Meraki

Community

DNS issue between 2 Meraki MX

Alain_Bensimon
Getting noticed
‎Sep 4 2022 10:10 AM
‎Sep 4 2022 10:10 AM

DNS issue between 2 Meraki MX

Hello,

I'm having the following issue.

I currently have 3 sites, Montreal, Toronto and Vancouver.

Montreal (our HQ) is equiped with a Meraki MX68, 2 domain controllers (DNS and DHCP 10.69.11.0/24).

Vancouver has an MX64 (DHCP 10.69.12.0/24).

Toronto has an old Cisco RV220 (DHCP 10.69.10.0/24).

 

I have setup site to site connection between the sites.

Montreal DNS is setup in Toronto and Vancouver DHCP.

 

In Montreal, on my DNS server, I have a zone that point to an Azure location.

From Montreal, I have no issue, I can get to it without a problem.

After I installed the Toronto connection, I realized I couldn't reach the Azure location from there because I don't have a DNS server there. I workaround the isue by creating a static route in the firewall that forced to use the WAN interface to go to the azure location.

Alain_Bensimon_0-1662310817021.png

That worked very good so far.

After I've installed the MX64 in Vancouver, I have tried to do the same thing, but unfortunately, the device does not allow to create a route that is not in an existing subnet

Alain_Bensimon_1-1662311078342.pngAlain_Bensimon_2-1662311097985.png

So currently, I cannot reach my Azure location from Vancouver.

I get stuck at my gateway 

Alain_Bensimon_3-1662311402727.png

 

0 Kudos
16 Replies 16
cmr
Kind of a big deal
Kind of a big deal
‎Sep 4 2022 12:52 PM
‎Sep 4 2022 12:52 PM

@Alain_Bensimon looking at the working site, the subnet mask looks incorrect as you are sending 10.anything to the gateway, luckily more specific routes are probably overriding this, but did you mean to do that?

 

For the MX64 in Vancouver do you have a direct connection to Azure on the 207 address? I am confused as to why you aren't using the same 66. address?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Alain_Bensimon
Getting noticed
‎Sep 4 2022 1:16 PM
‎Sep 4 2022 1:16 PM

So I assume that you call working site is Toronto, but no, that is the only static route I have, and it is just made to force the router to use the wan connection and it's gateway.

 

Regarding the MX64, the 66.11.93.166 is the IP address of the Cisco RV220 Gateway of Toronto, and 207.194.41.1 is the gateway address of Vancouver's MX64.

 

I'm just trying to replicate what I did in Toronto.

0 Kudos
In response to Alain_Bensimon
cmr
Kind of a big deal
Kind of a big deal
‎Sep 4 2022 1:19 PM
‎Sep 4 2022 1:19 PM

Thanks @Alain_Bensimon if you are setting a route to use the WAN connection for an unknown subnet, what is the default route at each site?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Alain_Bensimon
Getting noticed
‎Sep 4 2022 1:24 PM
‎Sep 4 2022 1:24 PM

this my Toronto's routing table

Alain_Bensimon_0-1662323036798.png

 

0 Kudos
In response to Alain_Bensimon
cmr
Kind of a big deal
Kind of a big deal
‎Sep 4 2022 1:42 PM
‎Sep 4 2022 1:42 PM

The route with a red X is doing nothing as the one below covers it, I am not sure why the highlighted routes are there, do you know?

cmr_0-1662324157101.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Alain_Bensimon
Getting noticed
‎Sep 4 2022 1:46 PM
‎Sep 4 2022 1:46 PM

I have no clue. I guess it was already there. Anyway, I'm planning to replace that router with an MX68 that I already have ready, but prior to it, I have to ensure that I fix the issue I have in vancouver because the same issue will come in Toronto as well.

0 Kudos
In response to Alain_Bensimon
ww
Kind of a big deal
Kind of a big deal
‎Sep 4 2022 1:49 PM
‎Sep 4 2022 1:49 PM

How do you connect 10.200.x.x because its a private range so its not reachable on the internet. You have some kind of vpn or private wan to azure somewhere?

 

In case its a static route in Montreal then you have to advertise that route into your autovpn

0 Kudos
In response to ww
Alain_Bensimon
Getting noticed
‎Sep 4 2022 1:54 PM
‎Sep 4 2022 1:54 PM

In have a zone on my domain controller in Montreal.

ifs.*****gro.com

when Vancouver's clients get their DHCP, one of the name servers is the IP address of that DC, so they are looking into that DNS records and get stuck.

If I disable that name server in the DHCP, then the clients go through the Internet with no problem, but then they can't resolve Montreal resourcese's names.

0 Kudos
In response to Alain_Bensimon
ww
Kind of a big deal
Kind of a big deal
‎Sep 4 2022 2:03 PM
‎Sep 4 2022 2:03 PM

How does Montreal route to 10.200.x.x?

0 Kudos
In response to ww
Alain_Bensimon
Getting noticed
‎Sep 4 2022 2:05 PM
‎Sep 4 2022 2:05 PM

well, I assume that since I have my DC and DNS on site, it finds it's route.

 

By the way, if I modify the hosts file of Vancouver's clients, it works, but I would prefer a better way.

 

0 Kudos
In response to Alain_Bensimon
cmr
Kind of a big deal
Kind of a big deal
‎Sep 4 2022 2:06 PM
‎Sep 4 2022 2:06 PM

If you ping one of the hosts in the *gro.com domain from Vancouver do you get different IP addresses with and without the Montreal DNS server active?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Alain_Bensimon
Getting noticed
‎Sep 4 2022 2:08 PM
‎Sep 4 2022 2:08 PM

well, if I disable the Montreal DNS, Vancouver can only ping IP adresses, no names.

0 Kudos
In response to Alain_Bensimon
cmr
Kind of a big deal
Kind of a big deal
‎Sep 4 2022 2:15 PM
‎Sep 4 2022 2:15 PM

Do the clients in Montreal only have the one DNS server (the same one that Vancouver has)?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Alain_Bensimon
Getting noticed
‎Sep 4 2022 2:16 PM
‎Sep 4 2022 2:16 PM

yes

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Sep 4 2022 2:51 PM
‎Sep 4 2022 2:51 PM

I think you might have a DNS entry for something in Azure on your DNS server that conflicts with what is seen when you bypass it. Would that be the case and if so does it need to be there for the azure host to work from the Montreal site? 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
Alain_Bensimon
Getting noticed
‎Sep 4 2022 3:14 PM
‎Sep 4 2022 3:14 PM

in my Montreal DNS server, I have this:

Alain_Bensimon_0-1662328433919.png

I'm pretty sure that If I had a DC in Vancouver, I wouldn't have that issue.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.