Meraki

rellek · ‎Aug 16 2022

Hello community!

I have been struggling with a situation getting AutoVPN to work properly after several attempts with help from Meraki Support who doesn't seem to have the solution.

We have an MX67, and MC67C. The MC67C is at a remote warehouse location (branch). The only option available for internet out there is AT&T 4G, which is I why I went with the cellular model. As least that part I got right 🙂

After setting up AutoVPN, I still can not figure out why there is no upstream data. I will try and explain the setup and steps taken:

HUB subnet is 172.16.0.0/24 (VLAN5)

Corporate network, everything works as expected.

I can ping any device at the branch location

BRANCH subnet is 172.16.100.0/24 (VLAN100)

4GLTE is configured with custom APN. This was set up to alleviate the restricted NAT type.

Internet and internal connectivity works as expected

PC's are unable to reach anything over the VPN so they can not log into the domain

If I send a ping from the branch to the hub and capture the packets, it looks to me like the ping is reaching the target, being sent back, but NOT being received?

69 4.942286 172.16.100.14 172.16.0.204 ICMP 60 Echo (ping) request id=0x0001, seq=9/2304, ttl=127 (no response found!)

I've checked firewall rules, added extra rules to allow traffic, dug though setup documents, contacted support, added static routes, source based static routes... nothing seems to help.

Does anyone have an idea of what I might have missed? Where else I could check?

CptnCrnch · ‎Aug 16 2022

Educated guess: ESP is blocked on one end of that connection.

rellek · ‎Aug 16 2022

Thanks for the reply. I don't see any mention of ESP in the dashboard anywhere. How could I check that?

ww · ‎Aug 16 2022

You captured the lan interface of the hub? How do you know it reached the target?

I dont see the icmp response..

, so who is the 172.16.0.204? And does that host allow incoming icmp in the host firewall?

rellek · ‎Aug 16 2022

172.16.0.204 is the domain controller. It allows icmp and will reply.

I have captures of the VPN traffic, yes.

ww · ‎Aug 16 2022

Can you ping from branch to the Hub vlan 5 mx interface(svi)?

Make the icmp capture on the lan of the hub. And on the DC.

You dont see a response so its more likely a problem in the lan at the hub side

rellek · ‎Aug 16 2022

I can ping the HUB MX gateway IP at 172.16.0.230.

If I do a tracert, that's as far as it gets.

ww · ‎Aug 16 2022

So you have a problem in your hub lan segment.

172.16.0.204 has the .230 as gateway?

rellek · ‎Aug 16 2022

I sure do. How the heck do I fix it! lol

So, the IP for the MX is 172.16.0.230, but the gateway is 172.16.0.1.

I tried to make a static route but it didn't help.

ww · ‎Aug 16 2022

So the 172.16.0.1 is another router? Why is it the gateway for the dc and not the .230? Cant you change that?

You could make static route on the .1 so it knows 172.16.100.0/24 is behind 172.16.0.230,

so for example: 172.16.100.0 0.0.0.255 172.16.0.230

rellek · ‎Aug 17 2022

The 172.16.0.1 is a Sophos firewall that we are required to have by a customer.

I made a static route in the HUB MX but it just made the downstream stop working too.

Meraki

Community

Auto VPN only works one way.

Auto VPN only works one way.