Anyconnect to VMX issue

Solved
Gareth_Parry
Here to help


Hi,

I have successfully installed a vMX in Azure and created site-to-site VPNs from all our Meraki MX devices to the vMX. I can access resources in Azure from our sites and vice versa.

I have set up AnyConnect on the vMX and can connect successfully; however, I can't reach any resources in Azure or at our sites.

Azure resource range 10.0.0.0/24, with the resource I'm trying to connect to at 10.0.0.4

vMX resource range 10.0.2.0/24, with the vMX on 10.0.2.7

AnyConnect range 192.168.44.0/24, with client routing set to send traffic destined for 10.0.0.0/24

When I connect AnyConnect, I can see the route 10.0.0.0/24 in the route details of the AnyConnect client.

When I ping 10.0.0.4 from my client connected via AnyConnect, I can see the traffic in the vMX packet capture for the Internet interface, but no response is found.

Has anybody had this before, and have they solved it?

Thanks

Gareth

 


11 Replies
alemabrahao
Kind of a big deal

How are your ACL settings on Azure?
What about the routing table on Azure?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi,

Could you expand more on this?

I have a route table attached to the subnet for 10.0.0.0/24 that has all my sites in it, with the next hop IP as 10.0.2.7 (the vMX).

Thanks

Gareth

https://learn.microsoft.com/en-us/azure/virtual-network/manage-route-table

https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal


Hi,

Thanks, but I'm not sure what to do here. I have a route table for 10.0.0.0/24; do I also need to create a route table for 10.0.2.0/24?

For the VM on 10.0.0.4 I have allowed inbound and outbound traffic from 192.168.44.0/24 and 10.0.2.0/24.

Thanks

Gareth

PhilipDAth
Kind of a big deal

If you can't get to your other sites over AutoVPN, have you included the AnyConnect subnet in AutoVPN?

Does Azure have a route to your vMX for the AnyConnect subnet?

MartinLL
Getting noticed

Firstly, are 10.0.0.0/24 and 10.0.2.0/24 in the same VNet? If so, routing between those resources is already in place by default.

Second, did you remember to add a route to the route table attached to the subnet 10.0.0.0/24 containing 192.168.44.0/24, pointing to next hop NVA 10.0.2.7? Without BGP there is no way for Azure to tell that you have that range as your client VPN range.
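To make the accepted answer concrete, here is an added example (my own, not MartinLL's, Meraki's or Microsoft's code) that models Azure's route selection for the thread's addresses: longest prefix wins and a user-defined route beats a system route, so without a UDR for 192.168.44.0/24 the VM's reply follows the 0.0.0.0/0 system route to the Internet instead of returning to the vMX at 10.0.2.7. The VNet address space 10.0.0.0/16 and the branch range 172.16.10.0/24 are assumed values, not from the thread.

```python
import ipaddress

# Constructed model of the thread's Azure layout, not the poster's real config.
# Assumed: both subnets sit in one VNet with address space 10.0.0.0/16.
VNET_SPACE = "10.0.0.0/16"
VMX_IP = "10.0.2.7"                 # the vMX acting as the NVA next hop
ANYCONNECT_POOL = "192.168.44.0/24"
BRANCH_SITE = "172.16.10.0/24"      # assumed branch range, not from the thread

# Azure's default system routes, simplified: VNet space is delivered
# in-VNet, everything else falls through to the Internet route.
SYSTEM_ROUTES = [(VNET_SPACE, "VirtualNetwork", None),
                 ("0.0.0.0/0", "Internet", None)]


def next_hop(dst, user_routes):
    """Return the (hop_type, hop_ip) Azure would choose for dst.
    Longest prefix match wins; a user-defined route beats a system
    route of equal length, which is how a UDR overrides the defaults."""
    addr = ipaddress.ip_address(dst)
    ranked = [(1,) + r for r in user_routes] + [(0,) + r for r in SYSTEM_ROUTES]
    best = None
    for prio, prefix, hop_type, hop_ip in ranked:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or (net.prefixlen, prio) > best[0]):
            best = ((net.prefixlen, prio), hop_type, hop_ip)
    return best[1], best[2]


def reply_reaches_vmx(client_ip, user_routes):
    """True when the VM's reply to an AnyConnect client is steered back
    to the vMX rather than leaking out via the Internet system route."""
    return next_hop(client_ip, user_routes) == ("VirtualAppliance", VMX_IP)


if __name__ == "__main__":
    # Route table as first described: only the branch sites via the vMX.
    udr = [(BRANCH_SITE, "VirtualAppliance", VMX_IP)]
    print(next_hop("10.0.0.4", udr))        # ('VirtualNetwork', None): ping arrives
    print(next_hop("192.168.44.10", udr))   # ('Internet', None): reply never returns
    # The accepted fix: one more UDR entry for the AnyConnect pool.
    udr.append((ANYCONNECT_POOL, "VirtualAppliance", VMX_IP))
    print(next_hop("192.168.44.10", udr))   # ('VirtualAppliance', '10.0.2.7')
```

The actual fix is the single UDR entry this models, e.g. `az network route-table route create -g <resource-group> -r <route-table> -n anyconnect-clients --address-prefix 192.168.44.0/24 --next-hop-type VirtualAppliance --next-hop-ip-address 10.0.2.7` (resource group and table name are placeholders).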

 

Got it!

Both 10.0.0.0/24 and 10.0.2.0/24 were in the same VNet (under the subnet section), but I had not added 192.168.44.0/24 to the routing table. Added, and now working as expected. Thanks for this.

Having said that, I'm now having issues with my site-to-site connections since I set up the AnyConnect VPN.

When on site I connect through the Meraki site-to-site tunnels to a server in Azure, I keep getting odd failures like "the connection has been reset" or, when accessing SQL, "A transport-level error has occurred when receiving results from the server. (provider: Session Provider, error: 19 - Physical connection is not usable)".

When I connect the AnyConnect VPN whilst on site (so the traffic goes through this and not the site-to-site connection), it works fine.

Can't see how those two are related. I assume that Azure knows how to get to your spokes? Same as with AnyConnect, you need to add your spoke ranges to the route tables as well.

Yes, it does. I already added the IP ranges of each of the sites to the route table with the hop via the vMX. I can ping the networks from a server in Azure. It's like it's losing packets.

OK, keep in mind that SQL is very picky about latency. Other than that, I don't think this is an Auto-VPN related issue.
