Meraki

Community

Meraki MX to MX VPN not working over Global Roaming Cellular

lawrencedecosta
Conversationalist
‎Mar 20 2023 7:27 PM
‎Mar 20 2023 7:27 PM

Meraki MX to MX VPN not working over Global Roaming Cellular

Ive got MX's located overseas eg Vietnam, Thailand, Singapore.  Im using a Global Roaming SIM with its parent carrier based in HK (hence all internet traffic comes out of the HK gateway).

 

The cellular backup for Meraki management traffic and direct internet traffic works fine with the Global Roaming SIM, but the moment we try to launch Meraki VPN, it fails as if something in the Global Roaming path is blocking it.

 

Global Roaming does create carrier to carrier tunnels I think and that may reduce the payload MTU and MAY interfere with VPN.. 

Also, the MTU size selection in Meraki is not selectable for Cellular WAN interface so we could not reduce MTU.

 

Does anybody know if a local SIM works in Asian countries for cellular Meraki VPN ?

Has anybody else seen this problem before and what did you end up doing ?

 

Thanks

Labels:
0 Kudos
3 Replies 3
jbright
A model citizen
‎Mar 20 2023 7:56 PM
‎Mar 20 2023 7:56 PM

Meraki TAC can manipulate the MTU on MX interfaces.

You will need to open a case with TAC and ask them to change it.

I have had to do this in the past on an old DSL circuit that needed a lower MTU

in order for the site-to-site VPN tunnel to work over it.

 

0 Kudos
In response to jbright
lawrencedecosta
Conversationalist
‎Mar 20 2023 8:09 PM
‎Mar 20 2023 8:09 PM

Thanks jbright, but in this case, we needed the MTU change on the Cellular interface and the TAC said that MTU reduction on cellular was not possible  ie only on terrestrial /Ethernet WAN interfaces...   dont know why this is the case, whether its because the OEM 4G MOdule on the Meraki MX67C is not flexible etc etc ...    Thanks so much for your input though...

0 Kudos
GreenMan
Meraki Employee
Meraki Employee
‎Mar 21 2023 6:34 AM
‎Mar 21 2023 6:34 AM

Carrier Grade NAT may be playing a role here, too - running pcaps at both ends can reveal if the mobile carrier is manipulating ports in a way that fools the UDP punch process.   Switching to Manual NAT traversal at the Hub end, choosing a UDP port between 1025 and 32768, but avoiding 4500 may help.   More on setting this up here:  https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.