Client VPN cannot ping site-to-site

SOLVED
YellowKLR

Hello,

When I am connected to the client VPN on our MX90, I am not able to access resources on our remote sites that are connected via site-to-site VPNs.

Here's the background...

Our Dashboard had all the switches installed across 23 remote sites in one network, and all the APs in another network. 
I reorganized the Dashboard, creating combined networks for our remote sites. 

Before the reorganization, I could access resources on all of our remote sites when connected to the client VPN, but no longer.

The client VPN runs on the MX90 at our main site. I can access all resources on that site's subnets, but I cannot ping anything on the remote subnets.

The firewalls can ping each other.
I confirmed that the client VPN on the MX90 is included in the VPN.
On the remote MXs, I looked at the remote VPN participants and confirmed that the client VPN subnet was listed as a participant.
The site-to-site VPN was not changed; it is set up with the MX90 as the hub and all other sites as spokes.

Does anyone have suggestions as to what I can check?

3 REPLIES

cmr

It could be routing or firewalling.

For routing, can you try a traceroute to a remote site and the same from a site to a client VPN address?

For firewalling, remember the site-to-site VPN uses a different set of rules to normal firewalling, so make sure you are checking the correct list.

Yes, I was checking the site-to-site outbound firewall.

I did the traceroute from the client VPN to a remote site; it did not go to the MX90.
I recreated my W10 VPN connection in case there was an error; still can't get to the remote site.

We have the VPN connection set up for split tunnel, so I changed the setting to have the VPN connection use the default gateway on the remote network, and I was able to access resources on the remote site.

Our system changes have not been well-documented, so I'm guessing that IT laptops were initially set up with a full tunnel VPN connection so we could manage all of our remote sites when off campus, even though the official documentation states to use a split tunnel.

Thanks for the assistance and nudge in the right direction.
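The fix above works because full tunnel sends every packet through the MX90, but it also routes all of the laptop's Internet traffic through the hub. An alternative that keeps the documented split-tunnel setting is to add static routes for the spoke subnets to the Windows VPN connection, so only traffic for those networks is sent over the tunnel. The following is an added example, not from the thread or from Meraki; it assumes the Windows built-in VPN client used by the W10 connection, a connection named "HQ-VPN", and placeholder spoke subnets and hosts.

```powershell
# Added example (not from the thread): add split-tunnel routes for the
# remote-site subnets so a Windows 10 client VPN can reach hosts behind
# the site-to-site spokes without switching to full tunnel.
# Assumptions: the connection is called "HQ-VPN" and the spoke subnets
# and test host below are placeholders, not values from the thread.
$ConnectionName = "HQ-VPN"
$RemoteSubnets  = @("10.20.0.0/24", "10.21.0.0/24")   # placeholder spoke subnets
$TestHost       = "10.20.0.10"                         # placeholder remote host

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# The routes are only needed while the connection is split tunnel; a full
# tunnel already sends everything through the hub.
if (-not $vpn.SplitTunneling) {
    Write-Warning "$ConnectionName is a full tunnel; the routes below are only needed for split tunnel."
}

# Install one route per spoke subnet, skipping any that already exist.
# These routes are bound to the VPN connection: they are added to the
# routing table when it connects and removed when it disconnects.
foreach ($prefix in $RemoteSubnets) {
    $existing = Get-VpnConnectionRoute -ConnectionName $ConnectionName |
        Where-Object { $_.DestinationPrefix -eq $prefix }
    if ($null -eq $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
        Write-Host "Added route $prefix via $ConnectionName"
    }
}

# Verification: list the routes attached to the connection, then (once the
# VPN is up) trace to a spoke host. The first hops should now cross the
# MX90 instead of leaving via the local default gateway.
Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Format-Table DestinationPrefix, RouteMetric
Test-NetConnection -ComputerName $TestHost -TraceRoute
```

If the traceroute reaches the MX90 but stops there, the remaining checks are the ones in the accepted answer: the site-to-site VPN firewall rules on the hub and whether the spoke lists the client VPN subnet as a participant.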

cmr

No worries, glad it was a simple fix 😎
