VMX with client VPN or AnyConnect

PhilipDAth
Kind of a big deal
Kind of a big deal

VMX with client VPN or AnyConnect

The documentation for deploying a VMX into Azure needs to be updated:

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure 

 

The text around this needs to be change:
"Zone: Select the appropriate Availability Zone (AZ) for the region selected above "

 

In all cases, you want an AZ Zone of "None" selected.

If you choose an AZ zone the "Standard IP SKU" will be used, which blocks all inbound traffic.  This prevents client VPN and AnyConnect from working.  It can not be fixed without deleting the whole VMX and redeploying.

 

If you choose an AZ zone of "None" the "Basic IP SKU" will be selected, which allows inbound traffic, and now client VPN and AnyConnect can work.

 

 

Also, from a security perspective, the local status page is accessible to anyone on the global Internet.  The documentation should recommend that users turn the local status page off.

 

Under troubleshooting, you can get a lot of info by enabling the local status page, and browsing to the public IP address of the VMX.  It'll tell you if it can talk to the Meraki cloud, if it is having DNS issues, if it is upgrading, etc.  But always turn the local status page back off when finished.

1 Reply 1
rhbirkelund
Kind of a big deal
Kind of a big deal

When I spent a lot of time with this, in a support call with both Meraki Support and Azure support, they were shooting back and forth about whose responsibility it was. But it concluded that it was Meraki who needs to update the managed app in Azure, as it was an issue with that. Last I saw the case was still open per. Nov'21, and had been open since 2019, with no resolution.

 

So why I agree with you @PhilipDAth that the Documentation needs to be updated, Meraki Engineering themselves need to look into the Managed App as well...

 

In my experience, there's also a certain order that needs to be followed when deploying the different ressources in the ressource group. And the Meraki vMX Managed App is alway the last step, since it "locks" the ressource group for further changes. At least that was my experience.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.