vMX tunnels no traffic traversing.

BaronCSE
Here to help

Having reoccurring issues with vMX tunnels. We have a vMX as a hub with an on-prem ASA and Azure GW.

Issue: the vMX and ASA report the tunnel is up but traffic can't traverse it; this occurs randomly. The workaround is rebooting the vMX. I have another appliance, an MX85, connected to the remote ASA and Azure GW for testing. The vMX and MX85 are in the same organization, so they share the same parameters and creds with the non-Meraki peer. I have never had an issue with the MX85, but the vMX is constantly having issues maintaining the traffic.

Tshoot: I have tried multiple custom parameters, and now it's set to default, but I'm having the same issues. I have called Meraki support a couple of times, and what they always do is pcap ICMP from the vMX to the spokes and state that the vMX is sending the traffic. I do see it from the remote end, and I also see the remote end sending the traffic back, but it never gets to the vMX at all.

We have redeployed the vMX four times now and no luck yet.

Anyone having the same issue?

PhilipDAth
Kind of a big deal

On the Azure side, make sure the VMX is deployed with a "Zone" of "None". Check out this article I wrote about it:

https://community.meraki.com/t5/Documentation-Feedback-Beta/VMX-with-client-VPN-or-AnyConnect/m-p/14... 

You can check the SKU of the IP address to see if it was deployed with a zone of "None" or not.

If you didn't use a Zone of none, the inbound traffic to the VMX is not allowed, and the normal process of detecting when the VPN has an issue or needs rebuilding will fail.

BaronCSE
Here to help

Hi Phil,

Did you have an NSG when you deployed a vMX with a zone? Right now I have zone 1 and placed in an NSG on the subnet to allow traffic.

I have connectivity but am having issues maintaining the traffic; it randomly drops packets every 1-2 weeks for non-Meraki VPN, but with Auto VPN and AnyConnect I have never had an issue.

PhilipDAth
Kind of a big deal

When the zone is set to "none" there is no NSG.

BaronCSE
Here to help

But did you have an NSG when you deployed a vMX with a zone?

PhilipDAth
Kind of a big deal

I don't remember clearly now - but yes, I think when deployed with a zone it used an NSG.
