Autovpn between Azure vMx and DC MX hub not coming up
Hello community,
I deployed a vMX on Azure; all my spokes have established Auto VPN with the vMX hub on Azure, but my data center MX, which is behind a FortiGate firewall, has not established Auto VPN. I have not seen any logs that point to the problem.
Can anyone assist in explaining what the issue could be?
The FortiGate is probably blocking the communication. Did you get the logs?
Please, if this post was useful, leave your kudos and mark it as solved.
Yes,
I have checked the FortiGate FW logs, but there is no blocked traffic from the DC MX.
In your place I would create a rule to make sure.
Any devices sitting upstream of an MX will need the following destinations whitelisted so the MX can communicate with the Auto VPN registries:
Port: UDP 9350-9381
IP range for non-China cloud (meraki.com):
- 209.206.48.0/20
- 158.115.128.0/19
- 216.157.128.0/20
IP range for China cloud (meraki.cn):
- 43.192.139.128/25
- 43.196.13.128/25
Ports used for IPsec tunneling:
- Source UDP port range 32768-61000
- Destination UDP port range 32768-61000
Please, if this post was useful, leave your kudos and mark it as solved.
I take it your DC MX is also a Hub? I'd raise a case with Meraki Support - one of the first things they will likely check is whether the back-end option to prevent Hubs forming tunnels / exchanging routes with other Hubs is enabled. This is often done in environments with multiple DCs or active-active Hubs in the same DC, to prevent routing loops.
In the first instance, running some pcaps on the MXs at each end should reveal whether the MXs are sending out the appropriate packets to the remote destination - and also what packets (if any) are being received at the far end. You should be able to compare the dynamic ports for a match and check whether they're being received as expected (i.e. via any upstream NATs/PATs).
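A small triage script for the two checks suggested above (the upstream whitelist and the pcap port comparison), written as an added example rather than anything from this thread or from Meraki: it classifies flow-summary lines against the registry ranges and UDP ports listed in the earlier reply, and flags a source port rewritten by an upstream NAT/PAT. The flow-line format, the helper names and the sample addresses are my own assumptions.

```python
import ipaddress

# Auto VPN registry destinations and UDP ports, as listed in the thread above.
REGISTRY_NETS = [ipaddress.ip_network(n) for n in (
    "209.206.48.0/20", "158.115.128.0/19", "216.157.128.0/20",  # meraki.com
    "43.192.139.128/25", "43.196.13.128/25",                    # meraki.cn
)]
REGISTRY_PORTS = range(9350, 9382)   # UDP 9350-9381 (range() end is exclusive)
IPSEC_PORTS = range(32768, 61001)    # UDP 32768-61000, source and destination

def parse_flow(line):
    """Parse an assumed 'src_ip:src_port -> dst_ip:dst_port proto' summary line."""
    left, right = line.split("->")
    src_ip, src_port = left.strip().rsplit(":", 1)
    fields = right.split()
    dst_ip, dst_port = fields[0].rsplit(":", 1)
    proto = fields[1].lower() if len(fields) > 1 else "udp"
    return src_ip, int(src_port), dst_ip, int(dst_port), proto

def classify_flow(src_ip, src_port, dst_ip, dst_port, proto="udp"):
    """Return 'registry', 'ipsec' or 'other' for one flow seen leaving the MX."""
    if proto != "udp":
        return "other"
    dst = ipaddress.ip_address(dst_ip)
    if dst_port in REGISTRY_PORTS and any(dst in net for net in REGISTRY_NETS):
        return "registry"
    if src_port in IPSEC_PORTS and dst_port in IPSEC_PORTS:
        return "ipsec"
    return "other"

def audit_flows(lines):
    """Group lines by class; an empty 'registry' or 'ipsec' bucket shows which leg is missing."""
    buckets = {"registry": [], "ipsec": [], "other": []}
    for line in lines:
        buckets[classify_flow(*parse_flow(line))].append(line.strip())
    return buckets

def pat_changed_port(inside_line, outside_line):
    """True when the same flow captured inside vs. outside the firewall shows a rewritten source port."""
    return parse_flow(inside_line)[1] != parse_flow(outside_line)[1]

# Constructed sample capture: DC MX at 10.0.0.5, Azure vMX placeholder IP 203.0.113.10
# (documentation range); neither is a real address from the thread.
SAMPLE = [
    "10.0.0.5:40000 -> 209.206.50.1:9350 udp",    # registry check-in
    "10.0.0.5:40000 -> 203.0.113.10:40001 udp",   # IPsec data to the vMX hub
    "10.0.0.5:40000 -> 203.0.113.10:500 udp",     # outside the Auto VPN port range
    "10.0.0.5:55555 -> 10.0.0.6:443 tcp",         # unrelated TCP traffic
]
```

Run `audit_flows` over the DC-side capture and again over the far-end capture; a flow present in the first but absent from the second, or a `pat_changed_port` hit, points at the upstream device rather than the MX.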
