MX400 Client VPN unable to ping other IPs

JamesHarrris

I have an MX400 which has a working Client VPN setup with AD auth. I've recently had to change it from "routed" to "passthrough" to go through a separate upstream router/firewall (Fortigate). Every other function is working but for the Client VPN. I can connect, but am then unable to ping any other IP on the network, never mind accessing resources.

I have assigned a static IP to the MX400, a Client VPN subnet in a different range from the LAN, and as I say, everything else is working as intended, eg. wifi, incoming connections, web access, SIP phones, etc. If I switch back to "routed", the Client VPN works again. I have no Layer 3 firewall rules.

Am I missing a setting on the MX400? All documentation points to the Client VPN in passthrough mode being fine. I'm assuming that once connected to the VPN, everything is "inside" the network, so I wouldn't need any more firewall rules on the Fortigate. Is this wrong?

(I appreciate a pcap might help, but I have no opportunity to do this at the moment as I need the VPN working, so sorry if that's the only way to progress)

With reference to this post:

https://community.meraki.com/t5/Security-SD-WAN/Client-VPN-don-t-ping-any-local-IP/m-p/43209#M10944

I have tried unsuccessfully from two separate clients (an Android tablet and a Windows 10 PC, both working fine when in "routed")

The LAN subnet is 10.a.x.x/16, the Client VPN subnet is 10.b.x.x/16, again, working fine in "routed".

There are no VLANs.

ww

Does your upstream firewall have a route back to the MX for the client VPN subnet?

Thank you for replying. It doesn't, but as I said, I assumed that once connected, the upstream firewall was effectively bypassed. I'm obviously confused about this. Should this rule be incoming or outgoing? What source or destination? I have a general web access rule for the LAN, which I've expanded to include the VPN subnet, but the LAN subnet isn't mentioned in any other rule.

I feel stupid, because you've made me realise I never looked at Help -> Firewall info whilst in passthrough mode.

ww

I don't really understand how your setup was before. Because moving the MX from routed mode to passthrough, you lose all VLANs and routing on the MX. Only the WAN1 interface can do some routing.

So you would need to set a route for the VPN subnet to that WAN1 interface address.

https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian...

The setup is (to me) simple. A client on the internet connects to the MX Client VPN to use resources on the LAN. Previously the MX was the router/gateway/firewall. Now the connection comes through a Firewall (now the gateway for the LAN) which has rules to direct VPN (UDP 500, 4500) traffic to the MX, and the connection is made successfully, but with no ability to ping any device, internal or external.

Because these connections are inbound, and have already made it past the firewall, I don't understand why I'd need to include any more firewall rules. The VPN subnet has rules to allow external access, but even without this, I should be able to ping, eg. the MX when connected to the VPN, shouldn't I? I can't.

If I need to add a static route to enable the VPN traffic to get to those devices, where do I add it? I can't do this on the MX in passthrough mode.

I've managed to fit in a test this morning, and couldn't get a connected VPN to register any data on the MX packet capture tool. The Help -> Firewall info page didn't show me any firewall rules that I don't already have in place.

I think that the step I'm missing is static routing on the Fortigate, that would normally be handled by the MX in routed mode. Does this sound right?

ww

Yes, you need to add a static route on the Fortigate. Like: route <client vpn subnet> <meraki mx ip>

Again, thanks for clarifying this. Unfortunately I couldn't add a static route to the MX (10.222.0.255). The Fortigate said it would be unreachable, as it wasn't in the subnet of the LAN interface (198.18.209.107/29).

I tried adding policy routes instead for the Client VPN subnet; one on the LAN interface for LAN traffic to the LAN subnet, and one on the WAN interface for 0.0.0.0/0 for internet. I was then unable to connect to the VPN at all. The MX event log showed an incoming connection, but I think it was unable to relay anything back to the client to confirm.

I really am in the dark, and the ISP support is not responding at the moment. The Fortigate logs show nothing at all; I think they've been disabled by the ISP.

The MX and the Fortigate MUST share at least one subnet in common - otherwise how is the MX getting to the Internet? Whatever that IP address is on the MX - the static route needs to be via that.

Whatever is the default gateway for the MX400 will need a route for the client VPN pointing to the MX.

If that happens to be the other firewall, then it may also need firewall rules to allow the traffic in and out the same interface (not enough information to give an answer here).

Check what the firewall says it is blocking.
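A worked FortiOS CLI configuration for what the two replies above describe: a static route for the client VPN subnet whose next hop is the MX's address on the /29 it shares with the Fortigate, plus firewall policies that allow LAN and VPN traffic in and out of the same interface, followed by the commands to verify the route and watch the policy engine. This is an added example, not code from the thread, from Meraki or from Fortinet documentation. The interface name port2, the MX WAN1 address 198.18.209.106, and the 10.10.0.0/16 LAN and 10.20.0.0/16 client VPN ranges are assumed stand-ins for the thread's 10.a.x.x and 10.b.x.x; the Fortigate address 198.18.209.107/29 is the one the original poster gave.

```fortios
# Added example (not from the thread). Assumed values:
#   port2            = Fortigate interface on the 198.18.209.104/29 segment shared with the MX
#   198.18.209.106   = MX400 WAN1 address on that segment (assumption; the next hop must be on-link)
#   10.10.0.0/16     = LAN segment bridged through the passthrough MX (stand-in for 10.a.x.x)
#   10.20.0.0/16     = Client VPN pool                               (stand-in for 10.b.x.x)

# 1. Return route: packets for VPN clients must go back to the MX, not out the default route.
#    The gateway has to be an address inside port2's own subnet; 10.222.0.255 is not,
#    which is why the GUI reported it as unreachable.
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set gateway 198.18.209.106
        set device "port2"
    next
end

# 2. Address objects used by the policies below.
config firewall address
    edit "LAN_10.10.0.0_16"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "ClientVPN_10.20.0.0_16"
        set subnet 10.20.0.0 255.255.0.0
    next
end

# 3. Hairpin policies: LAN hosts use the Fortigate as their gateway, so LAN<->VPN traffic
#    enters and leaves on the same interface and needs an explicit accept, with NAT off
#    so the VPN client sees the real LAN source address.
config firewall policy
    edit 0
        set name "LAN-to-ClientVPN"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "LAN_10.10.0.0_16"
        set dstaddr "ClientVPN_10.20.0.0_16"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "ClientVPN-to-LAN"
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "ClientVPN_10.20.0.0_16"
        set dstaddr "LAN_10.10.0.0_16"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# 4. Verify: the lookup for a VPN client address should now resolve to 198.18.209.106
#    via port2 rather than to the default route.
get router info routing-table details 10.20.0.10

# 5. While a VPN client (here 10.20.0.10) pings a LAN host, trace what the policy
#    engine does with each packet, including any drop reason.
diagnose debug flow filter addr 10.20.0.10
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
```

Read the step 5 trace before changing anything else. If it shows the LAN host's replies being dropped because no session exists, the Fortigate is seeing only half of the conversation (the MX delivered the request on the bridged segment, and only the reply transits the Fortigate), which is asymmetric routing; FortiOS has `set asymroute enable` under `config system settings` for that case, at the cost of stateful tracking on that VDOM, so treat it as a diagnosis aid rather than a fix. If the route lookup in step 4 still returns the default route, the static route was not accepted, and the gateway address is the first thing to recheck.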

Brash

I'm with @ww , this smells like a routing issue.
