IPsec Tunnel Configuration Issue - Overlapping Subnets

Solved
Yahia

Hello

I am encountering an issue when attempting to create an IPsec tunnel with a Non-Meraki peer. I received the following notification:

The settings you requested require confirmation. Please review the following list:
- The VLAN subnets 10.2.2.0/24, 10.40.40.0/24, 10.50.50.0/28, 10.33.33.0/24, and 10.44.44.0/24 overlap with a remote VPN subnet on the Non-Meraki peer Tunnel-1 (10.0.0.0/8). IP traffic will be routed to the smallest subnet that contains the IP address.
- A subnet on the Non-Meraki peer Tunnel-1 (10.0.0.0/8) overlaps with subnets on the network Estarta TAC - appliance (10.238.70.0/24, 10.238.71.0/24, 10.238.76.0/23, and 10.238.78.0/24). IP traffic will be routed to the smallest subnet that contains the IP address.

Could you please clarify why this notification appears and whether creating the tunnel will have any impact on the network or routing due to this overlap?

Please note that Tunnel-1 is configured on the "X" network, while I am planning to create a new tunnel on the "Y" network. It's important to mention that the two networks are completely separate and have no direct connection with each other.


1 Accepted Solution
ww

It's more an informational notification.

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Overlapping_Routes

The router will first use the routes to 10.238.70.0/24, 10.238.71.0/24, 10.238.76.0/23, and 10.238.78.0/24.

All other 10.x.x.x destinations will be routed to the new tunnel.

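The "smallest subnet that contains the IP address" rule from the dashboard warning is ordinary longest-prefix matching. As an added example that is not part of the original thread and is not Meraki's own code, the following Python script models the route table described in this thread with the standard ipaddress module and shows which next hop each destination resolves to, plus a reproduction of the overlap list the dashboard prints. The route table, the next-hop labels and the sample destinations are constructed from the subnets quoted above; the assumption that a tie between two equal-length prefixes goes to the first entry is mine, not something the dashboard documents.

```python
import ipaddress

# Constructed route table, modelled on the subnets quoted in the thread.
# Local VLANs are the most specific prefixes; the existing Non-Meraki peer
# Tunnel-1 advertises the whole 10.0.0.0/8; the new peer is 192.168.150.0/24.
ROUTES = [
    ("10.2.2.0/24",      "local VLAN"),
    ("10.238.70.0/24",   "local VLAN (Estarta TAC - appliance)"),
    ("10.238.71.0/24",   "local VLAN (Estarta TAC - appliance)"),
    ("10.238.76.0/23",   "local VLAN (Estarta TAC - appliance)"),
    ("10.238.78.0/24",   "local VLAN (Estarta TAC - appliance)"),
    ("10.0.0.0/8",       "Non-Meraki peer Tunnel-1"),
    ("192.168.150.0/24", "Non-Meraki peer (new tunnel)"),
]


def build_table(routes):
    """Parse (prefix, next_hop) pairs into (ip_network, next_hop) tuples.
    strict=True rejects prefixes with host bits set, e.g. 10.2.2.5/24."""
    return [(ipaddress.ip_network(prefix, strict=True), hop) for prefix, hop in routes]


def lookup(table, destination):
    """Longest-prefix match.

    Returns the (network, next_hop) of the most specific route that contains
    `destination`, or None when no route matches. Assumption: when two routes
    with the same prefix length both match, the first entry in the table wins.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def overlapping_routes(table):
    """List (more_specific, less_specific) pairs, which is what the dashboard
    warning enumerates: every prefix that sits inside another prefix."""
    pairs = []
    for a, hop_a in table:
        for b, hop_b in table:
            if a != b and a.subnet_of(b):
                pairs.append((str(a), hop_a, str(b), hop_b))
    return pairs


if __name__ == "__main__":
    table = build_table(ROUTES)
    # Constructed sample destinations: one per interesting case.
    for dst in ["10.2.2.10", "10.238.70.5", "10.238.77.9",
                "10.50.1.1", "192.168.150.20", "172.16.0.1"]:
        print(f"{dst:16} -> {lookup(table, dst)}")
    print()
    for a, hop_a, b, hop_b in overlapping_routes(table):
        print(f"{a} ({hop_a}) overlaps {b} ({hop_b}); {a} wins for its own addresses")
```

Running it shows the behaviour the accepted answer describes: addresses inside the local VLANs (10.2.2.10, 10.238.70.5, 10.238.77.9) stay local, any other 10.x.x.x address (10.50.1.1) follows the 10.0.0.0/8 route to the existing peer, 192.168.150.20 follows the new peer's /24, and an address with no matching route (172.16.0.1) returns None and would fall through to whatever default route the MX has. The overlap list contains exactly the five local-VLAN-inside-10/8 pairs the dashboard flagged, which is why the message is informational: nothing is ambiguous as long as the prefix lengths differ.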
6 Replies
Yahia

Please note that the new tunnel is on a different MX and network.

alemabrahao

Do you have any other tunnel, or anything within the SD-WAN tunnel, that is configured to use the 10.0.0.0/8 network? If you have, and you are configuring a new tunnel with more specific networks, routing will give priority to the more specific networks. Can you please share a screenshot?

Yahia

I have two MXs, each MX in a separate network.

MX-1 has Tunnel-1, remote site IP 10.0.0.0/8.

MX-2: I want to create a new tunnel to a non-Meraki device, remote site IP 192.168.150.0/24.


PhilipDAth

Note that when you configure a non-Meraki VPN it is done on *every* network, unless you use tags. To be 100% clear, it is not done on just the currently selected network.


Refer to step 9.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers


Yahia

Network 1 has an MX security appliance with an established VPN tunnel to another site. Now, I want to create a new VPN tunnel from Network 2 (which also has its own MX appliance) to a different site, without any connection or dependency on Network 1's MX or its tunnels.

However, when I try to save the new tunnel configuration in Network 2, a warning message appears. This message is only a warning and does not prevent saving the configuration.
