Meraki

Community

vMX vpn concentrator/hub mode - Anyconnect client internet connectivity

Shaun1387
Getting noticed
‎Jun 29 2023 3:22 AM
‎Jun 29 2023 3:22 AM

vMX vpn concentrator/hub mode - Anyconnect client internet connectivity

Hi All,

 

I think im missing something fundamental here but i cant see where.

 

I have a vMX in Azure which is configured in VPN concentrator hub mode with 2 auto-vpn spoke sites connected. All good there. The two spoke sites are also connected to umbrella SIG.

 

The vMX is talking BGP to an azure route server to provide connectivity to back end servers in a handful of azure vnets. This is also working fine for auto-vpn clients at the spokes.

 

I have now configured the vMX Hub for anyconnect client connectivity which is working fine for access to auto-vpn prefixes (so internal stuff including the servers in azure), but the anyconnect clients cant get any traffic out to the internet via the vMX. I have configured the vMX to push out the SIG DNS servers (and tried it with googles DNS servers also) but it just seems that any internet bound traffic from the clients arrives at the vMX, but doesnt know where to go from there. 

 

I cant see any default routing in the vMX route table either so that may well be the issue but i cant see any way of getting a def route in the route table at all so im at a bit of a loss as to how this is supposed to work. 

 

Can anyone put me right here ? I cant see where to go next.

 

Cheers

Shaun

 

 

 

 

0 Kudos
4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 29 2023 4:36 AM
‎Jun 29 2023 4:36 AM

Take a look at this session.

 

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance#Client_Routing

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Shaun1387
Getting noticed
‎Jun 29 2023 5:10 AM
‎Jun 29 2023 5:10 AM

Many thanks Alemabrahao,

 

Is the only way of making this work to enable client split tunnelling ?

 

This leads me to another question actually. Should i be able to get an auto-vpn tunnel up between the vMX i have configured as concentrator/hub, and the umbrella SIG hubs ? I have never been able to get those connectors up unless the MX is a spoke.

 

I was thinking that if i could get that working then the SIG hubs should inject a default route in via iBGP and allow the clients to use SIG for DNS and webProxy which would work for this use case.

 

if not then, how do we address situations where a vMX is used as a hub as i have described and we need client (including anyconnect client) web to go through the vMX to take advantage of traffic shaping or policy rules defined there or even to make use of the SIG web proxy etc ?

 

Thanks again for any insights

 

Cheers

Shaun

 

 

 

 

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 29 2023 1:16 PM
‎Jun 29 2023 1:16 PM

Azure (and AWS) does not allow external subnets to be NATed to be able to access the Internet.  It is expected behaviour to not be able to access the Internet via a full tunnel connection to a VMX.

 

Have you considered using the SASE approach instead and Cisco+ Secure Connect?  It sounds like you might have the components already to do this.
https://documentation.meraki.com/CiscoPlusSecureConnect 

0 Kudos
Shaun1387
Getting noticed
‎Jul 3 2023 1:29 AM
‎Jul 3 2023 1:29 AM

Hi Philip, 

 

Thanks for that info , its cleared up that  point. I have been trying to understand why i couldn't get that flying for a while now.

 

Yeah, i had thought initially if i could get the MX Hub to talk to umbrella SIG then that should do it and I have umbrella connectors on my spoke sites which work fine, but i cant seem to get the SASE tunnels up between the HUB and umbrella, should that work ?

 

Not wanting to derail this topic but I was also looking at scenarios where hosts within azure need to get to the internet but via the HUB MX so policy can be applied, not directly out via Azure. Im fairly new to Azure so i may be missing something fundamental here but i cant get that to work either, im wondering if I need to be looking at something like a def route in azure pointing to the MX.... ? im not even sure if it can be done. ?

 

Thanks again for the pointers everyone. Very much appreciated.

 

Shaun

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.