Secure Connect default route and VPN exclusion

Solved
Mitchell68
Comes here often

Secure Connect default route and VPN exclusion

Hello All,

 

I hope you are all well.

 

I have been continuing testing the Cisco Secure connect sites and the default route scenario. I had a few issues when enabling the default route with Meraki switches not communicating out to the Meraki cloud and Meraki APs showing as the wrong country...but the good people of Meraki support have resolved these problems and pointed me to the VPN exclusion...which worked.

 

However, I am still scratching my head as to why our Arctic Wolf sensors have now gone offline. I have added all the exclusions from Arctic Wolf whitepapers also to the VPN exclusion list and have also created a firewall rule and DNS policy to allow the AW sensors outbound traffic. Speaking with Arctic Wolf support they have said that I need to allow inbound traffic to the sensors.....this is strange as before with just the MX's the only exclusion was added to the Meraki outbound rule.

 

Any thoughts would be much appreciated.

1 Accepted Solution
SahandC
Meraki Employee
Meraki Employee

Within the scope of VPN exclusion rules, DNS only matches against queries sent over UDP 53 - https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

 

The Arctic Wolf whitepaper only seems to state TCP 443 so I'm guessing/assuming they're doing DNS over HTTPS (DoH).

 

Try changing the individual rules so the protocol is TCP, and port number is 443.

View solution in original post

5 Replies 5
SahandC
Meraki Employee
Meraki Employee

Hi Mitchell68,

 

Have you taken pcaps on LAN & Internet interfaces simultaneously to verify traffic is definitely breaking out of the VPN tunnel?

 

Can you share a screenshot with the portion of the configuration for the VPN exclusion rules, as well as the whitepaper you referenced?

 

Inbound traffic to the sensors is interesting, I'm wondering if they're considering if the Meraki MX appliance is a stateless firewall(?) (it's stateful).

Mitchell68
Comes here often

Hello Schalabi,

I hope you are well. 

I haven't taken any pcaps on the LAN interfaces as yet - it seems strange that when there is no auto VPN tunnel the sensors are able to communicate fine and we didn't have to create any inbound routes as the Artic Wolf engineer is asking.

Mitchell68_4-1730109741438.png

Above are the exclusions from Artic Wolf - they generally like the DNS to be added rather than the ip range as these can change.

 

Mitchell68_5-1730109792069.png

 

 

SahandC
Meraki Employee
Meraki Employee

Within the scope of VPN exclusion rules, DNS only matches against queries sent over UDP 53 - https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...

 

The Arctic Wolf whitepaper only seems to state TCP 443 so I'm guessing/assuming they're doing DNS over HTTPS (DoH).

 

Try changing the individual rules so the protocol is TCP, and port number is 443.

Mitchell68
Comes here often

Of course....what a silly Billy.......added the ip addresses with TCP protocol and now Sensor is showing as healthy.

 

I see you have made more Secure Connect Vids on YouTube......lets have some more please 🙂

 

Thanks for your help Sahand.

SahandC
Meraki Employee
Meraki Employee

My pleasure, and hopefully soon!

Get notified when there are additional replies to this discussion.