The MX is connected to the Palo via the WAN interface and is a spoke in the Meraki site to site. 

Have you read through these docs?

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#OSPF_route_advertisem...

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_OSPF_to_Advertise_Remote_VPN_Subnets

@Cole in order to use OSPF advertisements, you need to have the MX in VPN concentrator mode, not routing or pass through mode.  If in this mode it would also normally be the hub of the VPN, not a spoke.

@cmrThat's been updated. Routed mode is now supported:

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_OSPF_to_Advertise_Remote_VPN_Subnets

And concentrator and passthru modes are really the same modes, so passthru does work.

I think the problem here is what's already been called out. This is for VPN hubs only, spokes will not advertise routes. But I haven't tested this myself.

http://blog.brokennetwork.ca | @jdsilva

Oops, my bad!  As @jdsilva said, the issue appears to be simply it being a spoke, not a hub.  I'd only tried it in concentrator mode and wasn't aware the guidelines had changed.

If you change the MX to a hub, you can set exit hubs and this gets rid of one of the negatives.  The other main one being number of tunnels, so this may not affect you unless you have a lot of sites:

The top exit hub is used unless it goes down, then the next will take over.

>The MX is connected to the Palo via the WAN interface

I was under the impression that the OSPF advertisements (when in NAT mode) only go out the LAN interfaces.  I am surprised you managed to form an OSPF adjacency via the WAN interface.

That's certainly what the docs say

I put the MX back in Passthrough mode and made it a hub. After I did this, I reset the OSPF connections and rebooted both the MX and the Palo. Once they were back online they established full adjacency and the MX began advertising routes with the Palo. I did not add any statics for the network behind the Palo as the spoke sites have no need to access those networks. 

Thanks to everyone for the assistance on this. 

Cole

The MX is now in routed mode with the WAN interface connecting to the site to site and the LAN interface connected to the switch behind the Palo. The Palo now has all of the OSPF routes in the table and can ping hosts on the remote networks. However, I cannot access hosts via HTTPS, HTTP, ssl, etc. from the Palo network. I believe this is due to the fact that the subnet is not known to the remote networks because the MX will only advertise and not learn. According to the docs a static route is needed but I do not know where to add it.  

I also meant to mention that it is now a hub as well.

You add them under the Security & SD-WAN / Site-to-site VPN page where you changed it from Spoke to Hub and enable VPN participation as below:

The issue is traffic getting back the local subnet behind the Palo. According to the documentation there needs to be a static route:

Maybe I am misreading this?

The routes behind the Palo are considered local to the MX if you want other Auto-VPN members to be able to see them, is that what you want?

Yes, that is correct.

In routed mode, add the routes on Security & SD-WAN / Addressing & VLANs where you can set a gateway to the other network, sorry, post above was how to do it in concentrator mode.

Then on the other tab make sure to set VPN on under VPN settings for each network you want the other sites to know about.

Thanks, I know where to add them the problem is everytime I do it I get an error like the one below:

This is where I am getting stuck.

Do the second and third blanks reference items in the site that this MX is in, or another site?  Do you have a summary route on the MX that includes the one you are trying to add?

The blanks refer to a remote subnet that is on the Meraki site to site. 

The MX should already know those, this section is for adding routes that are not known to Meraki, i.e the ones the other side of the Palo that you want the other Meraki SD-WAN sites to know about.