I have an MX and vMX (in AWS) connected via site-to-site VPN. Local clients on the MX are able to access hosts connected to the vMX (EC2 instances, etc.). It works great.
The problem is Client VPN connections. When I VPN to the MX, I am not able to access anything in AWS. I can access things connected to the MX though.
The local client subnet is 10.180.1.0/24 and the Client VPN subnet is 10.181.1.0/24. I have route tables in AWS set up for both, and they are the same. The security groups are the same. The network ACLs are the same. I don't know where else to check. Any ideas?
One weird thing is that I can VPN to the vMX in AWS, but I can't ping stuff locally. I can ping stuff on the MX 10.180.1.0/24. I'm guessing something in AWS is blocking or misconfigured for my Client VPN subnets. But I have things the same, I think... any suggestions would be appreciated.
@KevinH From the on-premises MX, are you advertising the Client VPN subnet into the VPN? This needs to be done under the "Security & SD-WAN > Site-to-site VPN" configuration page. You need to select Yes in the "Use VPN" column for the Client VPN subnet. Once you do that, you should be able to reach the Amazon resources from Client VPN, as you already can from the local hosts at the MX site.
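The same check and fix can be scripted against the Meraki Dashboard API instead of clicking through the page. The block below is an added example, not code from the thread or from Meraki; it assumes the Dashboard API v1 endpoint `GET`/`PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn`, whose body carries a `subnets` list of `{"localSubnet", "useVpn"}` objects, and it assumes the Client VPN subnet appears in that list the way it does on the dashboard page. The sample config is constructed to mirror the subnets in the question (LAN advertised, Client VPN subnet not), so the offline part runs without any network access.

```python
"""Check whether the MX advertises the Client VPN subnet over AutoVPN and
produce the corrected site-to-site VPN config.

Added example, not from the original thread. Assumes the Meraki Dashboard
API v1 endpoint /networks/{networkId}/appliance/vpn/siteToSiteVpn and that
the Client VPN subnet is listed in its "subnets" array (assumption).
"""
import ipaddress
import json
from typing import Any, Dict, List, Tuple
from urllib import request

API_BASE = "https://api.meraki.com/api/v1"

# Constructed sample of what GET .../siteToSiteVpn might return for the
# on-prem MX in the thread: LAN advertised, Client VPN subnet not.
SAMPLE_CONFIG: Dict[str, Any] = {
    "mode": "hub",
    "hubs": [],
    "subnets": [
        {"localSubnet": "10.180.1.0/24", "useVpn": True},
        {"localSubnet": "10.181.1.0/24", "useVpn": False},
    ],
}


def subnets_not_advertised(config: Dict[str, Any], wanted: List[str]) -> List[str]:
    """Return the subnets in `wanted` that are not advertised (useVpn true)."""
    advertised = {
        ipaddress.ip_network(s["localSubnet"])
        for s in config.get("subnets", [])
        if s.get("useVpn")
    }
    return [w for w in wanted if ipaddress.ip_network(w) not in advertised]


def enable_vpn_for(config: Dict[str, Any], subnets: List[str]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (new_config, missing).

    new_config is a deep copy with useVpn=True for every listed subnet the MX
    knows about. Subnets absent from the config are returned in `missing`
    rather than invented: the MX only advertises networks it is configured
    with, so a missing entry means the subnet is not defined on the MX.
    """
    wanted = {ipaddress.ip_network(s) for s in subnets}
    new = json.loads(json.dumps(config))  # deep copy, leave the input untouched
    seen = set()
    for entry in new.get("subnets", []):
        net = ipaddress.ip_network(entry["localSubnet"])
        if net in wanted:
            entry["useVpn"] = True
            seen.add(net)
    missing = [str(n) for n in wanted - seen]
    return new, sorted(missing)


def _request(api_key: str, url: str, method: str = "GET", body: Any = None) -> Any:
    """Minimal Dashboard API call (API key header, JSON in and out)."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method=method, headers={
        "X-Cisco-Meraki-API-Key": api_key,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with request.urlopen(req) as resp:
        return json.load(resp)


def fix_network(api_key: str, network_id: str, client_vpn_subnet: str) -> List[str]:
    """Fetch the live config, enable Use VPN for the Client VPN subnet if
    needed, PUT it back, and return any subnets that could not be fixed."""
    url = f"{API_BASE}/networks/{network_id}/appliance/vpn/siteToSiteVpn"
    current = _request(api_key, url)
    if not subnets_not_advertised(current, [client_vpn_subnet]):
        return []  # already advertised, nothing to change
    fixed, missing = enable_vpn_for(current, [client_vpn_subnet])
    _request(api_key, url, "PUT", fixed)
    return missing


if __name__ == "__main__":
    # Offline demo on the constructed sample; no API call is made.
    print("not advertised:", subnets_not_advertised(SAMPLE_CONFIG, ["10.180.1.0/24", "10.181.1.0/24"]))
    fixed, missing = enable_vpn_for(SAMPLE_CONFIG, ["10.181.1.0/24"])
    print(json.dumps(fixed["subnets"], indent=2), "missing:", missing)
```

After the PUT, the vMX in AWS will learn 10.181.1.0/24 over AutoVPN; the VPC route table still needs the return route for that prefix pointing at the vMX instance or ENI, which is the part the question says is already in place.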
@KevinH Try doing a packet capture on the vMX WAN interface and see whether the vMX is forwarding the packets out the WAN or not. If it is, something in the AWS VPC is either blocking them or is missing a return route. If they are not seen there, run the packet capture on the vMX site-to-site VPN interface and see whether the packets are being received by the vMX on the VPN interface at all.