vMX - Can't communicate with onsite networks

jweal8r
Here to help

I have been playing with the vMX in AWS, deployed using the cloud integration tool. I have the VPC and subnets set up, and the route tables have been updated to allow communication back to my internal network. I can ping an EC2 instance I stood up from my side of the network, but from the EC2 instance I can't ping back to an internal IP... what am I missing?

I have the vMX in passthrough or VPN concentrator mode.

The firewall on the vMX is set to allow any inbound and outbound.

Site-to-site VPN is on, and the AWS VPC subnet is enabled.

alemabrahao
Kind of a big deal

Do you have any firewall on both sides AWS or local network?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
jweal8r
Here to help

Not sure I understand your question; there are firewalls, but they are set to allow everything at the moment.

GreenMan
Meraki Employee

You don't say much about your spoke MX setup... Are the VLANs at the spoke set to VPN enabled, for example? What do you see in the MX route table at each end?

jweal8r
Here to help

On the Site-to-site VPN page I have Hub (Mesh) selected.

Under VPN settings I have the AWS VPC subnet listed with VPN enabled.

The route table on the MX shows green-status routes into ALL of my different subnets.

In AWS there are routes back to the subnet I am trying to reach.
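An added check for the AWS route-table point above (example code, not from the thread or from Meraki): given the Routes list as returned by `aws ec2 describe-route-tables`, it applies longest-prefix matching the way the VPC router does and reports whether the route that would carry traffic to an internal address actually points at the vMX's network interface. The ENI id, prefixes and route entries are constructed placeholders.

```python
import ipaddress

# Constructed sample shaped like the "Routes" list of one route table from
# `aws ec2 describe-route-tables`. All ids and prefixes are placeholders.
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    # on-prem summary route, correctly pointed at the vMX ENI
    {"DestinationCidrBlock": "192.168.0.0/16", "NetworkInterfaceId": "eni-VMX-PLACEHOLDER", "State": "active"},
    # a more specific route that shadows part of the summary and sends it to the IGW
    {"DestinationCidrBlock": "192.168.50.0/24", "GatewayId": "igw-EXAMPLE", "State": "active"},
    # a blackholed route (target was deleted); the VPC router ignores it
    {"DestinationCidrBlock": "10.99.0.0/16", "NetworkInterfaceId": "eni-GONE", "State": "blackhole"},
]

VMX_TARGET = "eni-VMX-PLACEHOLDER"  # placeholder for the vMX instance's ENI id


def route_target(route):
    """Return the target id of a route entry, whichever target key it uses."""
    for key in ("NetworkInterfaceId", "InstanceId", "GatewayId",
                "NatGatewayId", "TransitGatewayId", "VpcPeeringConnectionId"):
        if key in route:
            return route[key]
    return None


def matching_route(routes, dst_ip):
    """Longest-prefix match over active IPv4 routes, as the VPC router does."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        if r.get("State") != "active" or "DestinationCidrBlock" not in r:
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def check_return_path(routes, dst_ip, vmx_target):
    """'ok' if return traffic to dst_ip is routed to the vMX, else why not."""
    r = matching_route(routes, dst_ip)
    if r is None:
        return "no-route"
    target = route_target(r)
    if target == vmx_target:
        return "ok"
    return f"wrong-target:{target} via {r['DestinationCidrBlock']}"


if __name__ == "__main__":
    for ip in ("192.168.10.5", "192.168.50.7", "10.99.1.1"):
        print(ip, check_return_path(SAMPLE_ROUTES, ip, VMX_TARGET))
```

Run it against each route table associated with the EC2 instance's subnet; a "wrong-target" result for the internal host's address means the reply never reaches the vMX, whatever the MX side shows.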

GreenMan
Meraki Employee

But the main purpose of vMX is to make your AWS resources available to remote locations with MX appliances, via secure tunnels. What can you see from the remote MX(s)?

jweal8r
Here to help

That's what I am trying to accomplish, yes. But does it go both ways? Should I be able to access resources on my internal network from the AWS resources? Because that is where I am having trouble.

GreenMan
Meraki Employee

Yes, provided you have no VPN firewall rules configured, you should be able to establish flows in either direction. You may be best off raising a case with Meraki Support; having visibility of the Dashboard will be a massive help to anyone trying to troubleshoot with you.

PhilipDAth
Kind of a big deal

> the EC2 instance I can't ping back to an internal IP

Try temporarily disabling Windows Firewall on the internal machine to make sure it is not blocking the ping.

Make sure the on-premise MX has the VLAN where the internal machine is located included in AutoVPN.
