Azure vMX anyconnect clients to Azure resources

Kimmo2onenet
Here to help

Azure vMX anyconnect clients to Azure resources

I seem to have an issue when we deploy a vMX at Azure.
It spins up without any issues and L2L auto VPN works fine, we deploy AnyConnect VPN at it and can reach all the spokes and hubs from it with no issues.... but....

 

When you try to reach any Azure resources I can't see the traffic ever leaving any other interface than the AnyConnect VPN interface when I do a packet capture, and the client doesn't get any replies... ( of course )

Is there some routing needed on the vMX to get that to work, or is it so that the 3rd part responsible for Azure setups have missed something in routing on Azure side... ( I don't have access to that part at this customer... )

 

eg.
Azure anyconnect VPN net 10.1.1.0/23
MX IP at azure ( 1 interface outside ) 10.2.0.4/24
Azure resources 172.16.100.0/24 ( .5 for target for testing)

( yeah fake IP series used for this example 😉

4 REPLIES 4
alemabrahao
Kind of a big deal
Kind of a big deal

Is the VPN client IP range allowed in the network security group on Azure?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

They ( 3rd party -  that has access not me ... ) claim so yes and a route in the Meraki resource group pointing the VPN client net behind the IP on the device. 

Ask them to review these settings:

 

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure#Azure...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

Have you added the Azure subnets to the "local networks" page on the VMX?

 

Do the Azure subnets show up in the VMX route table?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.