I have an MX67-C running in pass through mode connected to a Palo Alto firewall via ethernet. The MX is in the site to site as a spoke, is connected and can see all of the other MXs in the network. I have configured OSPF on the MX and the Palo. The neighbor relationship has been established and the Palo is reporting full adjacency. However, none of the remote MX site routes are in the Palo routing table. I am kind of at a loss right now on this one and was hoping someone may have come across this.
@Cole has the MX in pass-through mode at the moment, so WAN should be okay. However it is also set up as a spoke so that won't work as far as I know.
Not sure if this works on the LAN side in passthrough mode.
But the OSPF info talks about hub mode, so that's what I would try first.
"OSPF can be used to allow MX security appliances in Auto VPN 'hub' mode at the headend to advertise remote VPN subnets to neighboring layer 3 devices. This feature is useful in topologies where a large number of VPN subnets makes configuring static routes impractical."
The MX is connected to the Palo via the WAN interface and is a spoke in the Meraki site to site.
@Cole in order to use OSPF advertisements, you need to have the MX in VPN concentrator mode, not routing or pass through mode. If in this mode it would also normally be the hub of the VPN, not a spoke.
@cmr That's been updated. Routed mode is now supported:
https://documentation.meraki.com/MX/Site-to-site_VPN/Using_OSPF_to_Advertise_Remote_VPN_Subnets
And concentrator and passthru modes are really the same modes, so passthru does work.
I think the problem here is what's already been called out. This is for VPN hubs only, spokes will not advertise routes. But I haven't tested this myself.
Oops, my bad! As @jdsilva said, the issue appears to be simply it being a spoke, not a hub. I'd only tried it in concentrator mode and wasn't aware the guidelines had changed.
If you change the MX to a hub, you can set exit hubs and this gets rid of one of the negatives. The other main one is the number of tunnels, so this may not affect you unless you have a lot of sites:
The top exit hub is used unless it goes down, then the next will take over.
>The MX is connected to the Palo via the WAN interface
I was under the impression that the OSPF advertisements (when in NAT mode) only go out the LAN interfaces. I am surprised you managed to form an OSPF adjacency via the WAN interface.
That's certainly what the docs say
I put the MX back in Passthrough mode and made it a hub. After I did this, I reset the OSPF connections and rebooted both the MX and the Palo. Once they were back online they established full adjacency and the MX began advertising routes with the Palo. I did not add any statics for the network behind the Palo as the spoke sites have no need to access those networks.
Thanks to everyone for the assistance on this.
Cole
The MX is now in routed mode with the WAN interface connecting to the site to site and the LAN interface connected to the switch behind the Palo. The Palo now has all of the OSPF routes in the table and can ping hosts on the remote networks. However, I cannot access hosts via HTTPS, HTTP, ssl, etc. from the Palo network. I believe this is due to the fact that the subnet is not known to the remote networks because the MX will only advertise and not learn. According to the docs a static route is needed but I do not know where to add it.
I also meant to mention that it is now a hub as well.
You add them under the Security & SD-WAN / Site-to-site VPN page where you changed it from Spoke to Hub and enable VPN participation as below:
The issue is traffic getting back to the local subnet behind the Palo. According to the documentation there needs to be a static route:
Maybe I am misreading this?
The routes behind the Palo are considered local to the MX if you want other Auto-VPN members to be able to see them, is that what you want?
Yes, that is correct.
In routed mode, add the routes on Security & SD-WAN / Addressing & VLANs where you can set a gateway to the other network; sorry, the post above was how to do it in concentrator mode.
Then on the other tab make sure to set VPN on under VPN settings for each network you want the other sites to know about.
Thanks, I know where to add them; the problem is every time I do it I get an error like the one below:
This is where I am getting stuck.
Do the second and third blanks reference items in the site that this MX is in, or another site? Do you have a summary route on the MX that includes the one you are trying to add?
The blanks refer to a remote subnet that is on the Meraki site to site.
The MX should already know those; this section is for adding routes that are not known to Meraki, i.e. the ones on the other side of the Palo that you want the other Meraki SD-WAN sites to know about.
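A small pre-check for the situation in the last few posts, added here as an example and not code from the thread or from Meraki: it classifies a candidate MX static route against the subnets the MX already learns over Auto VPN (including a summary that covers the candidate) and the local VLANs, so the route you add is only for networks behind the Palo. All subnets are constructed sample values, and the rule that the gateway must sit inside a local VLAN is an assumption about how the MX validates next hops.

```python
import ipaddress
from typing import Iterable, Tuple

# Constructed sample data (not from the thread).
# Subnets the MX already knows because other Auto VPN members advertise them;
# 10.30.0.0/16 plays the role of a summary route covering smaller remote subnets.
AUTOVPN_REMOTE_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/16"]
# VLAN/subnets configured locally on this MX under Addressing & VLANs.
LOCAL_VLANS = ["192.168.50.0/24"]


def classify_static_route(
    destination: str,
    gateway: str,
    local_vlans: Iterable[str] = LOCAL_VLANS,
    autovpn_subnets: Iterable[str] = AUTOVPN_REMOTE_SUBNETS,
) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate MX static route.

    Rejects a destination that overlaps a subnet already learned over Auto VPN
    (the MX knows it; the route belongs at the remote site that owns it) or a
    local VLAN, and requires the gateway to be inside a local VLAN so the next
    hop (the Palo's inside interface in this thread) is directly reachable.
    """
    dest = ipaddress.ip_network(destination, strict=False)
    gw = ipaddress.ip_address(gateway)

    for s in autovpn_subnets:
        known = ipaddress.ip_network(s)
        if dest.overlaps(known):  # also catches a summary that contains dest
            return False, f"{dest} overlaps Auto VPN subnet {known}; add it at the remote site"
    for v in local_vlans:
        vlan = ipaddress.ip_network(v)
        if dest.overlaps(vlan):
            return False, f"{dest} overlaps local VLAN {vlan}; no static route needed"
    # Assumption: the MX only accepts a next hop that is on-link in a local VLAN.
    if not any(gw in ipaddress.ip_network(v) for v in local_vlans):
        return False, f"gateway {gw} is not inside any local VLAN"
    return True, f"{dest} via {gw} is behind the Palo; enable VPN participation to advertise it"


if __name__ == "__main__":
    for dest, gw in [("10.10.0.0/24", "192.168.50.1"), ("10.30.5.0/24", "192.168.50.1"),
                     ("172.16.0.0/24", "172.16.0.1"), ("172.16.0.0/24", "192.168.50.1")]:
        print(dest, gw, classify_static_route(dest, gw))
```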