MX100 communication problem with Active Directory

lmruiz
Comes here often

MX100 communication problem with Active Directory

Greetings,


I have my MX100 with another MX100 in Spare mode and I have proceeded to make the following configuration:
Wan 1: 172.20.2.0/24 ISP 100 MB
Wan 2: 192.168.0.0/16 ISP 300 MB

In these MX I have configured 2 lan:
- Id lan 1 External 192.168.51.0/24
- Id lan 20 Internal 192.168.52.0/24

I have configured the lan 20 output rules for Wan 1 and lan 1 for wan 2

Everything works perfectly, lan 20 communicates with the servers that are behind 172.20.2.0 and when I do speed test it shows me the 2 speeds of the routers according to which lan is connected.

The problem comes when I want to configure Active directory with Meraki, I go to SD-WAN> Active Directory and configure everything leaving the configuration like this:
Short domain Ip server Admin.domain password state
Contoso 172.20.2.X XXX XXXX XXXX accept

I find the groups, but the problem is when I want to save the configuration, I get the following error:

There have been errors when saving this configuration:
The IP address 172.20.2.X is not on a configured local subnet, nor a remote subnet on the VPN.


Can someone help me? 

 

 

Thanks so much!

8 REPLIES 8
jdsilva
Kind of a big deal

Yeh, that's an annoying one. You have a firewall rule configured with a subnet, the one in the error, that doesn't exist in the Addressing & VLANs page. Go modify or delete that firewall rule and this error will go away.

 

 

lmruiz
Comes here often

Greetings,


First of all, thank you for answering.

In rules of the firewall I have gone to I don't appear any rule configured in the matter, I leave capture so that you see the problem in the matter

fraca2.JPG

 

If anyone else can help me, I'd be very grateful.

jdsilva
Kind of a big deal

Oh shoot, sorry @lmruiz , that error can pop up in a few different ways. I didn't notice that it was complaining about your AD server. 

 

Is your AD server in a subnet attached to the MX? Or does the MX have a route to the destination if it's not attached?

 

lmruiz
Comes here often

The AD is at 172.20.2.20 (ip distributed by the AD) and users will connect to 192.168.52.0/24.

There are flow preference rules configured and I want users to log in by AD in meraki

jdsilva
Kind of a big deal

Is 172.20.2.20 in a subnet directly connected to the MX? Do you have an entry for that subnet in the Addressing & VLANs page?

lmruiz
Comes here often

the 172.20.2.20 is a subnet that enters through wan 1 and there is no rule defined for this in the section of SD-WAN--> Vlan and address.

jdsilva
Kind of a big deal

OK, this is the problem... Why is your AD server out an "Internet" port on the MX? It should be on the LAN side.

lmruiz
Comes here often

Should I change the ip to the AD and put one of the lanes on it?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels