Auto VPN only works one way.

rellek
Comes here often

Hello community!

I have been struggling with a situation getting AutoVPN to work properly after several attempts with help from Meraki Support, who don't seem to have the solution.

We have an MX67 and an MX67C. The MX67C is at a remote warehouse location (branch). The only option available for internet out there is AT&T 4G, which is why I went with the cellular model. At least that part I got right 🙂

After setting up AutoVPN, I still cannot figure out why there is no upstream data. I will try to explain the setup and the steps taken:

HUB subnet is 172.16.0.0/24 (VLAN5)

Corporate network, everything works as expected.

I can ping any device at the branch location

BRANCH subnet is 172.16.100.0/24 (VLAN100)

4GLTE is configured with custom APN. This was set up to alleviate the restricted NAT type.

Internet and internal connectivity works as expected

PCs are unable to reach anything over the VPN, so they cannot log into the domain

If I send a ping from the branch to the hub and capture the packets, it looks to me like the ping is reaching the target and being sent back, but NOT being received?

69 4.942286 172.16.100.14 172.16.0.204 ICMP 60 Echo (ping) request id=0x0001, seq=9/2304, ttl=127 (no response found!)

I've checked firewall rules, added extra rules to allow traffic, dug through setup documents, contacted support, added static routes, source-based static routes... nothing seems to help.

Does anyone have an idea of what I might have missed? Where else I could check?

CptnCrnch
Kind of a big deal

Educated guess: ESP is blocked on one end of that connection.

rellek
Comes here often

Thanks for the reply. I don't see any mention of ESP in the dashboard anywhere. How could I check that?

ww
Kind of a big deal

You captured the LAN interface of the hub? How do you know it reached the target?

I don't see the ICMP response.

So who is 172.16.0.204? And does that host allow incoming ICMP in the host firewall?

rellek
Comes here often

172.16.0.204 is the domain controller. It allows ICMP and will reply.

I have captures of the VPN traffic, yes.

ww
Kind of a big deal

Can you ping from the branch to the hub VLAN 5 MX interface (SVI)?

Make the ICMP capture on the LAN of the hub, and on the DC.

You don't see a response, so it's more likely a problem in the LAN on the hub side.

rellek
Comes here often

I can ping the HUB MX gateway IP at 172.16.0.230.

If I do a tracert, that's as far as it gets.

ww
Kind of a big deal

So you have a problem in your hub LAN segment.

172.16.0.204 has the .230 as gateway?

rellek
Comes here often

I sure do. How the heck do I fix it! lol

So, the IP for the MX is 172.16.0.230, but the gateway is 172.16.0.1.

I tried to make a static route but it didn't help.

ww
Kind of a big deal

So 172.16.0.1 is another router? Why is it the gateway for the DC and not the .230? Can't you change that?

You could make a static route on the .1 so it knows 172.16.100.0/24 is behind 172.16.0.230,

so for example: 172.16.100.0 0.0.0.255 172.16.0.230
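To show why the reply never comes back, here is an added Python model of the forwarding tables implied by this thread (my own illustration, not code from the thread, Meraki or Sophos). It assumes the DC's default gateway is the Sophos at 172.16.0.1, that only the MX at 172.16.0.230 holds the AutoVPN route to 172.16.100.0/24, and that a private destination sent toward the internet is dropped; the node names are constructed.

```python
import ipaddress

# Constructed topology (assumption): DC -> Sophos (.1) by default; only the hub MX (.230)
# knows the branch prefix via AutoVPN. 'connected' = deliver on-link, 'internet' = dropped.
HUB_LAN = ipaddress.ip_network("172.16.0.0/24")
BRANCH_LAN = ipaddress.ip_network("172.16.100.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def build_tables(sophos_has_branch_route):
    """Forwarding tables as lists of (prefix, next_hop) per constructed node name."""
    sophos = [(HUB_LAN, "connected"), (DEFAULT, "internet")]
    if sophos_has_branch_route:  # ww's suggestion: 172.16.100.0 0.0.0.255 172.16.0.230
        sophos.append((BRANCH_LAN, "hub-mx"))
    return {
        "branch-pc": [(BRANCH_LAN, "connected"), (DEFAULT, "branch-mx")],
        "branch-mx": [(BRANCH_LAN, "connected"), (HUB_LAN, "hub-mx"), (DEFAULT, "internet")],
        "hub-mx": [(HUB_LAN, "connected"), (BRANCH_LAN, "branch-mx"), (DEFAULT, "internet")],
        "dc": [(HUB_LAN, "connected"), (DEFAULT, "sophos")],
        "sophos": sophos,
    }

def next_hop(table, dst):
    """Longest-prefix match, the way a router chooses its next hop."""
    addr = ipaddress.ip_address(dst)
    matches = [(p, nh) for p, nh in table if addr in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(tables, src_node, dst):
    """Follow the packet hop by hop; the path ends in 'delivered' or 'dropped'."""
    path, node = [src_node], src_node
    while True:
        nh = next_hop(tables[node], dst)
        if nh == "connected":
            return path + ["delivered"]
        if nh == "internet":
            return path + ["dropped"]
        path.append(nh)
        node = nh

def ping_round_trip(sophos_has_branch_route):
    """(request path, reply path) for the thread's ping from 172.16.100.14 to the DC."""
    tables = build_tables(sophos_has_branch_route)
    return (trace(tables, "branch-pc", "172.16.0.204"),
            trace(tables, "dc", "172.16.100.14"))
```

Calling ping_round_trip(False) shows the request arriving at the DC while the reply leaves via the Sophos and is dropped, which matches the "no response found!" capture; ping_round_trip(True) shows the reply returning through the hub MX once the Sophos has the static route.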

rellek
Comes here often

The 172.16.0.1 is a Sophos firewall that we are required to have by a customer.

I made a static route in the HUB MX but it just made the downstream stop working too.
