MX400 Default route towards LAN

Stoerfaktor
Here to help


For a customer we have built a Hub&Spoke VPN, but the customer has to use the internet access of the parent company. Therefore we installed a static default route on the hub (MX400) towards the customer. However, it seems that the default route does not work, as all the spokes are unable to reach sites in the internet.


For testing purposes and as a workaround, we have started to add a bunch of static routes for destinations in the internet on the MX400, and those destinations can be reached by the spokes. It seems it is only the default route that is not working. And yes, I checked that the spokes are using the default route to the hub 🙂


Does anyone else have experience with this? Is it not possible to use a default route towards LAN?

ww
Kind of a big deal

You advertise the default route at MX400 into VPN?

Try unchecking default route at the spoke config

Stoerfaktor
Here to help


@ww wrote:

You advertise the default route at MX400 into VPN?

Try unchecking default route at the spoke config


We tried to advertise the static default route as well (which should not be necessary), but it did not make any difference.

PhilipDAth
Kind of a big deal

If you do a packet capture on the MX400 LAN, do you see the traffic arriving from the spokes? If so - the issue is upstream (check they have routes for your spokes, firewall rules allow it, etc). If not, you have an issue on the Meraki side.

Stoerfaktor
Here to help


@jdsilva @cmr

You cannot put a default route with a next hop reached via a LAN port. That will break the MX completely as it interferes with the WAN port reaching the cloud. If the WAN port can't reach the cloud then the MX doesn't forward traffic. It will also interfere with AutoVPN and establishing tunnels.



You can install a default route towards LAN, and AutoVPN will work fine. Also, cloud reachability is AFAIK not influenced by static routes. I assume there is an internal routing for the cloud ranges that overrides anything you configure in the dashboard. I tried to static route the ranges of the Meraki cloud towards LAN in the lab, and the MX happily ignores them and sends the traffic out over WAN. 🙂


If you do a packet capture on the MX400 LAN, do you see the traffic arriving from the spokes? If so - the issue is upstream (check they have routes for your spokes, firewall rules allow it, etc). If not, you have an issue on the Meraki side.


The packet capture shows the packets arriving on the MX400 and leaving on the LAN port, but we never get a reply back. As soon as I enter a static route for a prefix, that prefix suddenly seems to work. However, I have not yet been able to run packet captures with that to verify that the replies actually come back over LAN. Perhaps we have some asymmetric routing going on and haven't noticed it yet. I will follow up on this as soon as I get hold of the customer for some tests.
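
One way to check the asymmetric-return suspicion above from a LAN-side capture, as an added example that is not part of the thread or of Meraki's tooling: the script below reads tcpdump-style summary lines and lists flows from the spoke prefix that sent a SYN but never saw a reply, which is what a missing upstream return route looks like. The spoke prefix 10.10.0.0/16 and the capture lines are constructed for illustration.

```python
"""Flag one-way TCP flows in a text packet capture (constructed example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of tcpdump-style output as seen on the hub's LAN port.
# 10.10.0.0/16 stands in for the spoke networks (assumption); the public
# addresses are documentation ranges standing in for Internet hosts.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 10.10.1.20.51000 > 203.0.113.10.443: Flags [S]
10:00:01.050 IP 10.10.1.20.51000 > 203.0.113.10.443: Flags [S]
10:00:02.000 IP 10.10.2.7.51001 > 198.51.100.5.443: Flags [S]
10:00:02.010 IP 198.51.100.5.443 > 10.10.2.7.51001: Flags [S.]
10:00:02.020 IP 10.10.2.7.51001 > 198.51.100.5.443: Flags [.]
10:00:03.000 IP 10.10.1.20.51002 > 203.0.113.11.80: Flags [S]
"""

# Matches "IP a.b.c.d.port > e.f.g.h.port: Flags [..]"; the greedy address
# group backtracks so the last dotted component becomes the port.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) tuples for every parsable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def one_way_flows(text, local_prefix):
    """Return sorted (src, sport, dst, dport) flows from local_prefix whose SYN
    never got any packet back. Repeated SYNs collapse into one entry."""
    local = ipaddress.ip_network(local_prefix)
    syns, replied = set(), set()
    for src, sport, dst, dport, flags in parse_capture(text):
        if ipaddress.ip_address(src) in local and flags == "S":
            syns.add((src, sport, dst, dport))
        elif ipaddress.ip_address(dst) in local:
            # Any packet towards the spoke proves the return path works.
            replied.add((dst, dport, src, sport))
    return sorted(syns - replied)


def unanswered_by_destination(text, local_prefix):
    """Count unanswered flows per Internet destination (spots missing routes)."""
    counts = defaultdict(int)
    for _, _, dst, _ in one_way_flows(text, local_prefix):
        counts[dst] += 1
    return dict(counts)
```

If every destination shows unanswered flows while the ones you added static routes for do not, the replies are being sent somewhere other than the hub's LAN port.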
jdsilva
Kind of a big deal

Sorry, maybe I misunderstand, but are you just trying to do a full tunnel from the spoke to the hub? You can do that in the site to site VPN settings:


[screenshot omitted: jdsilva_0-1599165514294.png]


You cannot put a default route with a next hop reached via a LAN port. That will break the MX completely as it interferes with the WAN port reaching the cloud. If the WAN port can't reach the cloud then the MX doesn't forward traffic. It will also interfere with AutoVPN and establishing tunnels.


The above isn't true and I misspoke.


cmr
Kind of a big deal

As @jdsilva says, you cannot simply default route to the LAN. Your options are to either make the hub a single-arm concentrator, where it sits inside the main site rather than on the edge and all traffic uses the WAN1 port, or to use a web proxy and point all devices to that.

kn-kimura
Here to help

Is the return route to the spoke site configured on the next hop device?


You might want to check it out on the traceroute!

Tom_Shelton
Meraki Employee

There may be a way... but it depends on whether you want to run beta.


https://documentation.meraki.com/MX/Networks_and_Routing/Source_Based_Default_Routing


Tom

Technical Solutions Architect, Meraki
CCIE #67185