MX 67 to MX 250 tunnel is up - can only ping one device on the remote network?

bill_berry32
Conversationalist


Hello Everyone,

 

We have an MX67 at a remote location with a working tunnel to an MX-250 at corporate.  The 67 is bound to a template that is working fine at many other locations.  Everything is green on VPN status.

 

The 67 shows several active IPs but only one (an old camera system) is pingable via the tunnel.  A PC there can access the internet but not anything via the tunnel.  We can ping the MX-250 from that PC but nothing past that.  We have rebooted the 67, unbound/rebound the template.  From corporate I can ping the VLAN interface but only the camera system IP.

 

Any ideas would be appreciated.  Thanks!

2 Replies
PhilipDAth
Kind of a big deal

Have you got any Meraki VPN firewall rules defined?

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Firewall_Rule_Behavior

 

Have the hosts at either end got a software firewall enabled (like Windows Firewall) that might be blocking the traffic?

 

Is the default gateway at each end the MX or is there some other L3 routing device involved in the design?

bill_berry32
Conversationalist

There are rules defined by the template but they are working at other sites.  It's a very simple rule set.

 

Firewall is turned off on all clients - even VOIP phones aren't pingable...

 

The clients are connected to an L2 switch but we bypassed it already and nothing changed.  We plugged one unpingable client directly into the Meraki and it still wouldn't ping.

 

At this point we are going to replace the client side device and re-provision.

 

I'll let you know what happens!

 

The one thing that made me smile is that the store manager refers to the MX67 as the Melarkey. 🙂
