DNS issue between 2 Meraki MX

Alain_Bensimon
Getting noticed


Hello,

I'm having the following issue.

I currently have 3 sites, Montreal, Toronto and Vancouver.

Montreal (our HQ) is equipped with a Meraki MX68, 2 domain controllers (DNS and DHCP 10.69.11.0/24).

Vancouver has an MX64 (DHCP 10.69.12.0/24).

Toronto has an old Cisco RV220 (DHCP 10.69.10.0/24).


I have set up site-to-site connections between the sites.

Montreal DNS is set up in the Toronto and Vancouver DHCP.


In Montreal, on my DNS server, I have a zone that points to an Azure location.

From Montreal, I have no issue, I can get to it without a problem.

After I installed the Toronto connection, I realized I couldn't reach the Azure location from there because I don't have a DNS server there. I worked around the issue by creating a static route in the firewall that forced it to use the WAN interface to go to the Azure location.


That has worked very well so far.

After I installed the MX64 in Vancouver, I tried to do the same thing, but unfortunately the device does not allow me to create a route that is not in an existing subnet.


So currently, I cannot reach my Azure location from Vancouver.

I get stuck at my gateway.

cmr
Kind of a big deal

@Alain_Bensimon looking at the working site, the subnet mask looks incorrect as you are sending 10.anything to the gateway. Luckily more specific routes are probably overriding this, but did you mean to do that?


For the MX64 in Vancouver do you have a direct connection to Azure on the 207 address? I am confused as to why you aren't using the same 66. address?

So I assume that what you call the working site is Toronto, but no, that is the only static route I have, and it is just made to force the router to use the WAN connection and its gateway.


Regarding the MX64, the 66.11.93.166 is the IP address of the Cisco RV220 Gateway of Toronto, and 207.194.41.1 is the gateway address of Vancouver's MX64.


I'm just trying to replicate what I did in Toronto.

cmr
Kind of a big deal

Thanks @Alain_Bensimon. If you are setting a route to use the WAN connection for an unknown subnet, what is the default route at each site?

This is my Toronto routing table.


cmr
Kind of a big deal

The route with a red X is doing nothing as the one below covers it. I am not sure why the highlighted routes are there; do you know?


Alain_Bensimon
Getting noticed

I have no clue. I guess it was already there. Anyway, I'm planning to replace that router with an MX68 that I already have ready, but prior to that, I have to ensure that I fix the issue I have in Vancouver, because the same issue will come up in Toronto as well.

ww
Kind of a big deal

How do you connect to 10.200.x.x? Because it's a private range, it's not reachable on the Internet. You have some kind of VPN or private WAN to Azure somewhere?


In case it's a static route in Montreal, then you have to advertise that route into your AutoVPN.

I have a zone on my domain controller in Montreal:

ifs.*****gro.com

When Vancouver's clients get their DHCP, one of the name servers is the IP address of that DC, so they are looking into those DNS records and get stuck.

If I disable that name server in the DHCP, then the clients go through the Internet with no problem, but then they can't resolve Montreal resources' names.

ww
Kind of a big deal

How does Montreal route to 10.200.x.x?

Well, I assume that since I have my DC and DNS on site, it finds its route.


By the way, if I modify the hosts file of Vancouver's clients, it works, but I would prefer a better way.


cmr
Kind of a big deal

If you ping one of the hosts in the *gro.com domain from Vancouver do you get different IP addresses with and without the Montreal DNS server active?

Well, if I disable the Montreal DNS, Vancouver can only ping IP addresses, not names.
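The diagnosis cmr and ww are working through (compare the hub DNS answer with the public one, then check whether the spoke actually has an AutoVPN route to that answer), as an added Python example; this is not code from the thread or from Meraki, and the host name, addresses and subnet list are constructed placeholders.

```python
import ipaddress
from typing import Dict, Iterable

# Constructed sample data modelled on the thread. The zone name is redacted in
# the post (ifs.*****gro.com), so a placeholder is used; the addresses are
# assumptions: 10.200.x.x is the private Azure range ww asked about and
# 203.0.113.0/24 is documentation address space.
HOST = "ifs.placeholder-zone.example"
HUB_DNS_ANSWERS: Dict[str, str] = {HOST: "10.200.1.10"}      # zone on the Montreal DC
PUBLIC_DNS_ANSWERS: Dict[str, str] = {HOST: "203.0.113.25"}  # what the Internet returns

# Subnets a spoke learns over AutoVPN: the three site LANs from the thread.
# Nothing here covers 10.200.0.0/16, which is the actual problem.
AUTOVPN_ROUTES = ["10.69.11.0/24", "10.69.12.0/24", "10.69.10.0/24"]


def split_horizon(name: str, hub: Dict[str, str], public: Dict[str, str]) -> bool:
    """cmr's ping test: does the hub DNS give a different answer than public DNS?"""
    return name in hub and hub[name] != public.get(name)


def covered_by_vpn(ip: str, routes: Iterable[str]) -> bool:
    """True if ip falls inside any subnet advertised to the spoke over AutoVPN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in routes)


def diagnose(name: str, hub: Dict[str, str], public: Dict[str, str],
             routes: Iterable[str]) -> str:
    """Why can a spoke client that uses the hub DNS not reach name?

    "no-hub-record"          the hub zone has no entry, the public answer is used
    "split-horizon-unrouted" hub DNS returns a private address the spoke has no
                             VPN route for (the Vancouver symptom in the thread)
    "ok"                     the hub answer is routable from the spoke
    """
    if name not in hub:
        return "no-hub-record"
    answer = ipaddress.ip_address(hub[name])
    if answer.is_private and not covered_by_vpn(hub[name], routes):
        return "split-horizon-unrouted" if split_horizon(name, hub, public) else "private-unrouted"
    return "ok"


if __name__ == "__main__":
    print("Vancouver now:", diagnose(HOST, HUB_DNS_ANSWERS, PUBLIC_DNS_ANSWERS, AUTOVPN_ROUTES))
    # ww's fix: advertise the hub's route to the Azure range into AutoVPN.
    print("After advertising 10.200.0.0/16:",
          diagnose(HOST, HUB_DNS_ANSWERS, PUBLIC_DNS_ANSWERS, AUTOVPN_ROUTES + ["10.200.0.0/16"]))
```

Feeding it the real answers from `nslookup` against the DC and against a public resolver, plus the subnet list from the spoke's Site-to-site VPN page, turns cmr's question into a repeatable check.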

cmr
Kind of a big deal

Do the clients in Montreal only have the one DNS server (the same one that Vancouver has)?

yes

cmr
Kind of a big deal

I think you might have a DNS entry for something in Azure on your DNS server that conflicts with what is seen when you bypass it. Would that be the case, and if so, does it need to be there for the Azure host to work from the Montreal site?

Alain_Bensimon
Getting noticed

In my Montreal DNS server, I have this:


I'm pretty sure that if I had a DC in Vancouver, I wouldn't have that issue.
