We have a retail store that is directly connected to our network via fiber, thus we have the AutoVPN disabled (as it is not needed).
The store is coming into our gateway (Cisco ASA) on VLAN 100.
The store is using an MX85 with SFP on WAN1 to connect directly to the fiber. WAN2 is disabled. WAN1 is configured to tag traffic with VLAN 100 and has an IP of 10.100.1.6/24. The Cisco ASA (being the gateway) has the following config:
interface Port-channel12.100
vlan 100
nameif vlan100-int
security-level 0
ip address 10.100.1.1 255.255.255.0 standby 10.100.1.2
The MX85 has three VLANs configured. VLAN 5 (10.10.1.0/25), VLAN 10 (10.10.1.128/26) and VLAN 15 (10.10.1.192/26).
Our DHCP server (10.50.1.7) sits on another VLAN (VLAN 50) which is connected to the gateway (Cisco ASA).
The routing table on the MX85 looks as such:
Stat Ver Subnet Name VLAN Next hop Dest Type
- IPv4 0.0.0.0/0 Default - - WAN uplink Default WAN Route
- IPv4 10.10.10.0/25 Retail 5 10.10.10.1 10.10.10.1 Local VLAN
- IPv4 10.10.10.128/26 Retail 10 10.10.10.129 10.10.10.129 Local VLAN
- IPv4 10.10.10.192/26 Retail 15 10.10.10.193 10.10.10.193 Local VLAN
Using the "Tools" on the "MX Security & SD-WAN" page I can ping (and get responses from) the DHCP server from the Internet interface and I can ping (and get responses from) the DHCP server from the VLAN 5, 10 and 15 interfaces. Connectivity is established. BUT, when I try to connect clients on the network behind the MX85 and permit them to use DHCP for addresses, they never get a response. I try to enable the DHCP relay on the "Security & SD-WAN" -> "DHCP" page and I get the error: "The DHCP relay IP address must be in a subnet or static route in this network."
Connectivity is clearly established and the route exists, so why can I not enable DHCP relay?
Is there an option I am missing?
Did you create a static route in the MX pointing to the subnet of your DHCP server and the ASA as next hop?
I can't see any routes to the 10.50.1.x subnet in the information you've given us.
It's part of the default route. That subnet is behind the MX NAT interface.
I'm not talking about routes on the ASA, I'm talking about routes on the MX. Because it will not work through the WAN interface.
That fails with the error: "The static LAN route "Primary" has an invalid next hop IP. The IP address 10.100.1.1 is not on a configured subnet."
Are you using routed mode or Passthrough or VPN Concentrator?
Note: The DHCP server configured must be in a subnet configured on the MX, including directly-connected VLANs, static routes, and subnets participating in AutoVPN.
https://documentation.meraki.com/MX/DHCP/Configuring_DHCP_Relay
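To make the two dashboard errors in this thread concrete, here is a small added model (my own code, not Meraki's) of the validation rules quoted above: the DHCP relay target must fall inside a directly connected VLAN, a static route, or an AutoVPN subnet, and a static route's next hop must itself sit on a configured VLAN. The default route is deliberately not consulted, which is why reachability over the WAN uplink does not help. Addresses are the ones posted in the thread; the class and function names are assumptions of this example.

```python
"""Model of the MX dashboard checks seen in this thread (added example, not Meraki code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network


@dataclass
class StaticRoute:
    name: str
    subnet: IPv4Network
    next_hop: IPv4Address


@dataclass
class MxConfig:
    wan_ip: IPv4Address
    vlans: dict                                   # VLAN id -> IPv4Network
    static_routes: list = field(default_factory=list)
    autovpn_subnets: list = field(default_factory=list)

    def lan_subnets(self):
        """Everything the dashboard counts as 'in this network'.
        The default route over the (NATed) WAN uplink is intentionally absent."""
        return (list(self.vlans.values())
                + [r.subnet for r in self.static_routes]
                + list(self.autovpn_subnets))


def build_thread_config():
    """The MX85 as described in the thread: WAN1 10.100.1.6/24, three local VLANs."""
    return MxConfig(
        wan_ip=IPv4Address("10.100.1.6"),
        vlans={
            5: IPv4Network("10.10.10.0/25"),
            10: IPv4Network("10.10.10.128/26"),
            15: IPv4Network("10.10.10.192/26"),
        },
    )


def add_static_route(cfg, name, subnet, next_hop):
    """Static-route check: the next hop must be on a configured VLAN subnet.
    Returns (accepted, message); the message mirrors the dashboard error text."""
    subnet, next_hop = ip_network(subnet), ip_address(next_hop)
    if not any(next_hop in net for net in cfg.vlans.values()):
        return (False, f'The static LAN route "{name}" has an invalid next hop IP. '
                       f'The IP address {next_hop} is not on a configured subnet.')
    cfg.static_routes.append(StaticRoute(name, subnet, next_hop))
    return (True, f"route {subnet} via {next_hop} added")


def can_enable_dhcp_relay(cfg, relay_ip):
    """DHCP relay check: the server must be inside a VLAN, static route or AutoVPN subnet."""
    relay_ip = ip_address(relay_ip)
    if any(relay_ip in net for net in cfg.lan_subnets()):
        return (True, "ok")
    return (False, "The DHCP relay IP address must be in a subnet or static route in this network.")


if __name__ == "__main__":
    cfg = build_thread_config()
    # 1. The server lives behind the default route only -> first error in the thread.
    print(can_enable_dhcp_relay(cfg, "10.50.1.7"))
    # 2. A static route via the ASA fails because 10.100.1.1 is on the WAN side -> second error.
    print(add_static_route(cfg, "Primary", "10.50.1.0/24", "10.100.1.1"))
    # 3. With the server subnet learned over AutoVPN (the fix suggested later), the check passes.
    cfg.autovpn_subnets.append(ip_network("10.50.1.0/24"))
    print(can_enable_dhcp_relay(cfg, "10.50.1.7"))
```

Running it reproduces both error strings from the thread for the posted topology and shows that only a LAN-side path (a VLAN, a static route with a LAN next hop, or an AutoVPN subnet) satisfies the relay check.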
Why not use the MX DHCP server?
We could use the MX DHCP server, however we have many other retail sites that use MXs and the AutoVPN connected to a central DHCP server. We would like to keep everything together. -- I have read the article that you posted before. We are not utilizing a third-party VPN peer. There isn't a VPN at all. The MX is directly connected to the primary network and traffic is coming in on a specific VLAN to its gateway. While a specific route does not appear in the routing table, the network path exists because I can ping the DHCP server from the MX toolset. I just can't enable or use DHCP relay. Why?
It's not part of a local VLAN/AutoVPN or a defined static route. That subnet is on your ASA, so it's routed using the default route on the MX NAT interface.
I don't know if DHCP relay works on other vendors with NAT/PAT, but Meraki does not support it.
You can't use AutoVPN to reach the DHCP server like on your other retail sites?
There is no need to use the AutoVPN. The retail store's network is coming in direct and the VLAN terminates on the ASA. There is no NAT being performed. So, in this scenario DHCP relay is not possible? The route exists (through the primary "WAN" link) but it is not in the route table so DHCP relay can't pick it up?
The ping tool is not representative for client traffic. https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Ping_Liv...
The ping tool VLANs are not getting NATed. Clients on MX VLANs are getting NATed by default to the MX WAN IP. (Unless you have requested no NAT at support.)
You are correct and I have been schooled. Did not realize the NAT was taking place. I had never assigned a static IP to a device on the inside of the MX for testing.
If I'm following your description of the topology, the MX is the edge FW for this remote site. Outbound traffic will be NATed to the WAN int IP. It sounds more like you want a traditional router function here vs. what the MX is going to do, which is NAT on the outbound.
I'd say either run DHCP on the MX or use AutoVPN to a headend MX so there's a routed VPN path and NAT doesn't come into play.
The MX is the edge router for this remote site, but it is directly connected to the primary network. There is no NAT being performed. A capture on the ASA interface shows ICMPs from the MX Toolset for Internet (10.100.1.1) and VLAN 5 (10.10.10.1).