Meraki

Community

MX100 communication problem with Active Directory

lmruiz
Comes here often
‎Mar 29 2019 5:35 AM
‎Mar 29 2019 5:35 AM

MX100 communication problem with Active Directory

Greetings,


I have my MX100 with another MX100 in Spare mode and I have proceeded to make the following configuration:
Wan 1: 172.20.2.0/24 ISP 100 MB
Wan 2: 192.168.0.0/16 ISP 300 MB

In these MX I have configured 2 lan:
- Id lan 1 External 192.168.51.0/24
- Id lan 20 Internal 192.168.52.0/24

I have configured the lan 20 output rules for Wan 1 and lan 1 for wan 2

Everything works perfectly, lan 20 communicates with the servers that are behind 172.20.2.0 and when I do speed test it shows me the 2 speeds of the routers according to which lan is connected.

The problem comes when I want to configure Active directory with Meraki, I go to SD-WAN> Active Directory and configure everything leaving the configuration like this:
Short domain Ip server Admin.domain password state
Contoso 172.20.2.X XXX XXXX XXXX accept

I find the groups, but the problem is when I want to save the configuration, I get the following error:

There have been errors when saving this configuration:
The IP address 172.20.2.X is not on a configured local subnet, nor a remote subnet on the VPN.


Can someone help me? 

 

 

Thanks so much!

0 Kudos
8 Replies 8
jdsilva
Kind of a big deal
‎Mar 29 2019 7:21 AM
‎Mar 29 2019 7:21 AM

Yeh, that's an annoying one. You have a firewall rule configured with a subnet, the one in the error, that doesn't exist in the Addressing & VLANs page. Go modify or delete that firewall rule and this error will go away.

 

 

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
lmruiz
Comes here often
‎Mar 31 2019 11:40 PM
‎Mar 31 2019 11:40 PM

Greetings,


First of all, thank you for answering.

In rules of the firewall I have gone to I don't appear any rule configured in the matter, I leave capture so that you see the problem in the matter

fraca2.JPG

 

If anyone else can help me, I'd be very grateful.

0 Kudos
In response to lmruiz
jdsilva
Kind of a big deal
‎Apr 1 2019 7:40 AM
‎Apr 1 2019 7:40 AM

Oh shoot, sorry @lmruiz , that error can pop up in a few different ways. I didn't notice that it was complaining about your AD server. 

 

Is your AD server in a subnet attached to the MX? Or does the MX have a route to the destination if it's not attached?

 

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
lmruiz
Comes here often
‎Apr 1 2019 7:46 AM
‎Apr 1 2019 7:46 AM

The AD is at 172.20.2.20 (ip distributed by the AD) and users will connect to 192.168.52.0/24.

There are flow preference rules configured and I want users to log in by AD in meraki

0 Kudos
In response to lmruiz
jdsilva
Kind of a big deal
‎Apr 1 2019 7:53 AM
‎Apr 1 2019 7:53 AM

Is 172.20.2.20 in a subnet directly connected to the MX? Do you have an entry for that subnet in the Addressing & VLANs page?

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
lmruiz
Comes here often
‎Apr 1 2019 7:56 AM
‎Apr 1 2019 7:56 AM

the 172.20.2.20 is a subnet that enters through wan 1 and there is no rule defined for this in the section of SD-WAN--> Vlan and address.

0 Kudos
In response to lmruiz
jdsilva
Kind of a big deal
‎Apr 1 2019 7:58 AM
‎Apr 1 2019 7:58 AM

OK, this is the problem... Why is your AD server out an "Internet" port on the MX? It should be on the LAN side.

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
lmruiz
Comes here often
‎Apr 1 2019 7:59 AM
‎Apr 1 2019 7:59 AM

Should I change the ip to the AD and put one of the lanes on it?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.