MX67C no auto VPN over LTE/4G

Solved
Mamba123
Getting noticed

Hello, community,

I have a little problem.

I've got two MX67Cs, one is the hub and the other is the spoke. Everything works perfectly, and all networks are also visible in the VPN.

Now the problem.

On the spoke MX I use the built-in LTE modem as a backup line. The LTE line is also connected.

WAN1 status via cable shows active and LTE shows ready.

Everything is working. But as soon as I simulate a failure of WAN1 by pulling the cable out of WAN1, the dashboard and the internet run over LTE.

But VPN remains disconnected, the VPN routes are shown as red and the VPN connection between the two MX is not established.

When I plug the cable into WAN1 again, VPN is established and the VPN routes turn green.

Why is VPN over LTE not established?

The dashboard and internet over LTE are working.

Here are the data from the MX:

MX67C-WW
Firmware 14.42

Thanks.

1 Accepted Solution
Mamba123
Getting noticed

Hi, Phil,

Thanks for your message. I spoke with the ISP and he confirmed that we got a wrong SIM card where the VPN functionality is not enabled. Now they want to send me another card.

Thank you.

DensyoV
Meraki Employee

Hi,

A quick packet capture on the cellular interface of the MX and the WAN interface of the hub should reveal whether the devices are sending UDP packets to build the auto-VPN. A successful connection should show bidirectional or two-way UDP traffic between the peers. If you see unidirectional traffic only on either or both peers, then the traffic is being dropped or filtered upstream. Service providers use CGNAT (carrier-grade NAT) in cellular deployments, which is known to cause issues with auto-VPN connections due to how this is implemented.

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.
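
The capture check described in the reply above, as an added example that is not part of the original thread or any Meraki tooling: it reads a capture exported as `tcpdump -nn` text and reports whether each UDP flow is bidirectional or one-way. The addresses, ports and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` text format. Addresses and ports are
# made up; they are not real auto-VPN endpoints or ports.
SAMPLE = """\
12:00:01.000100 IP 100.64.12.7.41234 > 203.0.113.10.40001: UDP, length 68
12:00:02.000100 IP 100.64.12.7.41234 > 203.0.113.10.40001: UDP, length 68
12:00:03.000100 IP 100.64.12.7.41234 > 203.0.113.10.40001: UDP, length 68
12:00:03.500000 IP 192.0.2.20.50000 > 203.0.113.10.40001: UDP, length 68
12:00:03.520000 IP 203.0.113.10.40001 > 192.0.2.20.50000: UDP, length 68
12:00:04.000000 IP 192.0.2.20.443 > 203.0.113.10.51515: Flags [P.], length 9
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length \d+"
)

def udp_flow_directions(capture_text):
    """Count UDP packets per sender for each unordered pair of endpoints."""
    flows = defaultdict(lambda: defaultdict(int))
    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip anything that is not IPv4 UDP
        src = (m.group(1), int(m.group(2)))
        dst = (m.group(3), int(m.group(4)))
        flows[tuple(sorted((src, dst)))][src] += 1
    return flows

def classify(capture_text):
    """Label each flow 'bidirectional' or 'unidirectional from <sender>'."""
    result = {}
    for (a, b), counts in udp_flow_directions(capture_text).items():
        if counts[a] and counts[b]:
            result[(a, b)] = "bidirectional"
        else:
            sender = a if counts[a] else b
            result[(a, b)] = f"unidirectional from {sender[0]}:{sender[1]}"
    return result

if __name__ == "__main__":
    for (a, b), verdict in classify(SAMPLE).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}: {verdict}")
```

Run it on the capture from each side separately: behind NAT the spoke's address and port differ between the two captures, so flows are matched per capture rather than across them.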
Mamba123
Getting noticed

Hello,

I opened a ticket at Meraki and the Meraki technician did exactly what you wrote. He pulled traces from both sides and he only sees unidirectional traffic. He also told me to talk to my ISP.

Thanks again for your message.

BR
Mamba

PhilipDAth
Kind of a big deal

This is typically because the APN being used blocks inbound UDP traffic.

Your cellular data provider might have some other APNs you can use that don't block the traffic.
