[MX64] - Cannot ping or ssh to end device (via Anyconnect)
Setup:
- MX64 in Routed mode.
- AnyConnect installs a route to a specific mgmt VLAN.
- Server is connected to the WAN LAN port, which is configured as an access port on the Meraki side.
Issue:
When I am successfully connected to the MX via AnyConnect, I try to ping and ssh to the server, but it times out.
Is there something basic missing here? I am under the impression that once the MX installs the route onto the client machine, all comms should be opened up, it being a trustworthy inbound connection.
Are you sure that the server is connected to the WAN port? If yes, the VPN client cannot communicate with the WAN port; you need to move the server to a LAN port.
Please, if this post was useful, leave your kudos and mark it as solved.
Apologies, well spotted! It was a typo. The server is connected to a LAN port.
OK, does your server have an internal firewall?
Please, if this post was useful, leave your kudos and mark it as solved.
Actually it's a switch, no FW on there. Are the clients allowed to communicate with connected end devices? I don't have any L3/L7 FW rules or forwarding rules configured yet.
No no, I'm talking about the server. Is it Linux, Windows, etc.?
Please, if this post was useful, leave your kudos and mark it as solved.
My bad. I should have said: it's a switch, not a server. A directly connected switch.
Have you configured a default gateway IP on the switch? If you are allowing the specific subnet on AnyConnect and have no firewall rule to block it, it should work.
Please, if this post was useful, leave your kudos and mark it as solved.
Yes, the default GW is configured as the Meraki's IP on that LAN access port. Actually, the IP of the switch is up/up, and when I log onto the switch locally it CAN ping the firewall's IP, but it cannot ping the VPN client (currently connected). The pings from the client to the switch do not work either.
Can you share your VPN Client configuration and Firewall rules? Do you have any group policy configured?
Please, if this post was useful, leave your kudos and mark it as solved.
No group policy.
No group policy. It's fresh off the box.
If possible, share the VPN client configuration too 😅
Please, if this post was useful, leave your kudos and mark it as solved.
Is the switch able to get to the Internet? Can it ping 8.8.8.8?
Can the MX ping the switch?
If it is a Cisco switch, does it have an access restriction (under line vty ...) that limits access to the local LAN?
Does the switch have the correct subnet mask? The AnyConnect pool and the switch subnet need to be unique, and the mask be correct so that the switch knows it needs to route packets via the MX.
Gents,
Your help is much appreciated. There was a missing default route on the switch for traffic to be sent back! Simple things in life are often ignored. My bad.
Matter closed.
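The checks in the previous reply and the resolution above (a return route on the L3 switch, a correct mask, and a client pool that does not overlap the switch's VLAN), modelled as an added example that is not from the thread; the addresses are assumed placeholders, and the lookup is a plain longest-prefix match written for illustration, not Meraki or switch code:

```python
"""Model of the L3 switch's return path for AnyConnect clients.
Constructed example: the LAN subnet, MX LAN IP and AnyConnect pool
below are placeholders, not the thread's real addressing."""
import ipaddress

# Assumed addressing (placeholders chosen for this illustration)
LAN_SUBNET = "10.10.20.0/24"       # switch mgmt VLAN on the MX LAN access port
MX_LAN_IP = "10.10.20.1"           # MX address on that VLAN, the switch's gateway
ANYCONNECT_POOL = "10.10.99.0/24"  # client pool the MX hands out
VPN_CLIENT = "10.10.99.5"          # one connected client

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)], None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        prefix = ipaddress.ip_network(prefix)
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best

def reply_path(table, client_ip=VPN_CLIENT):
    """How the switch would send its reply: 'connected' (ARP on the VLAN),
    the next-hop IP it would route via, or None when the reply is dropped."""
    route = lookup(table, client_ip)
    if route is None:
        return None
    return "connected" if route[1] is None else route[1]

def pool_overlaps_lan(pool=ANYCONNECT_POOL, lan=LAN_SUBNET):
    """The client pool and the switch subnet must not overlap."""
    return ipaddress.ip_network(pool).overlaps(ipaddress.ip_network(lan))

# Switch as first configured: only its connected VLAN, no default route.
BEFORE = [(LAN_SUBNET, None)]
# After the fix: default route pointing at the MX.
AFTER = BEFORE + [("0.0.0.0/0", MX_LAN_IP)]
# Wrong mask: a /16 swallows the pool, so the switch ARPs for the client
# on the VLAN instead of routing via the MX, and the reply never leaves.
WRONG_MASK = [("10.10.0.0/16", None), ("0.0.0.0/0", MX_LAN_IP)]

if __name__ == "__main__":
    print("no default route:", reply_path(BEFORE))      # None, reply dropped
    print("default via MX:  ", reply_path(AFTER))       # 10.10.20.1
    print("wrong mask:      ", reply_path(WRONG_MASK))  # connected (ARP fails)
    print("pool overlaps LAN:", pool_overlaps_lan())    # False
```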
So, do you have a layer 3 switch too? It explains a lot. 😅
Please, if this post was useful, leave your kudos and mark it as solved.
Yup, an L3 switch.