Issues Implementing Umbrella Cloud On-Ramp

Brash
Kind of a big deal

I'm working on implementing Meraki to Umbrella SIG Tunnels (using Cloud On-ramp) but am seeing some strange behaviour.

The existing topology is relatively simple - single MX hub at the HQ and around 30 branch locations as spokes.

The hub at the HQ is a VPN concentrator and advertises around 6 subnets.

At a branch location, as soon as I add the two Umbrella hubs, all network traffic (including that which should go to the HQ) is sent to the Umbrella tunnel, and is therefore black-holed.

I've already got a ticket open with Meraki support, who suggested there may be something messed up with the routing table implementation?

Has anyone with a similar setup seen issues like this?

6 Replies
alemabrahao
Kind of a big deal

Have you reviewed these documents?

https://documentation.meraki.com/MX/Site-to-site_VPN/MX_and_Umbrella_SIG_IPSec_Tunnel

https://docs.umbrella.com/umbrella-user-guide/docs/configure-tunnels-with-meraki-mx

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

I am very uncertain of this, so I could be very wrong...

I believe all on-premises sites need to be spokes. So you need to change your hub to a spoke. You need to move your current AnyConnect termination to Umbrella. Users need to VPN into there.

PhilipDAth
Kind of a big deal

This will be related to it:
https://documentation.meraki.com/MX/Meraki_Umbrella_SDWAN_Connector/Deployment_Guide

"Due to the default Meraki Auto-VPN design, all VPN hubs in an organization will automatically tunnel to all other hubs in an organization. This behaviour changes for the Meraki Umbrella SDWAN Connector solution, when the connector hubs are deployed, all other hubs in the organization will not automatically tunnel to SIG and all hub traffic will not be defaulted to Umbrella. The Meraki Umbrella SDWAN Connector network hubs will not automatically tunnel to other hubs in the organization."

Brash
Kind of a big deal

See, I had seen this but had discounted it, as I would expect the packet flow for non-internet-bound traffic (RFC 1918 IPs advertised by the hubs) to go from spoke to HQ hub, as it would have a more specific route than the 0.0.0.0/0 that gets installed for Umbrella.

And assuming that's the case, I'm not too concerned about communication from the hubs to Umbrella, as they're deployed as VPN concentrators and at this point don't require tunnels to Umbrella.
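The longest-prefix-match expectation described in the post above (a more specific hub prefix should beat the 0.0.0.0/0 installed for the Umbrella tunnel), worked through as an added example that is not part of this thread and is not Meraki or Umbrella code. The prefixes, destination addresses and next-hop labels are constructed for illustration; the second table, with the hub prefixes missing, only reproduces the symptom reported in the original post (HQ-bound traffic falling through to the tunnel) and does not model how the MX actually builds its table.

```python
import ipaddress
from typing import Optional

# Next-hop labels are constructed; they stand in for "the Umbrella SIG tunnel"
# and "the Auto-VPN tunnel to the HQ hub" from the thread's topology.
UMBRELLA_TUNNEL = "umbrella-sig-tunnel"
HQ_HUB = "hq-hub-autovpn"

# Constructed RFC 1918 prefixes standing in for the ~6 subnets the HQ hub advertises.
HQ_PREFIXES = ("10.10.0.0/16", "10.20.0.0/16", "192.168.100.0/24")


def build_table(include_hub_routes: bool = True):
    """Return a spoke routing table as (network, next_hop) pairs.

    The default route toward Umbrella is always present; the more specific
    hub prefixes are included only when include_hub_routes is True, so the
    second case models a table where those routes never made it in.
    """
    table = [(ipaddress.ip_network("0.0.0.0/0"), UMBRELLA_TUNNEL)]
    if include_hub_routes:
        for prefix in HQ_PREFIXES:
            table.append((ipaddress.ip_network(prefix), HQ_HUB))
    return table


def select_next_hop(table, dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, next_hop in table:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return best[1] if best else None


def route_decisions(table, destinations):
    """Map each destination to the next hop the table selects for it."""
    return {dst: select_next_hop(table, dst) for dst in destinations}


if __name__ == "__main__":
    # One constructed HQ-bound destination and one internet-bound destination.
    probes = ("10.10.5.7", "192.168.100.20", "203.0.113.9")

    print("with hub prefixes present (expected behaviour):")
    for dst, hop in route_decisions(build_table(), probes).items():
        print(f"  {dst:>16} -> {hop}")

    print("with hub prefixes absent (symptom from the original post):")
    for dst, hop in route_decisions(build_table(include_hub_routes=False), probes).items():
        print(f"  {dst:>16} -> {hop}")
```

With the hub prefixes present, the two RFC 1918 destinations select the HQ hub and only 203.0.113.9 selects the SIG tunnel; with them absent, every destination matches nothing but the default and goes to the tunnel. When diagnosing a spoke that black-holes HQ traffic, the thing to check is therefore whether the hub's prefixes are actually present in the spoke's table, not the ordering of the default route.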

PhilipDAth
Kind of a big deal

I am very uncertain about all of this. I haven't played in this area yet. I could easily be wrong.

Brash
Kind of a big deal

So an update on this.

Meraki support and some pre-sales engineers confirmed that it is indeed a supported topology. It was found that there was some backend 'route summarization configuration' applied to the org that was not visible on the frontend.

Having support remove this backend configuration appeared to correct the routing when looking at the uplink decisions.

We'll be implementing the SIG tunnel again early next month with some users on-site to validate. I'll update here to confirm whether it is indeed fixed or not.
