Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Meraki external route not working.

Rsharma
Comes here often
‎Dec 9 2021 1:05 AM
‎Dec 9 2021 1:05 AM

Meraki external route not working.

I have a FortiGate firewall in front of my Meraki MX appliance. FortiGate has site to site IPSEC tunnel with one of our DC and Meraki is the Hub for auto VPN setup for my other sites. i am getting some routes through Firewall IPSEC and those subnets are reachable through Meraki Hub. but when i advertise those learned routes into auto VPN my spokes cant reach those subnets though. when i try to trace these subnets instead of taking me to the auto VPN route shows it is taking the default route. is there any advise?

 

reachability though MX Auto VPN Hub.

Rsharma_0-1639040602324.png

 

Route being recieved on spoke via auto VPN. 

Rsharma_1-1639040675108.png

 

no reachability from spoke LAN switch.

 

Rsharma_2-1639040707592.png

 

 

 

 

0 Kudos
Subscribe
7 Replies 7
rhbirkelund
Kind of a big deal
‎Dec 9 2021 1:21 AM
‎Dec 9 2021 1:21 AM

Is the Fortigate IPSec tunnel is terminated on the same MX that is working as Hub in AutoVPN? If so, Meraki unfortunately does not support routing between Third-Party VPN and AutoVPN.

It you need to route between Spokes sites on Meraki AutoVPN and the Non-Meraki VPN, you'll need an extra MX.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
Subscribe
In response to rhbirkelund
Rsharma
Comes here often
‎Dec 9 2021 1:46 AM
‎Dec 9 2021 1:46 AM

@rhbirkelund remote tunnels are terminated on the fortiGate. MX only has auto VPN tunnels and routes to reach remote subnets pointed towards fortiGate. 

0 Kudos
Subscribe
ww
Kind of a big deal
Kind of a big deal
‎Dec 9 2021 1:26 AM
‎Dec 9 2021 1:26 AM

Is the spoke lan switch/ip from a vlan (management vlan?) that is selected to be in the autovpn?

0 Kudos
Subscribe
In response to ww
Rsharma
Comes here often
‎Dec 9 2021 1:46 AM
‎Dec 9 2021 1:46 AM

@ww yes switch IP belongs to management subnet which is routed into autoVpn. 

0 Kudos
Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
‎Dec 9 2021 2:23 AM
‎Dec 9 2021 2:23 AM

Can you draw a picture with some example networks?

And have you the NAT-Exemption enabled for the MX?

At least when the Fortigate is in front of the MX, all traffic flowing to the Fortinet would be NATed by default which can cause problems and make this really complex.

I would put the MX in concentrator mode or place them side by side instead of behind the other.

0 Kudos
Subscribe
In response to KarstenI
Rsharma
Comes here often
‎Dec 9 2021 2:38 AM
‎Dec 9 2021 2:38 AM

@KarstenI here it is. this network was handed over to me as it is 😞 . i am able to reach both 10.50.x.x and 10.60.x.x from LAN subnets of the hub. i am advertising these routes in auto VPN as well but spokes cannot reach DC subnets though.

scenario. MX.png

0 Kudos
Subscribe
ww
Kind of a big deal
Kind of a big deal
‎Dec 9 2021 3:20 AM
‎Dec 9 2021 3:20 AM

Are that subnets  green in the routing table on the spoke?

From the hub you can ping the switch ip of the spoke ?

There are no sitetosite vpn firewall blocking traffic?

 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.