Azure resources not able to reach resources behind meraki MX

SOLVED
nikmagashi
Getting noticed


Hi,

 

We have some resources on Azure, and users are having problems reaching the resources on the other sites via the Meraki MX.

For better understanding, we have these sites:

- Site A (Meraki MX)

- Site B (Azure)

- Site C (Meraki MX)

We have an IPsec tunnel between Azure (Site B) and Site A (Meraki MX). And then we have Site C, which is connected with Site A.

Let's say Site A is where the Meraki MX is: the resources behind this router are reachable from Site B (Azure), but the resources on the other site (Site C) are not reachable from Site B (Azure). I suppose that when it comes to rules, I am good there, because I created site-to-site rules and opened them from the interested sites. And when it comes to routing, I also assume that these are created automatically.

I just don't get where the missing point is here! I don't have any rules created in Security->Firewall. Rules are created under Site-to-site VPN, so why is it working for some resources but not for other resources?

Is there an issue with routing? But then again, isn't routing managed automatically between the sites?


Bruce
Kind of a big deal

I’m assuming that since you don’t mention a VMX you’re not using one at the Azure end.

If this is the case then routes to Azure aren't propagated to/from Site C - the AutoVPN propagates routes between MX appliances, but not from third-party VPNs.

The solution is either to implement a vMX in Azure, or build a third-party VPN from Site C to Azure as well as the one from Site A - i.e. have a VPN from both MX devices to Azure (which is the way Meraki intended it).

The IPsec is created under Security -> Site-to-site VPN on the non-Meraki VPN peers. The tunnel is visible in every site on the Meraki portal. For example, if I go over to another site, the IPsec tunnel is always there, like the site-to-site outbound firewall rules.

On Azure we have a VPN client server which users connect to. Do I need to add the IP subnet which the users get IPs from under Addressing & VLANs and check "In VPN" so that these users will be able to be routable on the other sites as well?

Bruce
Kind of a big deal

With non-Meraki VPN peers a VPN connection will be attempted from every MX in your organisation to that non-Meraki peer - you can use the availability tags to stop a connection being attempted from every MX. In your scenario, Site A and Site C need a VPN connection to Azure (Site B), so on the Azure side you have to create two Local Network Gateways, one for Site A and one for Site C, and likewise two VPN connections. There is a Meraki document here which may help, https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site_to_Site_VPN_tunnels_to_Azure_V...

At each MX Site you need to include the subnets that you want to be accessed over the VPN in the VPN. For Azure you need to make sure the Address Space configured in the Local Network Gateway matches the subnets included in the VPN for only that MX Site - for example the Local Network Gateway for Site A, should only include subnets that are included in the VPN that actually exist at Site A.
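As an added example (not Bruce's, and not from the Meraki documentation), here is a small Python check for the rule just described: each Azure Local Network Gateway must point at one MX site's public IP and its Address Space must be exactly the subnets that site includes in the VPN, and every MX site needs its own gateway. The peer IPs and site subnets are constructed placeholders, not the thread's real addresses.

```python
import ipaddress

# Constructed sample data (placeholders, not the thread's real addresses).
# Each MX site: its public peer IP and the subnets it includes in the VPN.
MX_SITES = {
    "Site A": {"peer_ip": "203.0.113.10", "vpn_subnets": ["10.10.0.0/24", "10.10.1.0/24"]},
    "Site C": {"peer_ip": "203.0.113.20", "vpn_subnets": ["10.30.0.0/24"]},
}
# Azure Local Network Gateways: the MX public IP they point at and their Address Space.
# lng-site-c deliberately lists a Site A subnet so the check has something to catch.
AZURE_LNGS = {
    "lng-site-a": {"gateway_ip": "203.0.113.10", "address_space": ["10.10.0.0/24", "10.10.1.0/24"]},
    "lng-site-c": {"gateway_ip": "203.0.113.20", "address_space": ["10.10.0.0/24", "10.30.0.0/24"]},
}


def check_lng_mapping(mx_sites, azure_lngs):
    """Return a list of human-readable findings; an empty list means the
    Azure side follows the rule: one LNG per MX site, whose address space
    is exactly that site's VPN-included subnets."""
    findings = []
    site_by_peer = {s["peer_ip"]: name for name, s in mx_sites.items()}
    for lng, cfg in azure_lngs.items():
        site = site_by_peer.get(cfg["gateway_ip"])
        if site is None:
            findings.append(f"{lng}: gateway IP {cfg['gateway_ip']} matches no MX site")
            continue
        expected = {ipaddress.ip_network(n) for n in mx_sites[site]["vpn_subnets"]}
        actual = {ipaddress.ip_network(n) for n in cfg["address_space"]}
        for net in sorted(actual - expected):
            findings.append(f"{lng}: {net} is not a VPN subnet at {site}; "
                            "Azure would route it down the wrong tunnel")
        for net in sorted(expected - actual):
            findings.append(f"{lng}: {site} subnet {net} missing from address space; "
                            "Azure has no route to it")
    # Every MX site also needs its own LNG, otherwise Azure never learns its subnets.
    covered = {cfg["gateway_ip"] for cfg in azure_lngs.values()}
    for name, s in mx_sites.items():
        if s["peer_ip"] not in covered:
            findings.append(f"{name}: no Local Network Gateway points at {s['peer_ip']}")
    return findings


if __name__ == "__main__":
    for line in check_lng_mapping(MX_SITES, AZURE_LNGS) or ["OK: Azure LNGs match the MX sites"]:
        print(line)
```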

So if I have understood you correctly, the IPsec VPN (non-Meraki VPN) created on the MX portal is OK, and it will work for all the other sites and not only for Site A, BUT I need more tunnels on Azure in order to reach every site behind the MXs, e.g. one tunnel on the MX portal pointing to Azure, then on Azure two tunnels pointing to the public IP addresses of the Site A and Site B MXs?

The VPN clients get IPs from this range, 192.168.20.0/24, and I have added this on the non-Meraki IPsec VPN on the MX portal under private subnets, and it is working, as I mentioned before, to reach the resources attached behind the MX on Site A (probably because the Azure engineer has created the IPsec tunnel pointing only to the public IP address of Site A)! Does that mean that the tunnel in Azure is only pointing to the MX which is located on Site A, and I should ask to create another tunnel on Azure to point to Site C also?

You mentioned that I have to include the subnets at each MX site in the VPN? I don't understand this; where should I include these? Which settings should I look for in order to include these?

Bruce
Kind of a big deal

Yes, you are heading in the right direction. The Meraki MX only needs one configuration (which you’ve already done), because it applies to all MX devices, but Azure needs more. The connection to Site A is working, so you need to create another Local Network Gateway and VPN Connection (tunnel) in Azure for Site C - when you create the Local Network Gateway for Site C, this is where you add the Address Space (subnets) of site C so that Azure knows how to reach those subnets.


All right, when I think about it again it sounds logical. Thank you very much Bruce, and I wish you a very good Sunday 🙂

Hi Bruce,

 

We have created the tunnels on Azure; all of these are pointing to the local MXs' public IP addresses, they have their own local network gateways (with subnets included), but these are still down on Azure. They use the same Azure VPN gateway (just for illustration, e.g. 1.1.1.1). The Meraki site-to-site VPN tunnel points to that public IP (1.1.1.1). The tunnels in Azure use the same pre-shared key as the tunnel in the Meraki dashboard. Have we missed something? Does the tunnel in the Meraki dashboard apply in parallel to all the other tunnels in Azure?


Bruce
Kind of a big deal

Yes, all the MX devices will build a tunnel to Azure. It sounds as if you have it set up correctly now. Are you seeing any errors or messages in the event log?

Hi Bruce,

 

I was able to pinpoint the problem. It was because I had activated IKEv2 via Meraki support for the working tunnel, but at the other site the appliance was running a version below 15.x. IKEv2 was not supported for that firmware. After upgrading to version 15.x it started to work. The VPN tunnel is up and running now. Thank you again for taking your time to help me. Cheers 🙂
