AWS vMX has lost all site-to-site VPN link

Solved
Pugmiester
Building a reputation

AWS vMX has lost all site-to-site VPN link

Hi all,

 

We've had a vMX up and running in AWS since the middle of April but somewhere around the early hours of June 6th it dropped all of the SD-WAN links. It's not in PROD yet so we didn't pickup a monitoring alert.

 

Anyway, we still have dashboard access and neither a vMX or AWS Instance restart has not shaken it back into life but something hit me while I'm trying to figure out what's going on. The AWS Security Group is built from the dashboard recommended firewall rules for the site as recommended in the AWS vMX setup guide, including all the usual suspects for dashboard access, you know all the funky UDP ports and the like, but that gives you no ports I would have thought needed for IPSec (4500, 500, etc).

 

I kinda assumed the dashboard did uber magic and the fact it was working made me suspect that was the case but maybe the initial setup had less rules on SG and the connections were up before it closed off the doors.

 

I know this is something that should make sense but I'm way down on my coffee supply this morning. Should we have more outbound/inbound rules in place the IPSec links that the SD-WAN needs to operate?

1 Accepted Solution
Pugmiester
Building a reputation

I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page so I'm including the details plus the link below for future reference.

Ports used to contact the VPN registry:

  • Source UDP port range 32768-61000
  • Destination UDP port 9350 

 

Ports used for IPsec tunneling:

  • Source UDP port range 32768-61000
  • Destination UDP port range 32768-61000


https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN

View solution in original post

3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't usually any any inbound rules (or rather I allow "all") for the VMX.  It is a firewall after all, even if it is only in VPN concentrator mode.

 

Otherwise I think you'll need to specify a manual port to use and create a rule allowing that traffic.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#NAT_Traversal 

Pugmiester
Building a reputation

Hi @PhilipDAth, thanks for the sanity check. I'm still confused how it's ever worked without the allowed inbound traffic but I'm working on a change plan for the AWS guys to open up the inbound firewall rules.
Pugmiester
Building a reputation

I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page so I'm including the details plus the link below for future reference.

Ports used to contact the VPN registry:

  • Source UDP port range 32768-61000
  • Destination UDP port 9350 

 

Ports used for IPsec tunneling:

  • Source UDP port range 32768-61000
  • Destination UDP port range 32768-61000


https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN

Get notified when there are additional replies to this discussion.