Meraki

Community

vMX AWS bi-directional communication

Solved
OSPF71
Here to help
‎Nov 21 2022 11:03 AM
‎Nov 21 2022 11:03 AM

vMX AWS bi-directional communication

Set up a vMX for the first time in our AWS account. Can communicate from any subnet in our corporate LAN to the windows servers on our VPC, but cannot communicate from the servers to any subnet beyond the vMX. Thought it was a ACL rule somewhere. Have tried explicitly allowing icmp but must be missing something simple. Any ideas from AWS experts?

 

0 Kudos
1 Accepted Solution
OSPF71
Here to help
‎Dec 1 2022 4:00 AM
‎Dec 1 2022 4:00 AM

After placing a ticket with AWS and verifying that the AWS side of the network was configured correctly, I submitted a case to Meraki support. Thanks to the tech who had me place the vMX into pass-through mode from routed in deployment settings. Just added the local AWS subnet to be advertised and it works as expected now.

View solution in original post

0 Kudos
5 Replies 5
MyHomeNWLab
A model citizen
‎Nov 21 2022 4:20 PM
‎Nov 21 2022 4:20 PM

1. What is the Mode of vMX?
I was curious because the default vMX mode has recently changed.

 

vMX Setup Guide for Amazon Web Services (AWS) - Cisco Meraki
https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Amazon_Web_Services_(...

> Change in default behaviour
>
> All new vMXens deployed post October, 31, 2022 will be deployed in Routed/NAT Mode Concentrator by default, existing vMX deployments will not be effected. If you wish to use the vMX in passthrough mode, please change the deployment settings to Passthrough or VPN Concentrator mode from the Security& SD-WAN > Configure > Addressing & VLANs page.

 


2. Have you set up a Route Table for return traffic on your AWS VPC?
When configured in Limited NAT mode, only communication from the corporate LAN to the Windows Server on AWS is possible without setting a return route.

Conversely, the AWS side will not be able to communicate with the corporate LAN.

The reason is that in Limited NAT mode, addresses on the corporate LAN side are hidden by the source NAT.

0 Kudos
In response to MyHomeNWLab
OSPF71
Here to help
‎Nov 22 2022 5:19 AM
‎Nov 22 2022 5:19 AM

The vMX is in default mode per the guide you reference, which I used to configure and deploy the vMX. As far as the route table, yes, I added a route table with all available subnets with the target as the vMX instance.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 22 2022 12:35 PM
‎Nov 22 2022 12:35 PM

The #1 problem I run into with this issue is  - Windows firewall on the host.  Try disabling it temporarily to see if the issue is resolved.

 

Do you have any Meraki organisation VPN firewall rules that could be at play?

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior 

 

>Can communicate from any subnet in our corporate LAN to the windows servers on our VPC, but cannot communicate from the servers to any subnet beyond the vMX.

 

I don't clearly understand.  You can talk to the machines in the VPC behind the Meraki VMX.  Are these other machines you can not talk to located in the same VPC or a different VPC?  Have all the subnets (at least in the same VPC) got the same AWS route table associated?

0 Kudos
In response to PhilipDAth
OSPF71
Here to help
‎Nov 22 2022 12:55 PM
‎Nov 22 2022 12:55 PM

The #1 problem I run into with this issue is  - Windows firewall on the host.  Try disabling it temporarily to see if the issue is resolved.

 

-That was the very first thing I did before looking at ACL's and Security group settings.

 

Do you have any Meraki organisation VPN firewall rules that could be at play?

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior 

 

-None

 

>Can communicate from any subnet in our corporate LAN to the windows servers on our VPC, but cannot communicate from the servers to any subnet beyond the vMX.

 

I don't clearly understand.  You can talk to the machines in the VPC behind the Meraki VMX.  Are these other machines you can not talk to located in the same VPC or a different VPC?  Have all the subnets (at least in the same VPC) got the same AWS route table associated?

 

Currently, the vMX is setup as a spoke connected to a specific data center hub. I can communicate from any subnet in the corporate LAN that is connected to that DC hub, to the servers in the VPC. The servers and vMX are in the same subnet. The subnet is associated with the routing table. The servers in the VPC need to talk to the servers in the DC hub but cannot. Looks like traffic is dropping off at the vMX.

0 Kudos
OSPF71
Here to help
‎Dec 1 2022 4:00 AM
‎Dec 1 2022 4:00 AM

After placing a ticket with AWS and verifying that the AWS side of the network was configured correctly, I submitted a case to Meraki support. Thanks to the tech who had me place the vMX into pass-through mode from routed in deployment settings. Just added the local AWS subnet to be advertised and it works as expected now.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.