed test functionality has been deprecated and removed as of MX18 firmware releases and later on all platforms, regardless of uplink
types or counts.

• Configure
◦ Provides options for setting the IP address of the appliance on its WAN interfaces, enabling WAN port 2, other
addressing settings, or configuring a proxy for HTTP traffic.
◦ The Download support data function will allow you to download a special file to submit to Meraki support for

9
 additional troubleshooting if you are unable to get the unit online (see more in Support Data Bundle (SDB)
article).

Note: The HTTP proxy allows all default management traffic from the Meraki device to be sent through a proxy. This does not include optional cloud
communication, including Auto VPN and 802.1x authentication traffic.

• Ethernet
Allows local changes to the speed/duplex settings of the internet/WAN and LAN ports.

10
MX Series with Multiple Dedicated WAN Links
MX security appliances with multiple dedicated WAN links offer the following information and configuration options on their local status pages:

• Connection
Provides information regarding the client's connectivity to the appliance, the appliance's current network, uplink
status, as well as other cloud connectivity and status information.
◦ Speed test
Provides a tool for conducting a speed test from the client to the appliance.

NOTE: The speed test functionality has been deprecated and removed as of MX18 firmware releases and later on all platforms, regardless of uplink
types or counts.

11
• Configure
◦ Provides options for setting the IP address of the appliance on its WAN interfaces, other addressing settings, or
configuring a proxy for HTTP traffic.
◦ The Download support data function will allow you to download a special file to submit to Meraki support for
additional troubleshooting if you are unable to get the unit online (see more in Support Data Bundle (SDB)
article).

Note: The HTTP proxy allows all default management traffic from the Meraki device to be sent through a proxy. This does not include optional cloud
communication, including Auto VPN and 802.1x authentication traffic.

12
• Ethernet
Allows local changes to the speed/duplex settings of the internet/WAN and LAN ports.

13
MX Series with Multiple Dedicated SFP WAN Links
MX security appliances with dedicated Small-Form Factor Plugable (SFP) WAN links offer the following information and configuration options on their local
status pages:

• Connection
◦ Provides information regarding the client's connectivity to the appliance, the appliance's current network, uplink
status, as well as other cloud connectivity and status information.

14
 ◦ Speed test
Provides a tool for conducting a speed test from the client to the appliance.
◦ The Download support data function will allow you to download a special file to submit to Meraki support for
additional troubleshooting if you are unable to get the unit online (see more in Support Data Bundle (SDB)
article).

NOTE: The speed test functionality has been deprecated and removed as of MX18 firmware releases and later on all platforms, regardless of uplink
types or counts.

• Configure

Provides options for setting the IP address of the appliance on its WAN interfaces, enabling WAN port 2, other addressing settings, or configuring a
proxy for HTTP traffic.

Note: The HTTP proxy allows all default management traffic from the Meraki device to be sent through a proxy. This does not include optional cloud
communication, including Auto VPN and 802.1x authentication traffic.

15
• Ethernet
Allows local changes to the speed/duplex settings of the internet/WAN and LAN ports.

16
17
 Note: Navigating to http://wired.meraki.com or http://mx.meraki.com when directly connected to a LAN port on a spare MX security appliance in active
MX warm spare deployments will present the local status page of the primary MX appliance. The spare must be disconnected from the LAN in order
to access its local status page. This does not apply to MX security appliance models with a dedicated management port, as their local status page
can be accessed directly using that port.

MX Series with Wireless

The Local Status Page tabs and navigation instructions are the same as for their non-wireless MX model version presented above. In addition, the Connection
tab provides information similar to an MR device's LSP.

MX Series with Integrated Cellular

The Local Status Page tabs and navigation instructions are the same as for their non-cellular MX model version presented above. Furthermore, the tabs can
display information similar to what's described below for an MG device's LSP.

MG Series

Note: The speed test functionality on the local status page is deprecated on all MG cellular gateway devices starting with MG 3.1+ firmware.

MG21
MG21 cellular gateway provides the following information and configuration options on their local status page:

• Connection

Provides information regarding the client's connectivity to the MG cellular gateway, including the current cellular network status, cloud connectivity, and
signal information.

18
Connection page from MG 1.11 onwards:

19
The connection statistics is moved to Cellular Status Page

• Cellular Status

20
 ◦ Speed test

Provides a tool for conducting a speed test from the client to the gateway. The speed test functionality on the local status page is deprecated on all MG
cellular gateway devices starting with MG 3.1+ firmware.

• Configure

Configure section contains options for modifying bearer settings such as Access Point Name (APN), PIN, and authentication. The Integrated Circuit
Card Identifier (ICCID) of the SIM card and International Mobile Station Equipment Identity (IMEI) of the MG cellular gateway can also be found in this
section as well. Safe Mode portion allows you to reconfigure port 1 into a WAN role for troubleshooting. To toggle port 1 from default operating mode
into Safe mode on the MG, check the box to Enable Safe Mode and save.

Note: The MG cellular gateway will perform a soft reset on both interfaces immediately after saving port 1 role change. For example, this is in similar
fashion to the MX security appliance when enabling the secondary WAN port on an MX64. It is recommended to toggle this change when out of
production hours to prevent disruption of network connectivity.

21
◦ Default mode

This is the default mode that MG

cellular gateway will be configured
with out-of-the-box or when a factory
reset is performed. In default mode, the
standard operation and roles of both
ports on the MG cellular gateway are
set as LAN ports. The left graphic shows both ports in their default role as LAN interfaces. Note the AC adapter port on the right side of port 1
for orientation.

◦ Enabling Safe Mode

MG cellular gateways can be configured to have port 1 as a WAN uplink. The safe mode configuration allows for additional troubleshooting
and firmware upgrades for pre-staging if a valid working cellular is unavailable. When in safe mode mode, port 1 is converted into a WAN port
to allow connection into a switch, router, or other uplink. Similar to an MR access point, when plugged into a switch device it will attempt to
obtain a valid IP and reach out to the dashboard. When there is a valid wired network connection on port 1, the wired interface will take priority
over the cellular interface even if the cellular interface is functioning properly. The right graphic highlights the port 1 configuration in the role as
a WAN1 interface when enabling safe mode.

Note: When using safe mode, it is recommended to have access to a valid working internet-accessible network to allow the cellular gateway
to check in and pull configurations and firmware. Additionally, the MG cellular gateway is not intended to be used in this mode for
production. This mode is reserved as a troubleshooting tool for Support to assist with cellular interface issues and to allow the cellular
gateways to pull firmware upgrades without using cellular data. The dashboard will display an alert when the MG cellular gateway is
configured in safe mode.

◦ Access point Name Configuration can be configured when clicking on the cellular override drop-down menu
◦ Web proxy allows all default management traffic from the Meraki device to be sent through a proxy

22
 ◦ Download support data function will allow you to download a special file to submit to Meraki support for
additional troubleshooting if you are unable to get the unit online (see more in Support Data Bundle (SDB)
article).

Ethernet

Allows local changes to the speed/duplex settings of the LAN ports.

23
 Note: On the MG 1.11 beta, the Connection tab now only presents basic information about the carrier, APN, and signal strength. A new Cellular
Status tab presents additional information on the status of the cellular connection.

MG41
Cellular Status

The cellular statistics is moved to a new "Cellular Status" tab on the MG41.

24
25
Configure

The MG41 also provides an option to switch the SIM slot. If there is more than one active SIM card, its possible to set the APN settings for the standby SIM card
in advance. If the primary SIM card needs special/private APN settings which is different from what the MG41 is currently using, then the override primary SIM
setting can be used to override the necessary APN.

The MG41 has two PoE ports; however, the LAN1 port can be converted to WAN1 using the Safe Mode option for additional troubleshooting.

Note - The MG41 does not support the SIM PIN feature as of yet. The feature will be added in the upcoming software releases.

26
Configuring the Local Status Page
The following dashboard configuration options may be used to control access to the local status page:

Changing Log-In Credentials

As mentioned in the Accessing the Local Status Page section above, the default credentials for the local status page are the serial number of the device (upper-
case letters with dashes) for the username, and a blank password. After their initial use these default credentials should be modified to use an administrator-
defined password. Navigate to Network-wide > Configure > General > Device configuration and provide a strong password. This password can then be
used with the username "admin" to access certain pages, including the local status page. Note that the password you set will apply to all devices in your
network.

Controlling Remote Access to the Local Status Page

On MX series devices, by default, access to the local status page is only available to devices via the LAN IP address(es). However, it is possible to allow access
via the WAN/internet IP as well.

1. Navigate to Security & SD-WAN > Configure > Firewall > Layer 3 > WAN appliance services.
2. In the field for Web (local status & configuration), enter "any" to allow access from any remote IPs, or enter
address ranges in CIDR notations separated by commas.
Ex. 192.168.13.73/32, 192.168.47.0/24
3. Click Save Changes.

For all other devices, the local status page can be accessed by IP after enabling remote device status pages on the Network-wide > Configure > General
page. This allows you to connect to the local status page of a Meraki device via its LAN IP over the network.

Disabling the Local Status Page

Though the local status page is enabled by default, administrators do have the option to disable the local status page on their devices.

Note: The local status page allows administrators to change the IP configuration of their Meraki devices. If the local status page is disabled and a
device's current IP configuration does not allow it to contact the cloud controller, the only option will be to perform a factory reset and clear the local
configuration (Resetting Cisco Meraki Devices to Factory Defaults article).

The option to enable/disable the local status page is available in the dashboard under Network-wide > General > Device configuration.

Note: If your device has a physical management port, it will always remain active regardless of the value of this setting.

Troubleshooting the Local Status Page

Cannot connect to the local status page URL when wired

All DNS queries for setup.meraki.com (or any other local status page URL) that route through the MX or MS are intercepted and responded to with an

27
"A record" pointing to the local IP address of the device's local status page interface. If DNS queries for setup.meraki.com (or any other local status page
URL) do not pass through the Meraki device in question, the DNS queries will not resolve to the correct local IP address and clients will not be able to reach the
local status page. You may also get an error (example) shown below due to DNS not resolving to the local IP of Meraki device.

If a client is unable to resolve the local status page, be sure to check the following:

• Client is connected to the network and is within the same subnet as the Meraki device.
• DNS is set to the Meraki device IP or to a DNS server that will route through the Meraki device
• Try all relevant local status page URLs (see top of this article)
• Try incognito/private browsing to eliminate potential caching issues

This issue frequently occurs when the DNS server used by clients on the LAN does not send its DNS queries through the MX, as is the case when the DNS
server uses a different default gateway. If this is the case, it can be resolved by either pointing the DNS server through the MX or by creating a specific "A
record" in the DNS server to point the appropriate local status page URL to the correct device IP.

If the local status page URLs are still unreachable for some reason, the local status page can also be reached by going to the LAN IP of the device through a
web browser. For more information about connecting to the local status page using a static IP, see the Accessing the Local Status Page section at the top of
this article.

Cannot connect to the local status page when connected to an SSID

Both ap.meraki.com and my.meraki.com are locally-hosted sites useful for configuring an access point (AP) when it cannot reach the Meraki Cloud. This is often
seen on a static, non-DHCP network or when there are strict firewall rules. After a Cisco Meraki AP has lost its connection to the Internet but is still receiving
power, it will broadcast a default Service Set Identifier (SSID) that can be connected to for administrative tasks.

Connect to the default SSID by completing the following steps:

1. Physically inspect the AP

a. Check that the AP has power (see the LED codes section of MR installation Guides)
b. Copy the MAC address (see the Locating the MAC Address of Cisco Meraki Devices article).
2. Check for available wireless networks
a. Check if a known default SSID is being broadcast
3. If a default SSID is being broadcast, connect your device to it
4. If no known default SSIDs are present, set up a manual wireless network connection
a. For the SSID name, use 'meraki-<MAC_Address>', for example 'meraki-xx:xx:xx:xx:xx:xx'. Replace the x's
with the AP's MAC address in lower case

28
 If a Meraki Access Point does not have a configuration from the Meraki Cloud Controller it will instead broadcast a default SSID of "Meraki-Scanning."
The AP takes an address of 10.128.128.128, the SSID runs DHCP, and it will try to assign any clients that associate with it an address. This is merely
to provide a connection between a client and the AP to allow for local configuration.

5. After connecting, open a web browser and connect to one of the local status page addresses

6. A list of the administrative tasks which are available to use can be found on the Using the Cisco Meraki Device Local Status Page article.

Default SSIDs
Potential known default SSID names along with potential causes/solutions:

<SSID_name>-bad-gateway

Cause: An AP's configured default gateway has failed to respond to 15 consecutive ARP requests.

Solution: Check the AP's IP address configuration and reachability to its default gateway.

<SSID_name>-connecting

Cause: An AP's SSID that is configured to use a VPN concentrator is unable to connect.

Solution: Verify connectivity to the concentrator using the tools in dashboard. Also, confirm that your local firewall is not blocking the connection.

<SSID_name>-scanning

Cause: Similar to 'bad-gateway', an AP is unable to connect to its default gateway.

Solution: Check the AP's IP address configuration and reachability to its default gateway.

Meraki Setup

Cause: An AP has never connected to the Meraki Cloud Controller (MCC) or has been factory reset.

Solution: Establish MCC connectivity for the AP by ensuring appropriate Internet access.

Note: MR46 (and other Wi-Fi 6 and newer APs) might not broadcast any of the default SSIDs out-of-the-box when running a factory firmware if an AP
cannot acquire an IP address (e.g., networks without a DHCP server available).

In this scenario, the local status page cannot be used for an initial IP configuration, and the AP must be connected to the network with the DHCP
server so the AP can connect to the dashboard.

IPv6 Support on MX Security & SD-WAN Platforms

LAN
The MX security appliance's local status page can be accessed using IPv6 via the browser by using the IPv6 address of an IPv6-enabled VLAN.

The local status page will report the existing IPv6 address of the uplink(s). IPv6 uplink cannot be configured statically via the local status page.

29
PPPoE
When configuring PPPoE through the local status page, both IPv4 and IPv6 will be negotiated in the same PPP session.

30
Similarly as to how we can manually set up the IPv4 address of our end of the PPP connection, it’s possible to configure a static link-local IPv6 address to be
used in the PPP tunnel.

In the unlikely scenario where negotiating both IPv4 and IPv6 in the same PPP session causes the ISP to make the whole session fail, it’s possible to disable
IPv6 over PPPoE by using the magic keyword “disabled” in the “IPv6 link-local address” field.

31
Refer to the main document: IPv6 Support on MX Security & SD-WAN Platforms [Core Fundamentals]

32