Auto VPN - why is the street one-way?

AlexGregoire
Here to help

Auto VPN - why is the street one-way?

So I've got 50-some spoke networks, all going back to the hub network, split-tunnelling traffic for main campus & internet traffic. Everything works great from spoke to hub. But something is wrong when trying to contact devices on spoke networks from the hub (main) network - example: printer in the middle of Idaho can email the mailserver in Montana at the headquarters with a scan-to-email message, and then the spoke destination workstation gets the email.

But I can't manage the printer remotely via IP & web interface from the Montana headquarters! Pings and traces all stop at the campus LAN MX device IP. 

VPN status page says both ends of the network are exported. VPN Configuration page says all local networks are enabled for VPN mode. I've checked & proofread the subnetting on both sides of the tunnel. I'm barely running any layer 3 firewall rules.

Help me from my own stupid, please. I'm sure I've just missed a step.

 

4 REPLIES 4
cmr
Kind of a big deal
Kind of a big deal

Is the default gateway of your PC the VPN concentrator, or something else?  If something else does that have a route saying that the spoke network you are trying to ping is available through the concentrator?

Oh, no, campus pc has a wholly different gateway than concentrator. As I'm the WAN engineer, that's the campus LAN guys' responsibility - and in the past it did work. The new VPN WAN does not. And all the IPs changed with the new system...So I need to have the LAN guys modify static rules on campus.

 

ETA - No, wait, that's fine - I can see that packet go from me, to building router, to (my) VPN hub - and then it drops out. Its got to be a rule I've missed. 

If it was the internal LAN here, it'd drop when it hits the building router. 

I bet the spoke subnet has not been included in AutoVPN.

 

Check this on the spoke.

PhilipDAth
Kind of a big deal
Kind of a big deal

If you look in:

Security & SW-WAN/Route Table, do you see a route to the spoke network?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels