vMX VPN Concentrator with Azure initial setup

roberc
New here

vMX VPN Concentrator with Azure initial setup

This morning I set up a vMX - S following this guide:

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

 

The vMX is connected to my dashboard and shows online.  I've set it to VPN Concentrator Mode.  Set to HUB in Site-to-Site VPN settings and added my two subnets (my VM subnet and the subnet the actual vMX device is on) in the Site-to-Site VPN settings Local addresses.  Both of these subnets are defined in my Virtual Network on the Azure side.

 

The Site-to-Site vpn is up between my physical MXs and the vMX (according the dashboard anyway).  I can ping the private IP of vMX from my physical clients and my VMs can ping the vMX.  However, my physical clients can't reach anything on the VM subnet and my VMs can't reach anything on the other side of the vMX.

 

I'm suspecting I didn't properly configure something in the "Additional Azure Route Table Configuration" step of the setup guide.  I set up a route with my VM Subnet defining it's next hop to be the private ip of the vMX and associated the VM Subnet, but I feel like I should need to create a route pointing the vMX back to the VM Subnet?  I'm not sure. 

 

According to the guide I should be finished, but I see no clients associated with the vMX network in the Meraki Dashboard (client tracking set to IP) and no traffic is passing my site-to-site VPNs.

 

Does anyone have any advice for troubleshooting?

3 Replies 3
roberc
New here

Update:

For some reason I read the guide as to put the local VM subnet as the destination address here

roberc_0-1721244386071.png

I fixed that to now send the traffic destined to the remote subnets to the vMX.  My VMs can ping my physical clients now, but physical clients still cannot reach the VMs.

ChileFlake
New here

did you find a solution ?

Mark_S
Meraki Employee
Meraki Employee

Hi roberc,

 

The best option to troubleshoot here would be to use the packet captures tool in dashboard, found under Network-wide > Packet capture.

Taking a capture on the Internet and Site-to-Site interfaces of the VMX should show traffic from the S2S VPN clients into Azure or vice versa, and depending on which traffic you see you can troubleshoot accordingly.

If you need assistance with the investigation, I would recommend opening a support case with Meraki support, if you haven't already.

Details on how to raise a case through dashboard or to call the support line can be found within the 'Get help & cases' page which is accessible in the ? icon menu in dashboard.

 

Regards, Mark_S

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Get notified when there are additional replies to this discussion.