Client VPN from spoke cannot reach hub servers - no routes to hub networks

Solved
athan1234
A model citizen


Hello,


Client connects to spoke via Client VPN but cannot reach hub servers (192.168.98.0/24). Route to hub network doesn't appear in client's routing table.

Issue:

  • Hub has servers on 192.168.58.0/24
  • Users connect via Client VPN to center on spoke
  • Cannot reach hub servers - no route appears in client routing table

Question: Should the spoke MX automatically advertise hub networks (learned via AutoVPN) to Client VPN users?
Is this a missing configuration or an unsupported scenario?
Or is it necessary to set up the Client VPN on the hub if the customer wants users to connect from another spoke device for security or any other reason?

Environment: MX appliances, Windows clients


ConnorL
Meraki Employee All-Star

Have you enabled Client VPN &/or AnyConnect subnets on the Site to Site VPN page?

athan1234
A model citizen

In the spoke's Security & SD-WAN > Configure > Site-to-Site VPN under "Local networks", I see:

  • Client VPN: Enabled, 192.168.251.0/24

Should I add the hub network as an additional entry?

  • Name: Hub Servers
  • VPN mode: Enabled
  • There is no option to add a Subnet: 192.168.98.0/24

Will this tell the spoke to advertise hub networks as accessible to Client VPN users through AutoVPN?

ww
Kind of a big deal

AFAIK, L2TP doesn't advertise subnets to Client VPN users.

The client should use full tunnel to Meraki.

Or

In case of split VPN, you should configure the Client VPN with (static) routes. @PhilipDAth had made a script, I believe:

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

athan1234
A model citizen

Thanks for confirming that L2TP doesn't advertise subnets automatically. 

Current situation:

  • Hub advertises 192.168.98.0/24 via AutoVPN (confirmed in dashboard)
  • Client VPN on spoke assigns full tunnel (0.0.0.0/0 route via VPN)
  • Users still cannot reach hub servers

Question: Since these users specifically need access to hub servers, would creating the Client VPN directly on the hub solve this routing issue entirely? This seems like the simpler solution given the L2TP limitations.

However, I'm confused about one thing: If the hub is advertising 192.168.98.0/24 via AutoVPN, and the spoke should receive this route, why don't I see this route when connected as a Client VPN user? Shouldn't the spoke know how to reach the hub network and forward the traffic accordingly?

Is this a fundamental limitation where Client VPN traffic doesn't use the AutoVPN learned routes, even in full tunnel mode?

Considering Philip DAth's script vs. moving Client VPN to hub for simplicity.

Thanks for the clarification!

alemabrahao
Kind of a big deal

Sorry, but have you tried doing a packet capture?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
athan1234
A model citizen

Ok, but I would like to know this question, if it is possible:

If the hub is advertising 192.168.98.0/24 via AutoVPN, and the spoke should receive this route, why don't I see this route when connected as a Client VPN user? Shouldn't the spoke know how to reach the hub network and forward the traffic accordingly?

alemabrahao
Kind of a big deal

Yes, but the question is, is this hub declared as a hub for this spoke?

Packet capture will tell you where the traffic is stopping.

Also, have you validated the Spoke's routing table to see if it's actually receiving this route?

athan1234
A model citizen

I reply to you in bold letters.

Yes, but the question is, is this hub declared as a hub for this spoke?

Yes.

Also, have you validated the Spoke's routing table to see if it's actually receiving this route?

Yes, on the spoke, yes.

One more thing — is it possible, in the spoke, to check the IPv4 default route to reach the hub?


alemabrahao
Kind of a big deal

Try adding the route manually on your Windows computer.

https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN

athan1234
A model citizen

Okay, it's an option, but then each user will have to add the route to reach the server — it's a mess.

Do you think it will work if I check the default IPv4 address?

alemabrahao
Kind of a big deal

When configuring hubs for a spoke, there is an option to select a hub as a Default route. If this option is selected, then that hub will be configured as a default route for the spoke (0.0.0.0/0). Any traffic that is not sent to a configured VPN peer network, a static route or local network will be sent to the default route. This routing will apply to any traffic originating from subnets set to, "In VPN" or that have VPN mode "Enabled."  Subnets that have VPN mode "Disabled" will not adhere to the VPN routing tables. Multiple hubs can be selected as default routes. Hubs marked as default routes take priority in descending order (first priority at the top).

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings

athan1234
A model citizen

Hi everyone,

I want to confirm my understanding of how split tunnel and full tunnel work in Meraki:

Client VPN (Remote Users)

  • Always Full Tunnel by default - all traffic goes through VPN
  • The "IPv4 default route" checkbox in Hub configuration does NOT affect Client VPN
  • To achieve Split Tunnel: Must uncheck "Use default gateway on remote network" in Windows adapter settings
  • Result: Internet goes direct, internal resources still go through VPN automatically

Site-to-Site VPN (Between MX Appliances)

  • Controlled by "IPv4 default route" checkbox in Hub configuration
  • Checkbox CHECKED = Full Tunnel (spoke sends all traffic to hub)
  • Checkbox UNCHECKED = Split Tunnel (only specific networks go through VPN)

Key Differences

  • Client VPN: Cannot be controlled from Meraki dashboard, must configure on client side
  • Site-to-Site VPN: Controlled from Meraki dashboard with hub checkbox
  • These are independent systems - they don't affect each other

Am I correct in my understanding?

Specifically:

  1. Client VPN is always full tunnel unless you modify the Windows adapter settings?
  2. Site-to-Site VPN split/full tunnel is controlled only by the hub checkbox?
  3. These two systems are completely independent?
  4. Unchecking "use default gateway" in Windows adapter converts Client VPN to split tunnel?

Thanks for any confirmation or corrections!

alemabrahao
Kind of a big deal

Default Behavior: Yes, Client VPN is full tunnel by default, all traffic (including internet-bound) is routed through the VPN.


Dashboard Control: Correct, Meraki Dashboard does not control split/full tunnel behavior for Client VPN.


Split Tunnel Configuration
To achieve split tunneling, you must manually uncheck “Use default gateway on remote network” in the Windows VPN adapter settings.
This causes internet traffic to go directly out the local interface, while traffic destined for internal networks (defined by the VPN subnet) still goes through the VPN.


Site-to-Site VPN
Controlled by Dashboard: Yes, the “Use VPN” and “Default Route” settings in the Hub configuration control split vs. full tunnel.


Checkbox Behavior:
Checked = Full Tunnel: All traffic from the spoke is routed to the hub.
Unchecked = Split Tunnel: Only traffic destined for specific subnets (advertised by the hub) is routed through the VPN.

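As an added example (not from the thread, and not a Meraki script), here is the client-side configuration that the two replies above describe, done with Windows' built-in VpnClient cmdlets instead of the adapter dialog and a per-user "route add": it switches the Windows VPN connection to split tunnel, which is the same thing as unchecking "Use default gateway on remote network", and attaches the hub prefix as a connection route so it is installed every time the VPN comes up. The connection name and the spoke LAN prefix are placeholders; the hub and Client VPN prefixes are the ones quoted in the thread.

```powershell
# Added example: split-tunnel a Windows Client VPN connection and attach
# the internal prefixes as connection routes, so users do not have to
# edit the adapter or run "route add" themselves after every connect.
# Run in the profile of the user who owns the VPN connection.

$ConnectionName = 'Spoke VPN'   # placeholder, use the real connection name
$InternalPrefixes = @(
    '192.168.98.0/24',    # hub server network (from the thread)
    '192.168.251.0/24',   # Client VPN pool on the spoke (from the thread)
    '192.168.10.0/24'     # spoke LAN, placeholder: replace with the real one
)

# Fail early if the connection does not exist for this user.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# SplitTunneling $true is the cmdlet equivalent of unchecking
# "Use default gateway on remote network" in the adapter's IPv4 settings:
# Internet traffic leaves via the local NIC, only listed prefixes go in the tunnel.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# Routes attached to the connection are added when it dials and removed
# when it disconnects, unlike a one-off "route add" that must be repeated.
$existing = @(Get-VpnConnectionRoute -ConnectionName $ConnectionName `
    -ErrorAction SilentlyContinue | ForEach-Object { $_.DestinationPrefix })

foreach ($prefix in $InternalPrefixes) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName `
            -DestinationPrefix $prefix -PassThru
    }
}

# Verify: only the listed prefixes should be tied to the VPN connection;
# after connecting, "route print" should still show 0.0.0.0/0 on the physical NIC.
Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Select-Object DestinationPrefix, RouteMetric
```

The hub prefix still has to be reachable from the spoke over AutoVPN (the route the spoke already shows in its own routing table); this only tells the Windows client which destinations belong in the tunnel.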