Auto VPN between MX/Z3 and AWS vMX100

Solved
JQ
Here to help

Hi all,

Recently deployed 3 vMX100 on AWS and a few MX68 and Z3. AutoVPN is NOT establishing connections to the vMX100 (all 3 VPCs) when the MX68 and Z3 are on broadband networks (tested at 3 locations: Spectrum, Xfinity, and Verizon Fios). AutoVPN does establish connections between the MX68 and Z3. If I connect the Z3 to the office network, all AutoVPN tunnels are established. Is this an issue with AWS or Meraki? Packet capture doesn't show the return traffic from AWS. Has anyone experienced this issue, and if so, have you found the root cause? Thank you.

6 Replies
PhilipDAth
Kind of a big deal

I've never had any issues myself.

My best guess is you have an AWS security policy not allowing the traffic.

PhilipDAth
Kind of a big deal

Does the dashboard show that the vMX is online?

Does the dashboard show that the vMX is registered as a VPN end point?

JQ
Here to help

Thanks for the input. Yes, the vMX are online, as other MX68s at satellite offices have established VPN and are passing traffic. Only when I take the Z3 home and connect it to my Xfinity modem (and to Verizon Fios and Spectrum broadband in Columbus) does the VPN NOT establish to the AWS vMX100. But it does establish to the other MX68 sites.

NolanHerring
Kind of a big deal

Any logs showing specific errors for those Z3 not being able to talk to vMX?

Also, you don't by any chance have any firewall rules allowing only those specific sites (assuming they have static IPs on the MX68s, whereas the Z3s are going to have dynamic IPs) and blocking everything else?
Nolan Herring | nolanwifi.com
JQ
Here to help

On the Meraki side, there are no firewall rules. There are firewall rules on the broadband modems (I assume), but the Z3 is able to establish VPN to other MX68s. So the broadband modems do allow UDP traffic for MX68 VPN connections.

So the three locations experiencing the issue are using 192.168.0.0 and are NATed on the modem. The corporate networks are using 10.0.0.0. Where in the AWS vMX security policy are the peer WAN uplink private IPs controlled?

JQ
Here to help

I rebuilt the vMX100 with an elastic IP, as AWS's unfriendly NAT did not work out well without the elastic IP.
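For readers who want to reproduce the fix described in the accepted answer, the Terraform fragment below pins a vMX instance's public address with an Elastic IP instead of relying on an auto-assigned public IP. This is an added example, not configuration from the original poster or from Meraki; the AMI id, subnet id and instance type are placeholders and assumptions, and the instance resource is assumed to already exist as `aws_instance.vmx` in a subnet that routes to an internet gateway.

```hcl
# Added example (not from the thread): give the vMX a static Elastic IP so the
# address remote MX/Z3 peers register against does not change.
# Assumptions: Meraki vMX AMI id, subnet id and instance type are placeholders.

resource "aws_instance" "vmx" {
  ami           = "ami-PLACEHOLDER"    # Meraki vMX AMI for the region (placeholder)
  instance_type = "c5.large"           # assumption; size per Meraki's vMX guidance
  subnet_id     = "subnet-PLACEHOLDER" # public subnet with an internet gateway route

  # Do not depend on an auto-assigned public IP: it is released on stop/start
  # and is not the address you want peers to learn for the hub.
  associate_public_ip_address = false

  # The vMX forwards traffic for other networks, so source/dest checking must be off.
  source_dest_check = false
}

# Static, account-owned public address for the vMX uplink.
resource "aws_eip" "vmx" {
  domain = "vpc"
}

# Bind the Elastic IP to the vMX instance's primary interface.
resource "aws_eip_association" "vmx" {
  instance_id   = aws_instance.vmx.id
  allocation_id = aws_eip.vmx.id
}

# The address that should appear as the vMX's public IP in Dashboard.
output "vmx_public_ip" {
  value = aws_eip.vmx.public_ip
}
```

After `terraform apply`, confirm in Dashboard that the vMX's WAN public IP matches the `vmx_public_ip` output; a mismatch means peers are still learning the old auto-assigned address. Security-group rules are left out here because the thread does not state which ports were in play, and they should be set from Meraki's vMX documentation for your deployment.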
