Cellular and VPN in MX

SOLVED
NickCalcutti
Getting noticed

Cellular and VPN in MX

I have the New Z3C and i have an ATT SIM installed inside of it and i am getting nat type unfriendly, now i tried with the MX64 and also Z3 without SIM, using approved USB cellular options and i had the same issue.

 

Anyone else ran into this issue give a little guidance? 

Right now i am using third party peer to my main firewall. But if i had AutoVPN working without doing that life would be much easier 

 

Thanks Community 

1 ACCEPTED SOLUTION

@MerakiDave@PhilipDAth

Well i got my Z3C to work

 

Once i got a static IP address from ATT and they sent me their APN info for it the Z3C came right up and i have it in the field right now working like a charm

View solution in original post

9 REPLIES 9
PhilipDAth
Kind of a big deal
Kind of a big deal

I'm going to guess it is related to the APN you are using with AT&T.  I'm not from your part of the world, so I'm not familiar with the APNs offered by AT&T.

 

Ideally you want an APN that gives you a public IP address and is not firewalled.  Second choice would be an APN with a public IP address.

yeah, working with the ISP can be a process. was wondering if anyone had easier luck with it 

Also just some general notes, that I believe internal cellular is disabled by default, need to click on the "Uplink" tab and enable it in the cellular section.  Once it's enabled in Dashboard and physically installed, reboot the MX.  Also make sure you're running 14.33.  Allow a minute or so after each change, I've heard from colleagues the cellular-related things take several seconds so resist the urge to change multiple things in the same minute or two.   And if it picks up the carrier type/info automatically, you may not even need to configure an APN.  Double check with Support (I don't have a "C" model in my lab yet) to check if you can just remove the APN and reboot.

i am running 14.33 on the new Z3C, also i have the Cellular Enabled. also it saw the Sim model and the carrier of AT&T and i dont have the APN in the dashboard. i got the Site to Site working with a 3rd party firewall but AutoVPN doesnt work. 

Great, thanks for the updates.  So just to confirm, AutoVPN S2S tunnels won't come up if it's 3rd party VPN, only when it's MX to MX.  Sorry if I'm stating the obvious there, just wanted to clarify if you maybe had a combo of S2S tunnels, some configured via 3rd party and some configured with AutoVPN to other MXs, and maybe the AutoVPN tunnels were not coming up? 

 

You also mentioned a 3rd party FW in the path, so if it's MX to MX and your AutoVPN isn't coming up, make sure the 3rd party FW is allowing UDP/9350 for VPN Registry communications, as well as outbound higher-numbered UDP ports for the UDP hole punching for tunnel establishment.  If it's the auto-NAT traversal that's not working, more info here https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_bet...

 

I have other MXs connected to my main hub but the Z3C will not do it over cellular but I can get the Z3C to work with a third party firewall and do ipsec site to site . 

Got it, thanks for the clarification, I'd get a support ticket open so they can confirm if there might be any new or known issues regarding the AutoVPN operations over cellular on the Z3C model and that firmware rev.  I don't have one to test with yet, and support should also be able to get some deeper visibility into what is happening, like the cellular log file.

I already have and they pointed to att. They want me to ask for a port forward or and no foreeall enabled public IP address with the port forward. Because of the nat type unfriendly error. I had the same thing happen with USB cellular devices on the other Z3 and figured it was the cellular devices and when I got the Z3C I figured that would resolve it and I and finding out that was wrong 

@MerakiDave@PhilipDAth

Well i got my Z3C to work

 

Once i got a static IP address from ATT and they sent me their APN info for it the Z3C came right up and i have it in the field right now working like a charm

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels