Client VPN cannot see resources at distant end of non-meraki site to site VPN



Hi Community, I hope someone can help.


I have a non-Meraki peer site-to-site VPN into AWS. The AWS end is not a standard customer gateway, so the AWS template was not applicable.


The VPN is up and running with no issues when accessed from within the main subnet.

The distant end subnet is


However if I try to access the resources at from my home via the Client VPN (Windows 10 inherent Client VPN) I cannot see any of them. The client VPN subnet is


Initially I could not see anything in the main subnet either except singularly the meraki firewall on

The help documentation states that all of the main subnet should be accessible from the client VPN subnet. The only way I gained access to the whole main subnet via the client VPN was by adding an outgoing firewall rule enabling source to destination . I suspect this is masking an incorrect setting but would welcome suggestions.


I read previous community dialogue that revolved around checking that the client VPN subnet and main subnet were both enabled for VPN. They always have been in my case so that is not the issue.


Packet Captures have helped a bit but also are misleading. For example if I am in the office running constant ping to they receive successful echo returns. When I tracert this path from  it shows >>> >>>>>>>

When I run packet captures I see the ICMP traffic in both directions at LAN but nothing on site to site VPN. I know it must be passing through the VPN however as the pings are successful. (I have raised that question on a separate article)


If I run constant ping from home via the client VPN I see echo requests at Client VPN originating from (my allocated IP address on the client VPN subnet), but no corresponding echo returns, which is not surprising as the pings are failing. When I look for packet captures on the site-to-site VPN no traffic is visible. Here is a strange thing: the Meraki support engineer tells me that when he accessed the network over a client VPN that I set up for him, he could see the ping requests from on the site-to-site VPN but no echo returns. His conclusion is that something is amiss at the distant end and I don't doubt this. However I cannot understand how I never see packet captures on the site-to-site VPN interface either when pings are originating from the main subnet or the client VPN.


Incidentally I have not generated any additional VLANs


Still waiting on further messages from Meraki Support but any advice would be greatly appreciated.

I am still suspecting that a fundamental setting is wrong, based on having to set a firewall rule to allow the client VPN subnet access to the main subnet. 

Kind of a big deal

Make sure is included in your VPN range on your end.  Make sure the remote end also has this range in your VPN encryption domain.  Make sure AWS has in its route table pointing to the VPN appliance.  Make sure the AWS security group is allowing this range.
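The four checks in the reply above, written out as an added example (not code from the original post or from Meraki/AWS): given the client VPN subnet, the Meraki side's VPN-enabled networks, the AWS side's encryption domain, the VPC route table and the security group's ingress CIDRs, it reports which of the four conditions fail. All addresses, route targets and names in it are constructed placeholders, since the thread's real subnets are not shown; the route lookup uses longest-prefix match as a VPC route table does.

```python
import ipaddress

def covered(prefix, ranges):
    """True when prefix lies entirely inside at least one network in ranges."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(r, strict=False)) for r in ranges)

def aws_route_target(prefix, routes):
    """Longest-prefix-match lookup over (destination, target) pairs; None if nothing matches.
    A bare default route to an internet gateway will win here when the specific route is missing."""
    net = ipaddress.ip_network(prefix, strict=False)
    matches = [(ipaddress.ip_network(dst, strict=False), target) for dst, target in routes
               if net.subnet_of(ipaddress.ip_network(dst, strict=False))]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def check_client_vpn_path(client_vpn_subnet, local_vpn_networks, remote_encryption_domain,
                          aws_routes, vpn_target, sg_ingress_cidrs):
    """Apply the reply's four checks. Only CIDR coverage is examined, not ports,
    protocols or per-tunnel traffic selectors, so a True here is necessary, not sufficient."""
    return {
        "local_vpn_range": covered(client_vpn_subnet, local_vpn_networks),
        "remote_encryption_domain": covered(client_vpn_subnet, remote_encryption_domain),
        "aws_route_to_vpn": aws_route_target(client_vpn_subnet, aws_routes) == vpn_target,
        "aws_security_group": covered(client_vpn_subnet, sg_ingress_cidrs),
    }

# Constructed sample values (placeholders, not the poster's real addressing)
CLIENT_VPN = "192.168.200.0/24"
MAIN_SUBNET = "10.10.0.0/24"
LOCAL_VPN_NETWORKS = [MAIN_SUBNET, CLIENT_VPN]    # Meraki side: both networks set to VPN on
REMOTE_ENCRYPTION_DOMAIN = [MAIN_SUBNET]          # AWS side: client VPN range never added
AWS_ROUTES = [("172.31.0.0/16", "local"),
              (MAIN_SUBNET, "vgw-placeholder"),   # only the main subnet points at the VPN
              ("0.0.0.0/0", "igw-placeholder")]
SG_INGRESS = [MAIN_SUBNET]                        # security group also only trusts main subnet

def sample_result():
    return check_client_vpn_path(CLIENT_VPN, LOCAL_VPN_NETWORKS, REMOTE_ENCRYPTION_DOMAIN,
                                 AWS_ROUTES, "vgw-placeholder", SG_INGRESS)

if __name__ == "__main__":
    for check, ok in sample_result().items():
        print(f"{check:26s} {'OK' if ok else 'MISSING'}")
```

With the constructed values only the local Meraki check passes; the other three come back MISSING, which is the pattern that matches pings leaving the client VPN but never returning.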
