Meraki

Community

Issues resolving DNS queries with vMX in concentrator mode

Solved
AFarnsworth
Conversationalist
‎May 15 2024 10:18 PM
‎May 15 2024 10:18 PM

Issues resolving DNS queries with vMX in concentrator mode

We currently have a vMX in Routed mode because of some headaches concentrator mode has been causing but I am hoping to flip back to concentrator mode soon to resolve some issues caused by not having bidirectional traffic.

 

Our current setup is:

 

On prem (10.1.0.0/24) -> Meraki MX (10.1.0.1) -> S2S VPN -> vMX (10.2.0.1) -> AWS Transit Gateway -> Server VPC (10.3.0.0/24)

 

The server VPC route table is:

10.1.0.0/24 -> Transit Gateway

10.2.0.0/24 -> Transit Gateway

10.3.0.0/24 local

 

TGW route table:

10.1.0.0/24 -> vmx vpc

10.2.0.0/24 -> vmx vpc

10.3.0.0/24 -> server vpc

 

vMX VPC route table is:

10.1.0.0/24 -> vMX ENI

10.2.0.0/24 local

10.3.0.0/24 -> Transit Gateway

 

Security groups and nacls are wide open for testing this but DNS servers that live in the server VPC will not respond to clients on-prem and I am genuinely am out of ideas as to why they won't respond.

 

I can send ICMP packets bidirectionally w/o issue but DNS packets just won't send past the VMX. Not sure where else to look but has anyone else experienced anything similar?

Labels:
0 Kudos
1 Accepted Solution
AFarnsworth
Conversationalist
‎May 20 2024 7:08 AM
‎May 20 2024 7:08 AM

Hey all, appreciate all the info. Found out that it was because I have the site-to-site VPN setup as the default route after being in concentrator mode. After flipping that everything worked as expected. Thanks!

View solution in original post

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 16 2024 2:08 AM
‎May 16 2024 2:08 AM

The #1 most common I run into when investigating these is - Windows Firewall.  Try disabling Windows Firewall on the server.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 16 2024 2:11 AM
‎May 16 2024 2:11 AM

Also, have you added the VPC supernet under Local Networks in the Meraki Dashboard under site-to-site VPN settings?

 

PhilipDAth_0-1715850652975.png

 

0 Kudos
VictorYang
Meraki Employee
Meraki Employee
‎May 16 2024 8:04 PM
‎May 16 2024 8:04 PM

If the ICMP ping is bidirectional that would proof at least the routing is ok. I would suggest you check the firewall rules on meraki site to site VPN, AWS and the server end to check if there is any rules might block the traffic.

You may take a packet capture on the VMX end and filter out DNS to check if the respond DNS has forwarded to VMX or not to narrow down

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
AFarnsworth
Conversationalist
‎May 20 2024 7:08 AM
‎May 20 2024 7:08 AM

Hey all, appreciate all the info. Found out that it was because I have the site-to-site VPN setup as the default route after being in concentrator mode. After flipping that everything worked as expected. Thanks!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.