Hello community!
I have been struggling with a situation getting AutoVPN to work properly after several attempts with help from Meraki Support who doesn't seem to have the solution.
We have an MX67 and an MC67C. The MC67C is at a remote warehouse location (branch). The only option available for internet out there is AT&T 4G, which is why I went with the cellular model. At least that part I got right 🙂
After setting up AutoVPN, I still cannot figure out why there is no upstream data. I will try and explain the setup and steps taken:
HUB subnet is 172.16.0.0/24 (VLAN5)
Corporate network, everything works as expected.
I can ping any device at the branch location
BRANCH subnet is 172.16.100.0/24 (VLAN100)
4GLTE is configured with custom APN. This was set up to alleviate the restricted NAT type.
Internet and internal connectivity works as expected
PCs are unable to reach anything over the VPN, so they cannot log into the domain
If I send a ping from the branch to the hub and capture the packets, it looks to me like the ping is reaching the target, being sent back, but NOT being received?
69 4.942286 172.16.100.14 172.16.0.204 ICMP 60 Echo (ping) request id=0x0001, seq=9/2304, ttl=127 (no response found!)
I've checked firewall rules, added extra rules to allow traffic, dug through setup documents, contacted support, added static routes, source-based static routes... nothing seems to help.
Does anyone have an idea of what I might have missed? Where else I could check?
Educated guess: ESP is blocked on one end of that connection.
Thanks for the reply. I don't see any mention of ESP in the dashboard anywhere. How could I check that?
You captured the lan interface of the hub? How do you know it reached the target?
I don't see the ICMP response.
So who is 172.16.0.204? And does that host allow incoming ICMP in the host firewall?
172.16.0.204 is the domain controller. It allows ICMP and will reply.
I have captures of the VPN traffic, yes.
Can you ping from the branch to the hub VLAN 5 MX interface (SVI)?
Make the ICMP capture on the LAN of the hub, and on the DC.
You don't see a response, so it's more likely a problem in the LAN at the hub side.
I can ping the HUB MX gateway IP at 172.16.0.230.
If I do a tracert, that's as far as it gets.
So you have a problem in your hub LAN segment.
172.16.0.204 has the .230 as gateway?
I sure do. How the heck do I fix it! lol
So, the IP for the MX is 172.16.0.230, but the gateway is 172.16.0.1.
I tried to make a static route but it didn't help.
So 172.16.0.1 is another router? Why is it the gateway for the DC and not the .230? Can't you change that?
You could make a static route on the .1 so it knows 172.16.100.0/24 is behind 172.16.0.230,
so for example: 172.16.100.0 0.0.0.255 172.16.0.230
The 172.16.0.1 is a Sophos firewall that we are required to have by a customer.
I made a static route in the HUB MX but it just made the downstream stop working too.
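As an added illustration of the asymmetric-routing problem in this thread (not code from the original posts or from Meraki), the Python model below forwards the echo request and its reply through longest-prefix-match tables built from the addresses above. The node names (branch_pc, branch_mx, hub_mx, dc, sophos, internet) and the empty "internet" table are assumptions of the model; the fix modelled is the static route on the .1 suggested above.

```python
import ipaddress
from copy import deepcopy

# Constructed model of the thread's topology. Each table is a list of (prefix, next_hop);
# "deliver" means directly connected, "internet" is the upstream, which has no route
# back into private space (empty table). The DC's gateway is the Sophos (.1), not the MX (.230).
BROKEN = {
    "branch_pc": [("172.16.100.0/24", "deliver"), ("0.0.0.0/0", "branch_mx")],
    "branch_mx": [("172.16.100.0/24", "deliver"), ("172.16.0.0/24", "hub_mx"),  # AutoVPN
                  ("0.0.0.0/0", "internet")],
    "hub_mx":    [("172.16.0.0/24", "deliver"), ("172.16.100.0/24", "branch_mx"),  # AutoVPN
                  ("0.0.0.0/0", "internet")],
    "dc":        [("172.16.0.0/24", "deliver"), ("0.0.0.0/0", "sophos")],
    "sophos":    [("172.16.0.0/24", "deliver"), ("0.0.0.0/0", "internet")],
    "internet":  [],
}

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when nothing matches."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(tables, start, dst, max_hops=8):
    """Forward dst hop by hop from start; returns (nodes visited, delivered|dropped|loop)."""
    path, node = [start], start
    for _ in range(max_hops):
        next_hop = lookup(tables[node], dst)
        if next_hop is None:
            return path, "dropped"
        if next_hop == "deliver":
            return path, "delivered"
        node = next_hop
        path.append(node)
    return path, "loop"

def with_static_route_on_sophos(tables):
    """The fix suggested in the thread: 172.16.100.0 0.0.0.255 172.16.0.230 on the .1 router."""
    fixed = deepcopy(tables)
    fixed["sophos"].insert(0, ("172.16.100.0/24", "hub_mx"))
    return fixed

def ping_round_trip(tables):
    """Echo request branch PC -> DC, then the echo reply DC -> branch PC."""
    return trace(tables, "branch_pc", "172.16.0.204"), trace(tables, "dc", "172.16.100.14")
```

Calling ping_round_trip(BROKEN) shows the request delivered but the reply leaving via the Sophos toward the upstream and being dropped, which matches the "no response found" capture; ping_round_trip(with_static_route_on_sophos(BROKEN)) shows the reply coming back through the hub MX and the AutoVPN tunnel.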