Meraki

Community

Cannot send data to remote VPN (Site to site)

TimM1
New here
‎Apr 16 2018 6:01 AM
‎Apr 16 2018 6:01 AM

Cannot send data to remote VPN (Site to site)

Hi All,

 

Would appreciate some assistance as this is the first leap into site to site VPN.

 

We have an MX64, the remote site (customer) has an ASA Cisco VPN, these are added as non-meraki peers, in VPN status the green light is on for both VPN connections.

 

Now if I try to contact an IP in the VPN sub net, I cannot get a response.

If I tracert then it seems the request goes to the MX64 (as gateway) and dies there.
If I try to tracert to the remote VPN router then it seems to trace OK.

 

We have Windows AD / DHCP / DNS if that makes any difference...

 

0 Kudos
6 Replies 6
Adam
Kind of a big deal
‎Apr 16 2018 6:26 AM
‎Apr 16 2018 6:26 AM

Do you have the IP (subnets) of the remote networks you are trying to reach in the 'Private Subnets' section of your Non Meraki VPN Peers.  I believe you also need to make sure the subnet suffix matches on each side.  For troubleshooting support can also do a capture in the VPN tunnel so you can verify if your traffic is actually going over the tunnel to their side or truly dropping at the MX. 

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
In response to Adam
TimM1
New here
‎Apr 16 2018 6:34 AM
‎Apr 16 2018 6:34 AM

Hi,

 

Yes I have private subnets for each remote machine defined in the manager.
There are 2 - 3 on each VPN, defined as x.x.x.x/32 and comma separated.

 

I'll see what can be captured at the far end, the config was supplied to me so I would *hope* it is correct at that end!

0 Kudos
In response to TimM1
Dylan_YYC
Getting noticed
‎Apr 16 2018 7:33 AM
‎Apr 16 2018 7:33 AM

as a /32? that wont work, thats just to one host. you need to define the subnet so it knows where/what to route. 

0 Kudos
In response to Dylan_YYC
Adam
Kind of a big deal
‎Apr 16 2018 7:33 AM
‎Apr 16 2018 7:33 AM

It would work if they have a /32 configured on the far side.  But I'd agree that is less likely.  

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
0 Kudos
In response to Adam
Dylan_YYC
Getting noticed
‎Apr 16 2018 7:40 AM
‎Apr 16 2018 7:40 AM

yeah thats true, but i cant imagine a lot of places recommend doing it that tightly. 

In response to Dylan_YYC
TimM1
New here
‎Apr 16 2018 7:48 AM
‎Apr 16 2018 7:48 AM

Thanks for the replies.

 

Issue now solved.

 

Turned out to be routing on the other side, due to reasons of how the customer does this we basically were not getting responses from the target machine. But they have checked/amended the routing and now we get replies.

 

Turns out the Meraki VPN setup was fine all along 😉

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.