Meraki

Community

Can't route to vMX in AWS from the office

Solved
Juraj7
Here to help
‎Apr 19 2023 4:42 PM
‎Apr 19 2023 4:42 PM

Can't route to vMX in AWS from the office

Scenario:

I got one MX68 in the office and 2 vMX in AWS cloud in different regions. There are servers in each region that I'm trying to connect to. All devices are in routed mode.

 

Devices connect via VPN without any issues.

 

Problem:

One arm configuration of vMX has me assigning IP address outside of the AWS subnet. This works for AnyConnect VPN and users can dial in to either vMX and authenticate via AD (routing to servers works). Issue now is that the site office is sending any traffic to the servers via internet, instead of VPN. When trying to add route, it complaints that there's no subnet defined and simply refuses. 

 

How to go about it?

 

for better visualisation:

MX68 (office): 192.168.0.0/24 (device 192.168.0.1)

vMX region1: 10.0.0.0/16 (device AWS assigned IP: 10.0.12.143)

vMX region2: 10.50.0.0/16 (deice AWS assigned IP: 10.50.1.42

 

I've tried to set the Meraki IP in Addressing & VLAN to the same IP as AWS assigned but it wasn't routing to my AD for authentication.

I've set it to outside of any AWS subnet which works for AD authentication and client VPN but then running into issues described above - office traffic routes via internet 

I've set the Meraki IP within AWS subnet but different IP that's not AWS assigned to 10.0.12.144. It wasn;t routing correctly and I got no responses and no VPN users authenticated via AD

 

thanks

0 Kudos
1 Accepted Solution
Juraj7
Here to help
‎Apr 26 2023 3:40 AM
‎Apr 26 2023 3:40 AM

thanks for assistance all. The issue was that there was no vMX template in a second region so we used AWS site-to-site VPN and VPC peering to get the connectivity going at the beginning. This has interfered with Meraki's routing and was the cause of the issues.

 

After removing all site-to-site VPNs and VPC peering I've changed all the routing back to respective vMXs and it all started to flow beautifully.

View solution in original post

0 Kudos
20 Replies 20
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 5:37 PM
‎Apr 19 2023 5:37 PM

Are you sure that you have a site to site VPN with AWS?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Juraj7
Here to help
‎Apr 19 2023 5:39 PM
‎Apr 19 2023 5:39 PM

I don't believe I said that.. I have mesh VPN between all Meraki devices.

0 Kudos
In response to Juraj7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 5:45 PM
‎Apr 19 2023 5:45 PM

Great, Will I configure the vMX so that the networks participate in the VPN?

 

Screenshot_20230419-214358.png

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Juraj7
Here to help
‎Apr 19 2023 5:57 PM
‎Apr 19 2023 5:57 PM

I did not and when I enquired with support (ticket still opened) they said it's not necessary. VPN connectivity seems fine.. I understood that as a single exit which we don't want. Not all traffic is routed via VPN, only VPN traffic (split tunnel)

msedge_Um0P5aC1my.png

 

0 Kudos
In response to Juraj7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 6:02 PM
‎Apr 19 2023 6:02 PM

Yes it is, otherwise you won't have the routes to the destination networks in your office's MX routing table. I think that was a misguided response on their part.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Juraj7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 6:16 PM
‎Apr 19 2023 6:16 PM

What I'm trying to say is that you don't need to configure any interface or route on your office's MX, Just configure vMX region1: 10.0.0.0/16 and vMX region2: 10.50.0.0/16 networks to participate on auto VPN and the routes will be added automatically on your office's MX.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Juraj7
Here to help
‎Apr 19 2023 6:22 PM
‎Apr 19 2023 6:22 PM

Meraki says that I do need it.. if you have vMX, what did you put in? Same IP as the device, different but same AWS subnet or something outside of your AWS subnet?

msedge_fTuIbJwfH9.png

0 Kudos
In response to Juraj7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 6:26 PM
‎Apr 19 2023 6:26 PM

Just configure vMX region1: 10.0.0.0/16 and vMX region2: 10.50.0.0/16 networks to participate on auto VPN and the routes will be added automatically on your office's MX. You don't need any additional configuration, buddy.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Juraj7
Here to help
‎Apr 19 2023 6:28 PM
‎Apr 19 2023 6:28 PM

But the system won't let me accept no entry or empty entry - I need to have value. Can you post screenshot from your setup? Seems unlikely that you were able to do it...

0 Kudos
In response to Juraj7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 6:32 PM
‎Apr 19 2023 6:32 PM

Go to Security & SD-WAN > Configure > Site-to-site VPN and enable that.

 

alemabrahao_0-1681954343910.png

 

 

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Juraj7
Here to help
‎Apr 19 2023 6:36 PM
‎Apr 19 2023 6:36 PM

I have that enabled.

msedge_gWmpbDVwiC.png

0 Kudos
In response to Juraj7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 6:37 PM
‎Apr 19 2023 6:37 PM

And how about your MX68 network 192.168.0.0/24?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Juraj7
Here to help
‎Apr 19 2023 6:39 PM
‎Apr 19 2023 6:39 PM

also enabled

msedge_QXg0ThqQDb.png

0 Kudos
In response to Juraj7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 6:44 PM
‎Apr 19 2023 6:44 PM

So, there is not any additional configuration. Are you trying to access your devices on AWS by IP or by name? 

If you perform a traceroute what is the result?

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Juraj7
Here to help
‎Apr 19 2023 6:49 PM
‎Apr 19 2023 6:49 PM

by IP. As mentioned above, when I have the Meraki IP set as the device, it doesn't NAT out due to one-arm configutration. If I set it to outside of AWS subnet, it routes correctly for the client VPN users but my office device only sends to that subnet, which is outside of 10.50.0.0/16 and 10.0.0.0/16 respectively. So this is what I'm trying to square primarily...

0 Kudos
In response to Juraj7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 20 2023 4:06 AM
‎Apr 20 2023 4:06 AM

Here you can check how to troubleshoot it:

 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 19 2023 6:28 PM
‎Apr 19 2023 6:28 PM

And you have to do the same for your MX68 network 192.168.0.0/24, just enable on auto VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 20 2023 2:22 PM
‎Apr 20 2023 2:22 PM

For a VMX, you need to add the routes (10.0.0.0/16 and 10.50.0.0/16) under:

Security & SD-WAN/Site-to-site VPN/VPN Settings/Local networks

 

PhilipDAth_0-1682025757754.png

 

0 Kudos
In response to PhilipDAth
Juraj7
Here to help
‎Apr 25 2023 4:39 PM
‎Apr 25 2023 4:39 PM

It's already defined correctly there...

0 Kudos
Juraj7
Here to help
‎Apr 26 2023 3:40 AM
‎Apr 26 2023 3:40 AM

thanks for assistance all. The issue was that there was no vMX template in a second region so we used AWS site-to-site VPN and VPC peering to get the connectivity going at the beginning. This has interfered with Meraki's routing and was the cause of the issues.

 

After removing all site-to-site VPNs and VPC peering I've changed all the routing back to respective vMXs and it all started to flow beautifully.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.