Meraki

Community

vMX Medium - Azure - Site-to-Site tunnels never build

Concertium
Comes here often
‎Dec 30 2022 10:33 AM
‎Dec 30 2022 10:33 AM

vMX Medium - Azure - Site-to-Site tunnels never build

Hello All,

 

I have had 2 support calls on this topic and have been told it needs to go to development. This just can't be, everyone deploying this device would have the same issue.

 

Fresh deployment, out-of-the-box will not build a 3rd party tunnel (not auto vpn).

 

Is anyone else having this issue?

0 Kudos
9 Replies 9
Inderdeep
Kind of a big deal
Kind of a big deal
‎Dec 30 2022 10:57 AM
‎Dec 30 2022 10:57 AM

@Concertium : not sure if this helps you 

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
0 Kudos
In response to Inderdeep
Concertium
Comes here often
‎Dec 30 2022 11:54 AM
‎Dec 30 2022 11:54 AM

Yes, we have done the deployment many times.

After you deploy a fresh version. The vMX will not build tunnels.

0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 30 2022 11:38 AM
‎Dec 30 2022 11:38 AM

Let me get this straight, you want to set up a Non-Meraki VPN on a vMX, would that be it?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Concertium
Comes here often
‎Dec 30 2022 11:57 AM
‎Dec 30 2022 11:57 AM

Yes, we have tried a Non-Meraki Firewall (WatchGuard and FortiGate) and a Meraki Firewall MX95 (outside org) and the vMX does not respond/reply to packets.

0 Kudos
In response to Concertium
alemabrahao
Kind of a big deal
Kind of a big deal
‎Dec 30 2022 12:00 PM
‎Dec 30 2022 12:00 PM

Meraki is updating its device-to-cloud connectivity to an architecture that was crafted from the ground up to provide even greater security and simplicity for connectivity.

 

So, you have to follow this:

 

  • Preshared secret must be greater than 14 characters 
  • Authentication cannot be MD5 
  • Diffie-Hellman Group must be 14 
  • Phase 2 encryption cannot be NULL 
  • PFS can be configured to be either off or 14 

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Concertium
Comes here often
‎Dec 30 2022 12:09 PM
‎Dec 30 2022 12:09 PM

Correct. IKEv2 and RemoteID in use

Concertium_0-1672430926801.png

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 2 2023 12:46 PM
‎Jan 2 2023 12:46 PM

When you deploy the VMX, you need to make sure you don't select a zone so that a "Basic IP SKU" is used for the VMX.

https://community.meraki.com/t5/Documentation-Feedback-Beta/VMX-with-client-VPN-or-AnyConnect/m-p/14... 

 

If you check your VMX and find the IP address is a "Standard IP SKU" then you'll need to delete and re-deploy the VMX.

0 Kudos
In response to PhilipDAth
Concertium
Comes here often
‎Jan 3 2023 1:54 PM
‎Jan 3 2023 1:54 PM

Thanks for your reply.

 

Both AnyConnect and Client VPN, work without issue. We are not using a zone. it is set to "None" The IP using a "Basic" SKU

 

The problem is with Site-to-Sites tunnels not working

0 Kudos
rabusiak
Getting noticed
‎Jan 19 2023 8:41 AM
‎Jan 19 2023 8:41 AM

So far I setup only one tunnel with non-Meraki peer (virtual ASA) and I was fighting with it for couple of days.
Switching to IKEv1 and tunnel goes up right away.

There must be a reason why they keep this "red beta sign" next to the filed where you can change IKE version 😉

rabusiak_0-1674146456800.png

I would also leave Remote ID empty. Was forced to used Remote ID only once in my lifetime - when setting up tunnel between PaloAlto and vyOS nva few years back.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.