Meraki

Community

Replaced vMX-100 with vMX-M....and now servers in AWS cannot reach main office (autovpn)

Solved
bluecavalry
Here to help
‎Jul 9 2022 7:03 PM
‎Jul 9 2022 7:03 PM

Replaced vMX-100 with vMX-M....and now servers in AWS cannot reach main office (autovpn)

Hello Community,

We were forced into swapping out the vMX100 for a vMX-M, and now we cannot reach the servers on AWS.   It seems to be an issue with the AWS server instances' route back to the vMX-M.

 

1) YES.  autoVPN is up - able to ping LAN interface of redeployed vMX-M over autoVPN.

               * this shows that the main office can reach the AWS subnet connection directly on vMX

2) YES.  local connectivity good within AWS - able to ping servers from vMX-M

                 * this shows that the vMX is in the correct subnet - local connectivity

 

3) YES.  static AWS route changed to new to vMX-M instance for all 10.0.0.0/8 (private)

                 * this should have been the fix.  Meraki Support also thought this should be enough.

 

4) NO.  Cannot ping servers on other side of vMX-M from the main office over autoVPN.

                * this is the issue.  The servers do NOT know how to route back to the main office (over autovpn)

 

Note-1: Meraki Support verified what I am seeing via packet captures.

 

Note-2: I have console access to one of the AWS servers.  Same result.   Yes. This AWS server can ping all devices in the AWS server subnet including the vMX firewall.   NO. It canNOT ping or traceroute back over the autovpn to the main office.  Employees cannot connect to AWS servers.

 

Very simple setup.  Meraki documentation does not help with the forced redeployment of a vMX-M.  What is the issue?   How to get the AWS servers to recognize the new vMX firewall?

 

Thanks in advance to anyone who can help solve this.  I thought this was going to be a 15min upgrade. 😰

 

 

Labels:
0 Kudos
1 Accepted Solution
MyHomeNWLab
A model citizen
‎Jul 9 2022 10:49 PM
‎Jul 9 2022 10:49 PM

The routing on the AWS side seems fine, but have you disabled the "Source/Destination check"?

 

vMX Setup Guide for Amazon Web Services (AWS) - Cisco Meraki
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Amazon_Web_Services_(...

> After the instance has launched, the Source/Destination check must be disabled for the vMX.

View solution in original post

3 Replies 3
MyHomeNWLab
A model citizen
‎Jul 9 2022 10:49 PM
‎Jul 9 2022 10:49 PM

The routing on the AWS side seems fine, but have you disabled the "Source/Destination check"?

 

vMX Setup Guide for Amazon Web Services (AWS) - Cisco Meraki
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Amazon_Web_Services_(...

> After the instance has launched, the Source/Destination check must be disabled for the vMX.

In response to MyHomeNWLab
bluecavalry
Here to help
‎Jul 9 2022 11:20 PM
‎Jul 9 2022 11:20 PM

It started working.

Wow. I am so embarrassed.  With Meraki Support we rebuilt the vMX three times.   We missed checking that box on the last instance that we built.  I just "stopped" it, and now traffic is going both ways over autoVPN network.

 

Thanks to everyone who helped me out on this.

 

 

0 Kudos
In response to bluecavalry
MyHomeNWLab
A model citizen
‎Jul 9 2022 11:43 PM
‎Jul 9 2022 11:43 PM

I'm glad the problem was solved.
I have also forgotten to set it up and spent a lot of time troubleshooting.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.