Meraki

Community

Loss Internet after Site to Site VPN is up

Solved
Hudson_J
Conversationalist
‎Jan 30 2020 6:09 PM
‎Jan 30 2020 6:09 PM

Loss Internet after Site to Site VPN is up

Hi Guys, 

 

Maybe I didn't get the right configuration but after I setup a site to site tunnel between two MX over Internet, hosts sitting behind these two MX can't access Internet any more.

I can see remote site routes on both ends, and hosts can talk to each other. Just not sure where to configure to resume Internet access.

 

Thanks.

0 Kudos
1 Accepted Solution
In response to Hudson_J
Hudson_J
Conversationalist
‎Feb 3 2020 2:21 PM
‎Feb 3 2020 2:21 PM

Thank you guys for the input.

I've found it by following your thoughts. It's about the routes and mis-configuration of Exit Hub.

 

Thank you all.

View solution in original post

0 Kudos
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 30 2020 6:31 PM
‎Jan 30 2020 6:31 PM

If one of them is a spoke make sure you haven't select the default route option.

1.PNG

 

Under Security and SD-WAN/Site-To-Site-VPN make sure you have not defined any "Site-to-site outbound firewall" rules.

 

 

Failing that, can you ping by IP address, for example does "ping 8.8.8.8" work from a workstation?

If that works, can you ping using DNS, for example does "ping www.google.com" work from a workstation?

In response to PhilipDAth
Hudson_J
Conversationalist
‎Jan 30 2020 6:35 PM
‎Jan 30 2020 6:35 PM

Thanks for the reply, Philip.

The thing is we need a full mesh topology and all sites have their own Internet resource.

So there is no spoke site. And at each site I see more then one default routes.

One points to WAN uplink (Internet), others point to remote VPN sites. But I don't know how to remove the unnecessary ones.

And Site-to-Site outbound firewall has one default policy allowing everything.

0 Kudos
In response to Hudson_J
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 30 2020 6:38 PM
‎Jan 30 2020 6:38 PM

Using all hub sites is fine.

 

Have any of the sites got a static default route configured?  If so click on them and untick "Include in VPN".

0 Kudos
In response to PhilipDAth
Hudson_J
Conversationalist
‎Jan 30 2020 6:40 PM
‎Jan 30 2020 6:40 PM

No static route at this point, hosts are directly attached to MX.

0 Kudos
In response to Hudson_J
cmr
Kind of a big deal
Kind of a big deal
‎Jan 31 2020 1:29 AM
‎Jan 31 2020 1:29 AM

Under Security & SD-WAN got to the tab below and check which routes are advertised over the VPN, if your default route is here then change it to VPN off in the circled drop-down:

 

cmr_0-1580462948246.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Hudson_J
Hudson_J
Conversationalist
‎Feb 3 2020 2:21 PM
‎Feb 3 2020 2:21 PM

Thank you guys for the input.

I've found it by following your thoughts. It's about the routes and mis-configuration of Exit Hub.

 

Thank you all.

0 Kudos
In response to PhilipDAth
George01
New here
‎Feb 3 2020 10:56 PM
‎Feb 3 2020 10:56 PM

Helpful

I was also facing same issue but now it is fixed. 

Thank you.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.