cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AWS vMX has lost all site-to-site VPN link

SOLVED
Go to solution
Pugmiester
Building a reputation
‎06-10-2020 02:11 AM
‎06-10-2020 02:11 AM

AWS vMX has lost all site-to-site VPN link

Hi all,

 

We've had a vMX up and running in AWS since the middle of April but somewhere around the early hours of June 6th it dropped all of the SD-WAN links. It's not in PROD yet so we didn't pickup a monitoring alert.

 

Anyway, we still have dashboard access and neither a vMX or AWS Instance restart has not shaken it back into life but something hit me while I'm trying to figure out what's going on. The AWS Security Group is built from the dashboard recommended firewall rules for the site as recommended in the AWS vMX setup guide, including all the usual suspects for dashboard access, you know all the funky UDP ports and the like, but that gives you no ports I would have thought needed for IPSec (4500, 500, etc).

 

I kinda assumed the dashboard did uber magic and the fact it was working made me suspect that was the case but maybe the initial setup had less rules on SG and the connections were up before it closed off the doors.

 

I know this is something that should make sense but I'm way down on my coffee supply this morning. Should we have more outbound/inbound rules in place the IPSec links that the SD-WAN needs to operate?

0 Kudos
Subscribe
1 ACCEPTED SOLUTION
In response to Pugmiester
Pugmiester
Building a reputation
‎06-16-2020 01:22 AM
‎06-16-2020 01:22 AM

I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page so I'm including the details plus the link below for future reference.

Ports used to contact the VPN registry:

  • Source UDP port range 32768-61000
  • Destination UDP port 9350 

 

Ports used for IPsec tunneling:

  • Source UDP port range 32768-61000
  • Destination UDP port range 32768-61000


https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN

View solution in original post

Subscribe
3 REPLIES 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎06-10-2020 04:54 PM
‎06-10-2020 04:54 PM

I don't usually any any inbound rules (or rather I allow "all") for the VMX.  It is a firewall after all, even if it is only in VPN concentrator mode.

 

Otherwise I think you'll need to specify a manual port to use and create a rule allowing that traffic.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#NAT_Traversal 

Subscribe
In response to PhilipDAth
Pugmiester
Building a reputation
‎06-12-2020 03:28 AM
‎06-12-2020 03:28 AM

Hi @PhilipDAth, thanks for the sanity check. I'm still confused how it's ever worked without the allowed inbound traffic but I'm working on a change plan for the AWS guys to open up the inbound firewall rules.
0 Kudos
Subscribe
In response to Pugmiester
Pugmiester
Building a reputation
‎06-16-2020 01:22 AM
‎06-16-2020 01:22 AM

I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page so I'm including the details plus the link below for future reference.

Ports used to contact the VPN registry:

  • Source UDP port range 32768-61000
  • Destination UDP port 9350 

 

Ports used for IPsec tunneling:

  • Source UDP port range 32768-61000
  • Destination UDP port range 32768-61000


https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2022 Meraki