Routing issue with VMX and MX67

MACnCheese
New here

Hello,

I’m currently facing an issue I haven’t been able to resolve for several weeks.

I have a Meraki vMX deployed in Azure, intended to replace an older MX100. My goal is to route traffic from a branch MX67 through the vMX, which should then provide access to internal resources over an existing IPsec tunnel from Azure to our internal firewall.

Current Setup:

  • The vMX is online in the Meraki dashboard.

  • From the vMX, I can ping internal resources (e.g., 20.200.30.5).

  • The MX67 is configured to use the vMX as a Hub in the Site-to-Site VPN.

  • A static route for internal networks is set on the vMX, with VPN enabled.

  • An Azure route table is in place: 20.0.0.0/8 is routed to the Virtual Network Gateway (for the IPsec connection to on-prem).

  • On Azure, the IPsec tunnel is up between the vMX's VNet and the internal firewall.

Issue:

  • Devices behind the MX67 cannot reach internal servers (e.g., 20.200.30.5).

  • From a client connected to the MX67, a tracert to 20.200.30.5 stops at the local gateway (20.200.60.129); the traffic doesn’t even reach the vMX.

  • The MX67 can ping the vMX's LAN and WAN interfaces (20.200.40.4 and 20.200.55.4), but nothing beyond.

IP Overview:

  • vMX WAN: 20.200.55.4

  • vMX LAN: 20.200.40.4

  • MX67 LAN Gateway: 20.200.60.129

  • Internal Server: 20.200.30.5

The IP addresses I mentioned are placeholders only – we're not permitted to post actual IPs publicly. You can assume this is all within a private/internal network space.

 

Is there anything on the MX67 that could prevent VPN-routed traffic from being forwarded to the vMX? Should I adjust anything in Azure routing or the Meraki VPN settings to get this working?

 

Any suggestions or ideas on what to check would be greatly appreciated.

Thanks in advance!

rhbirkelund
Kind of a big deal

Have you configured your 20.200.30.5 networks as a Local network on the vMX, and enabled it in AutoVPN? If you do not see the Azure subnets in the route table of your MX67, it's not being announced from the vMX.

 

Besides this, isn't 20.0.0.0/8 a publicly announced subnet being used on the Internet?

https://ipinfo.io/ips/20.0.0.0/8

I would avoid using publicly routed IP addresses as private addresses...

LinkedIn ::: https://blog.rhbirkelund.dk/

All code examples are provided as is. Responsibility for Code execution lies solely your own.
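
The route-table check suggested in the reply above, as an added example that is not part of any post in this thread: a longest-prefix-match lookup over a constructed spoke route table, plus a check for internal prefixes outside RFC 1918 space. The route entries, subnet masks and the `local`/`vpn`/`wan` labels are assumptions built from the thread's placeholder addresses, not dashboard output.

```python
import ipaddress

# Constructed spoke (MX67) route tables using the thread's placeholder IPs.
# Masks are assumed; "vpn" = learned from the hub over the site-to-site VPN,
# "local" = directly connected, "wan" = default route to the Internet uplink.
ROUTES_WITHOUT_HUB_SUBNET = [
    ("20.200.60.128/25", "local"),
    ("20.200.40.0/24", "vpn"),
    ("0.0.0.0/0", "wan"),
]
ROUTES_WITH_HUB_SUBNET = ROUTES_WITHOUT_HUB_SUBNET + [("20.200.30.0/24", "vpn")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(routes, dest):
    """Longest-prefix match: return (prefix, via) for dest, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return (str(best[0]), best[1]) if best else None


def non_rfc1918(routes):
    """Prefixes treated as internal (local/vpn) that lie outside RFC 1918."""
    flagged = []
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if via != "wan" and not any(net.subnet_of(p) for p in RFC1918):
            flagged.append(prefix)
    return flagged


if __name__ == "__main__":
    for name, table in (("hub subnet missing", ROUTES_WITHOUT_HUB_SUBNET),
                        ("hub subnet announced", ROUTES_WITH_HUB_SUBNET)):
        print(name, "->", lookup(table, "20.200.30.5"))
    print("internal prefixes in public space:", non_rfc1918(ROUTES_WITH_HUB_SUBNET))
```

With the hub subnet absent, the only match for the server address is the default route, so the packet never enters the tunnel.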
MACnCheese
New here

the IP addresses I mentioned are placeholders only – we're not permitted to post actual IPs publicly. You can assume this is all within a private/internal network space.

 

That said, the vMX has our entire internal network defined as a Local Network, and Auto VPN is enabled accordingly. Apologies for any confusion caused.

 

IvanJukic
Meraki Employee All-Star

Hi @MACnCheese ,

 

As @rhbirkelund has mentioned, ensure the subnet/VLAN on the MX67 is enabled for VPN. See the guide below for detailed steps.

 

https://documentation.meraki.com/MX/Networks_and_Routing/Configuring_VLANs_on_the_MX_Security_Applia...

 

 


Cheers,

Ivan Jukić,
Meraki APJC

MACnCheese
New here

Hi,
We have it enabled.
If we set our MX100 as a hub for the MX67, everything works fine, but as soon as we change to the vMX it stops.
