Setup:
- MX64 in Routed mode.
- AnyConnect installs a route to a specific mgmt VLAN.
- The server is connected to a WAN LAN port, which is configured as an Access port on the Meraki side.

Issue:
When I am successfully connected to the MX via AnyConnect, I try to ping + SSH to the server, but it times out.
Is there something basic missing here? I am under the impression that once the MX installs the route onto the client machine, all comms should be opened up, it being a trustworthy inbound connection.
Are you sure that the server is connected to the WAN port? If yes, the VPN client cannot communicate with the WAN port; you need to move the server to a LAN port.
Apologies, well spotted! It was a typo. The server is connected to a LAN port.
OK, does your server have an internal firewall?
Actually it's a switch. No FW on there. Are the clients allowed to communicate with connected end devices? I don't have any L3/L7 FW rules or forwarding rules configured yet.
No no, I'm talking about the server. Is it Linux, Windows, etc.?
My bad. I should have said: it's a switch, not a server. A directly connected switch.
Have you configured a default gateway IP on the switch? If you are allowing the specific subnet on AnyConnect and have no firewall rule to block it, it should work.
Yes. The default GW is configured as the Meraki's IP on that LAN access port. Actually the IP of the switch is up/up, and when I log onto the switch locally, it CAN ping the firewall's IP, but it cannot ping the VPN client (currently connected). And the pings from the client to the switch do not work either.
Can you share your VPN client configuration and firewall rules? Do you have any group policy configured?
no group policy.
No group policy. It's fresh off the box.
If possible, share the VPN client configuration too 😅
Is the switch able to get to the Internet? Can it ping 8.8.8.8?
Can the MX ping the switch?
If it is a Cisco switch, does it have an access restriction (under line vty ...) that limits access to the local LAN?
Does the switch have the correct subnet mask? The AnyConnect pool and the switch subnet need to be unique, and the mask must be correct so that the switch knows it needs to route packets via the MX.
Gents,
Your help is much appreciated. There was a missing default route on the switch for traffic to be sent back! Simple things in life are often ignored. My bad.
Matter closed.
So, do you have a layer 3 switch too? It explains a lot. 😅
Yup. An L3 switch.
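The root cause in this thread is the switch's return path: the client's packets reach the switch via the MX, but the switch has no route for the AnyConnect pool, so its replies are dropped. The model below is an added example, not code from the thread, Cisco or Meraki. It implements a small longest-prefix-match routing table and contrasts a layer-2 switch (which sends off-subnet traffic to its configured default gateway) with a layer-3 switch, where only the routing table counts and the default-gateway setting is ignored once IP routing is on (this is Cisco IOS behaviour; treat it as an assumption for other vendors). All addresses are constructed for illustration.

```python
"""Added example, not code from the thread or from Cisco/Meraki: a small model of
the switch's return-path decision that reproduces the failure described above.

All addresses are constructed for illustration:
  mgmt VLAN 10.10.10.0/24, MX LAN IP 10.10.10.1, switch SVI in that VLAN,
  AnyConnect pool 192.168.200.0/24 with a connected client at 192.168.200.5.
"""
import ipaddress
from typing import Optional

MGMT_VLAN = ipaddress.ip_network("10.10.10.0/24")   # constructed
MX_LAN_IP = "10.10.10.1"                            # constructed
VPN_CLIENT = "192.168.200.5"                        # constructed (AnyConnect pool address)


class RoutingTable:
    """Routes stored as (prefix, next_hop); next_hop is None for a connected subnet."""

    def __init__(self) -> None:
        self.routes: list = []

    def add(self, prefix: str, next_hop: Optional[str] = None) -> None:
        nh = ipaddress.ip_address(next_hop) if next_hop else None
        self.routes.append((ipaddress.ip_network(prefix), nh))

    def lookup(self, dst: str):
        """Longest-prefix match; returns (prefix, next_hop) or None when no route exists."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


class Switch:
    """A switch with one SVI in the mgmt VLAN.

    ip_routing=False models a layer-2 switch: off-subnet traffic goes to
    default_gateway. ip_routing=True models the layer-3 case (Cisco IOS
    behaviour, assumed here for other vendors): only the routing table is
    consulted and the default-gateway setting is ignored.
    """

    def __init__(self, ip_routing: bool, default_gateway: Optional[str] = None) -> None:
        self.ip_routing = ip_routing
        self.default_gateway = default_gateway
        self.table = RoutingTable()
        self.table.add(str(MGMT_VLAN))          # connected mgmt VLAN

    def add_static_route(self, prefix: str, next_hop: str) -> None:
        self.table.add(prefix, next_hop)

    def reply_next_hop(self, dst: str) -> Optional[str]:
        """Where the switch sends its ping/SSH reply: 'connected', a next-hop IP,
        or None, meaning the reply is dropped because there is no route."""
        addr = ipaddress.ip_address(dst)
        if not self.ip_routing:
            if addr in MGMT_VLAN:
                return "connected"
            return self.default_gateway
        route = self.table.lookup(dst)
        if route is None:
            return None
        _prefix, next_hop = route
        return "connected" if next_hop is None else str(next_hop)


def as_posted() -> Switch:
    """L3 switch with only a default gateway set, as in the thread before the fix."""
    return Switch(ip_routing=True, default_gateway=MX_LAN_IP)


def after_fix() -> Switch:
    """Same switch after adding the default route that was missing."""
    sw = as_posted()
    # Equivalent of 'ip route 0.0.0.0 0.0.0.0 10.10.10.1' on IOS (constructed next hop).
    sw.add_static_route("0.0.0.0/0", MX_LAN_IP)
    return sw


if __name__ == "__main__":
    for label, sw in (("as posted", as_posted()), ("after fix", after_fix())):
        print(f"{label}: reply to MX -> {sw.reply_next_hop(MX_LAN_IP)}, "
              f"reply to VPN client -> {sw.reply_next_hop(VPN_CLIENT)}")
```

Running it shows the symptom from the thread exactly: in the "as posted" state the switch can reply to the MX (connected subnet) but has no route back to the VPN client, so both ping directions fail even though the client's packets arrive; adding the default route makes the reply leave via the MX.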