[MX64] - Cannot ping or ssh to end device (via Anyconnect)

mpat
Here to help

[MX64] - Cannot ping or ssh to end device (via Anyconnect)

setup :

- MX64 in Routed mode.

- Anyconnect installs route to a specific mgmt vlan. 

- server is connected to WAN LAN port, which is configured as Access port on Meraki side.

 

issue:

When I am successfully connected to the MX, via Anyconnect, I am trying to ping + ssh to the server. But it times out.

 

Is there something basic missing here ? I am under the impression that once MX installs the route onto client machine, all comms should be opened up - it being a trustworthy inbound connection.

16 REPLIES 16
alemabrahao
Kind of a big deal
Kind of a big deal

Are you sure that the server Is connected to the WAN port? If yes, you cannot communicate the VPN client to the WAN port, you need to change the server to a LAN port.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

apologies. well spotted ! It was a typo. the server is connected to a LAN port.

alemabrahao
Kind of a big deal
Kind of a big deal

ok, Does your server has an internal firewall?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
mpat
Here to help

actually its a switch. no FW on there. Are the clients allowed to communicate with connected end devices ? I don't have any L3/L7 FW rules or forwarding rules configured. yet. 

alemabrahao
Kind of a big deal
Kind of a big deal

No no, I talk about the server. Is It Linux, Windows, etc?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

My bad. I should have said - its a switch, not a server. directly connected switch. 

alemabrahao
Kind of a big deal
Kind of a big deal

Have you configured Default Gateway IP on the switch? If you are allowing the specific subnet on Anyconnect and have no firewall rule to block It, It should work.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

yes. the default GW is configured as Meraki's IP on that LAN access port.  actually the IP of the switch is up/up. and when I log onto the switch locally, it CAN ping Firewall's IP. but it cannot ping the VPN client (currently connected). and the pings from client to switch do not work either. 

alemabrahao
Kind of a big deal
Kind of a big deal

Can you share your VPN Client configuration and Firewall rules? Do you have any group policy configured?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

no group policy. 

Screenshot 2022-10-18 at 13.22.36.png

mpat
Here to help

No group policy. its fresh off the box.

alemabrahao
Kind of a big deal
Kind of a big deal

If possible, share the VPN Client configuration to 😅

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

Is the switch able to get to the Internet?  Can it ping 8.8.8.8?

 

Can the MX ping the switch?

 

If it is a Cisco switch, does it have an access restriction (under line vty ...) that limits access to the local LAN?

 

Does the switch have the correct subnet mask?  The AnyConnect pool and the switch subnet need to be unique, and the mask be correct so that the switch knows it needs to route packets via the MX.

mpat
Here to help

Gents, 

Your help much appreciated. There was a missing default route on the switch for traffic to be sent back ! simple things in life are often ignored. My bad. 
Matter closed.

alemabrahao
Kind of a big deal
Kind of a big deal

So, do you have a layer 3  switch too? it explains a lot. 😅

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
mpat
Here to help

yup. A L3 switch. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels