Client VPN and AWS

KevinH
Here to help


I have an MX and vMX (in AWS) connected via site-to-site VPN. Local clients on the MX are able to access hosts connected to the vMX (EC2 instances, etc.). It works great.


The problem is Client VPN connections. When I VPN to the MX, I am not able to access anything in AWS. I can access things connected to the MX though.


The local client subnet is 10.180.1.0/24 and the Client VPN subnet is 10.181.1.0/24. I have Route Tables in AWS set up for both and they are the same. The Security Groups are the same. The Network ACLs are the same. I don't know where else to check. Any ideas?


One weird thing is that I can VPN to the vMX in AWS, but I can't ping stuff locally. I can ping stuff on the MX 10.180.1.0/24. I'm guessing something in AWS is blocking or misconfigured for my Client VPN subnets. But I have things the same, I think... any suggestions would be appreciated.

5 Replies
Raj66
Meraki Employee

@KevinH From the MX on-premises, are you advertising the client VPN subnet into VPN? This needs to be done under the "Security & SD-WAN > Site-to-site VPN configuration" page. You need to select "yes" in the "Use VPN" column for the client VPN subnet. Once you do that, you should be able to connect to the Amazon resources from client VPN as you are doing from the local hosts at the MX site.


Cheers!


Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
PhilipDAth
Kind of a big deal

I agree with @Raj66. Also make sure there are no Amazon firewall rules (either security groups or VPC) that might be blocking the traffic.



Thanks. I do have Client VPN set Use VPN "yes".

No AWS firewall rules blocking and no SG groups blocking.

I have Routes setup. No idea where it's blocking.

Seshu
Meraki Employee

@KevinH Try doing a packet capture on the vMX WAN interface and see if the vMX is forwarding the packets on the WAN or not. If it is, there is something in the AWS VPC that is either blocking or has a return route missing. If it is not being seen, try running the packet capture on the vMX site-to-site interface and see if the packets are being received by the vMX on the VPN interface.
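Raj66's and Seshu's replies between them name the three places where the Client VPN subnet has to be present before traffic can flow to AWS: the MX must advertise it into the site-to-site VPN ("Use VPN" = yes), the VPC route table needs a return route for it pointing at the vMX, and the security groups must allow it. The following check is an added example, not code from this thread or from Meraki or AWS tooling; it runs over constructed data that mirrors the subnets in the question, and the field names and the vMX interface id are assumptions.

```python
import ipaddress

# Constructed data modelled on the thread: the LAN is advertised over AutoVPN,
# but the Client VPN pool was left at "Use VPN" = no (field names assumed).
MX_SITE_TO_SITE = [
    {"localSubnet": "10.180.1.0/24", "useVpn": True},
    {"localSubnet": "10.181.1.0/24", "useVpn": False},
]
VMX_ENI = "eni-vmx-placeholder"  # assumed id of the vMX network interface
# Constructed VPC route table and security-group inbound sources.
AWS_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "target": "local"},
    {"DestinationCidrBlock": "10.180.1.0/24", "target": VMX_ENI},
    {"DestinationCidrBlock": "10.181.1.0/24", "target": VMX_ENI},
]
AWS_SG_INBOUND = ["10.180.0.0/16", "10.181.1.0/24"]


def covering(cidrs, subnet):
    """Return the entries of cidrs that fully contain subnet (prefix match)."""
    net = ipaddress.ip_network(subnet)
    return [c for c in cidrs if net.subnet_of(ipaddress.ip_network(c))]


def check_path(client_subnet, advertised, routes, sg_cidrs, vmx_eni=VMX_ENI):
    """List the hops at which client_subnet is missing; empty means all present."""
    problems = []
    # 1. MX side: only subnets flagged useVpn are carried over the site-to-site VPN.
    adv = [s["localSubnet"] for s in advertised if s["useVpn"]]
    if not covering(adv, client_subnet):
        problems.append("mx: subnet not advertised into site-to-site VPN (Use VPN = no)")
    # 2. VPC side: a return route must exist AND point at the vMX, not "local".
    back = [r for r in routes if r["target"] == vmx_eni]
    if not covering([r["DestinationCidrBlock"] for r in back], client_subnet):
        problems.append("aws: no return route to the vMX for subnet in VPC route table")
    # 3. Security group: the source range must be permitted inbound.
    if not covering(sg_cidrs, client_subnet):
        problems.append("aws: no security group rule allowing subnet")
    return problems


def with_use_vpn(advertised, subnet):
    """Return a copy of the MX table with 'Use VPN' switched on for subnet."""
    return [dict(s, useVpn=True) if s["localSubnet"] == subnet else dict(s)
            for s in advertised]


if __name__ == "__main__":
    for sub in ("10.180.1.0/24", "10.181.1.0/24"):
        print(sub, check_path(sub, MX_SITE_TO_SITE, AWS_ROUTES, AWS_SG_INBOUND) or "ok")
```

Running it on the constructed data reports only the missing MX advertisement for 10.181.1.0/24, which is the condition Raj66 describes, while the LAN subnet passes all three checks.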


Stealth_Network
Getting noticed

Hi,


You shouldn't need routes set up on the vMX, as you should see them advertised over the VPN from the MX.


If you take them off do you see them advertised?


As suggested, packet captures will help troubleshoot.


Good luck
