Meraki

tafilaj · ‎Apr 4 2019

Hi,

I have AutoVPN setup on 2 sites with MX100's

All is working as expected apart from one subnet on HUB site.

I had to connect the Lan of the MX on a existing network so usually on a Cisco ASA you set up Lan interface as /32 ip and route out to the gateway of the subnet connected but on MX when you set up the LAN as /32 it refuses and requires a /30 minimum subnet.

At this time i can access all Vlan's apart from the lan interface lan devices, I.e the server A, or any other device on 10.255.255.0/24.

Is there to make this work?

Kamome · ‎Apr 4 2019

So, you're going separate VPN and Internet traffic, right?
(VPN -> Meraki, Internet -> ASA)

Plus, "Cisco ASA you set up Lan interface as /32 ip" means you set up IP address for inside interface as /32?

PhilipDAth · ‎Apr 5 2019

I've deployed a lot of ASA's in my lifetime, and I've never configured an ASA LAN interface for a /32 and then added a static route to get to the rest of the subnet.

Why would you want to do this? Why wouldn't you use a subnet to match the existing vlan you are plugging into, weather it be a /29, /24 or whatever?

tafilaj · ‎Apr 16 2019

Hi Philip,

Thank you for taking your time to comment.
The issue I had was that traffic was not getting back to the MX, so needed to find another way to make this work.
But after some investigation it was found that server was getting the packed but replying via the default gateway and that was the ASA.
ASA was dropping the packet.
Asymmetric routing was happening.
Had to configure tcp-state-bypass on the ASA to permit this subnet to talk to VPN subnet via ASA.
All is working for TCP and UDP traffic. ICMP is still not working but i will take it.
What I should of done is connect the MX on its own Vlan.

Never rely on ASA to be a router 🙂

Meraki

Community

MX250 LAN set as /32

MX250 LAN set as /32