Meraki

Community

Auto VPN - why is the street one-way?

AlexGregoire
Here to help
‎Apr 21 2022 1:38 PM
‎Apr 21 2022 1:38 PM

Auto VPN - why is the street one-way?

So I've got 50-some spoke networks, all going back to the hub network, split-tunnelling traffic for main campus & internet traffic. Everything works great from spoke to hub. But something is wrong when trying to contact devices on spoke networks from the hub (main) network - example: printer in the middle of Idaho can email the mailserver in Montana at the headquarters with a scan-to-email message, and then the spoke destination workstation gets the email.

But I can't manage the printer remotely via IP & web interface from the Montana headquarters! Pings and traces all stop at the campus LAN MX device IP. 

VPN status page says both ends of the network are exported. VPN Configuration page says all local networks are enabled for VPN mode. I've checked & proofread the subnetting on both sides of the tunnel. I'm barely running any layer 3 firewall rules.

Help me from my own stupid, please. I'm sure I've just missed a step.

 

Labels:
0 Kudos
4 Replies 4
cmr
Kind of a big deal
Kind of a big deal
‎Apr 21 2022 1:43 PM
‎Apr 21 2022 1:43 PM

Is the default gateway of your PC the VPN concentrator, or something else?  If something else does that have a route saying that the spoke network you are trying to ping is available through the concentrator?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
AlexGregoire
Here to help
‎Apr 21 2022 1:49 PM
‎Apr 21 2022 1:49 PM

Oh, no, campus pc has a wholly different gateway than concentrator. As I'm the WAN engineer, that's the campus LAN guys' responsibility - and in the past it did work. The new VPN WAN does not. And all the IPs changed with the new system...So I need to have the LAN guys modify static rules on campus.

 

ETA - No, wait, that's fine - I can see that packet go from me, to building router, to (my) VPN hub - and then it drops out. Its got to be a rule I've missed. 

If it was the internal LAN here, it'd drop when it hits the building router. 

0 Kudos
In response to AlexGregoire
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 21 2022 2:21 PM
‎Apr 21 2022 2:21 PM

I bet the spoke subnet has not been included in AutoVPN.

 

Check this on the spoke.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 21 2022 2:23 PM
‎Apr 21 2022 2:23 PM

If you look in:

Security & SW-WAN/Route Table, do you see a route to the spoke network?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.