Meraki

Community

Client VPN + Static Routes

Solved
mmeck
Here to help
‎Apr 8 2019 5:26 PM
‎Apr 8 2019 5:26 PM

Client VPN + Static Routes

Hi,
 
We're having issues getting Client VPN traffic to route over our AWS Direct Connect connection.
 
Our MX100 has static routes configured that point to our AWS subnets, to push traffic over a router that has been specifically configured for the direct connect.
 
  • "Use VPN" has been enabled for the AWS subnets in Site-to-site VPN.
  • AWS Security Groups allow access to for the VPN subnet.
 
Packet trace looks as though it is working:
 
--- Start Of Stream ---
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on client_vpn, link-type RAW (Raw IP), capture size 262144 bytes
23:55:31.124913 IP 192.168.13.4 > 10.60.14.12: ICMP echo request, id 1, seq 63, length 40
23:55:36.125236 IP 192.168.13.4 > 10.60.14.12: ICMP echo request, id 1, seq 64, length 40
23:55:41.125291 IP 192.168.13.4 > 10.60.14.12: ICMP echo request, id 1, seq 65, length 40
23:55:46.135298 IP 192.168.13.4 > 10.60.14.12: ICMP echo request, id 1, seq 66, length 40
--- End Of Stream ---
 
Although having issues accessing the resource from the workstation:
 
Pinging 10.60.14.12 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Anyone have any ideas?
 
Thanks.
Kind Regards,
mmeck
0 Kudos
1 Accepted Solution
In response to mmeck
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 8 2019 10:04 PM
‎Apr 8 2019 10:04 PM

Well done.

 

>Is the router advertising the client VPN subnet into AWS?

 

I should have been more explicit.  It meant the BGP peering here.

View solution in original post

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 8 2019 8:48 PM
‎Apr 8 2019 8:48 PM

The MX100 is on premise.

 

Does the Direct Connect router (on premise) have a route for the client VPN subnet pointing to the MX?

Is the router advertising the client VPN subnet into AWS?

 

When you are connected via Client VPN can you ping the LAN interface of the local Direct Connect router?

In response to PhilipDAth
mmeck
Here to help
‎Apr 8 2019 9:37 PM
‎Apr 8 2019 9:37 PM

The MX100 is on premise - Yes it is.

 

Does the Direct Connect router (on premise) have a route for the client VPN subnet pointing to the MX?

Not initially, although added a route to the direct connect router to point the Client VPN range to the MX

 

Is the router advertising the client VPN subnet into AWS? No, a route wasn't propagated, although added one manually to point to the direct connect virtual gateway.

 

When you are connected via Client VPN can you ping the LAN interface of the local Direct Connect router? I couldn't initially - but after adding the route to point to the MX I can now.

0 Kudos
In response to mmeck
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 8 2019 9:42 PM
‎Apr 8 2019 9:42 PM

So is it working now?

0 Kudos
In response to PhilipDAth
mmeck
Here to help
‎Apr 8 2019 10:02 PM
‎Apr 8 2019 10:02 PM

Thanks @PhilipDAth. Got it sorted.

 

I had to add it to the BGP table.

In response to mmeck
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 8 2019 10:04 PM
‎Apr 8 2019 10:04 PM

Well done.

 

>Is the router advertising the client VPN subnet into AWS?

 

I should have been more explicit.  It meant the BGP peering here.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.