I have a user who connects to 2 VPN networks at the same time. The first networks is on a SonicWall device, the second network is on a Meraki M68 device. In the past, the user has always been able to have both VPNs connected at the same time, but now when the user is connected to the Meraki network, the SonicWall network cannot connect or is disconnected when the Meraki VPN is enabled. The only change that has occurred is the SonicWall was recently upgraded from a TZ215 to a TZ470. Thinking that is the cause, I provided a workaround by installing a remote connection software called AnyDesk on the target computer inside the SonicWall network, but it's the same issue. Every time the Meraki VPN is enabled, even AnyDesk does not work. Has anyone ever encountered this issue before? If so, what was your solution?
Thanks in advance,
Ranel Laroco
As far as I know everything should be the same on Meraki's side. Even when I had to re-establish the site to site VPN between 2 offices with one of the offices running a SonicWall firewall. I duplicated the settings. Where would I check to verify the tunnel settings?
@Ranel_Laroco I thought there were two client VPNs, is one a site to site, or both?
Both. When the user is in the office (the one with the Sonicwall device), she is able to access the Meraki network over the site to site VPN. But when the user is working from home she accesses both offices through the client VPN. There was never an issue with this configuration in the past 3 years until now. It's possible I may have missed something when I was replicating the settings for the site to site VPN, but I'm not sure where.
Does she connect to both client VPNs at once, or to one (if so is it the Meraki or Sonicwall) and then over the site to site VPN to the other site? And is the problem only from home?
You might find this post useful - it tells you how to enable split tunnelling on Meraki client VPN:
Yes, she connects to both sites at the same time from home. When she's in the office, she only utilizes the site-to-site VPN. So, yes the problem only occurs when she is only at home.
You were lucky that you could run two client VPNs at the same time. It's surprising that ever worked at all.
Try using my client VPN wizard, and create a client VPN connection that only tunnels the subnets behind the MX that the user needs to access.
It has been working for quite a while before one site was upgraded from a SonicWall TZ215 to a TZ470 just recently.
You should read their comments.
You need to make sure your VPN towards the Meraki MX is split tunnel with only the local subnets added as routes.
If you are doing full tunnel then you will try to form the VPN tunnel from her home via the MX to the Sonicwall.
This can give all kinds of grief.
There are usually no issues connecting multiple VPN's if they only route to the relevant destination networks.
Please do a route print on the pc when it is connected to the MX and see if the default route is not pointed towards the Client VPN interface.
Not sure exactly what I'm looking for, but here is the route print results:
Microsoft Windows [Version 10.0.19042.1165]
(c) Microsoft Corporation. All rights reserved.
C:\WINDOWS\system32>route print
===========================================================================
Interface List
6...34 e6 d7 22 a2 d4 ......Intel(R) Ethernet Connection I217-LM
19...d8 fc 93 28 d7 6a ......Microsoft Wi-Fi Direct Virtual Adapter
5...da fc 93 28 d7 69 ......Microsoft Wi-Fi Direct Virtual Adapter #2
49...........................Walschon VPN
20...d8 fc 93 28 d7 69 ......Intel(R) Dual Band Wireless-AC 7260
7...d8 fc 93 28 d7 6d ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.27 4275
0.0.0.0 0.0.0.0 On-link 192.168.80.198 36
96.90.231.5 255.255.255.255 192.168.43.1 192.168.43.27 4276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4556
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4556
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
192.168.43.0 255.255.255.0 On-link 192.168.43.27 4531
192.168.43.27 255.255.255.255 On-link 192.168.43.27 4531
192.168.43.255 255.255.255.255 On-link 192.168.43.27 4531
192.168.80.198 255.255.255.255 On-link 192.168.80.198 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4556
224.0.0.0 240.0.0.0 On-link 192.168.43.27 4531
224.0.0.0 240.0.0.0 On-link 192.168.80.198 36
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
255.255.255.255 255.255.255.255 On-link 192.168.43.27 4531
255.255.255.255 255.255.255.255 On-link 192.168.80.198 291
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
20 66 ::/0 fe80::8c45:ff:fec6:be97
1 331 ::1/128 On-link
20 66 2607:fb90:822c:6d4a::/64 On-link
20 306 2607:fb90:822c:6d4a:59e5:f8b4:b831:9fc8/128
On-link
20 306 2607:fb90:822c:6d4a:e192:67e7:329e:b4ae/128
On-link
20 306 fe80::/64 On-link
20 306 fe80::59e5:f8b4:b831:9fc8/128
On-link
1 331 ff00::/8 On-link
20 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
If I understood well your network design is like on picture:
By my experience you can have two different VPN clients (I have Cisco Anyconnect and Watchguard, or AnyConnect and PulseSecure). It works. But every connection profile has split tunneling enabled on VPN server, LANs on server's side are different subnets, VPN ip pools are different and neither VPN servers push the same subnets as on the other Site. It should work.
Yes, this is exactly the network design that is currently in place. 2 offices connected by site to site VPN. And, the user connects to both of them at the same time from home. Different LAN subnets at each location.
Hi @Ranel_Laroco ,
could you confirm that both VPN clients work correctly in the situation when is only one active?
Next what I'd be do is to when connect use one or other VPN client, take of routes which a VPN server provides to VPN client (I mean which networks will be protected with VPN tunnel).
example Cisco AnyConnect
Per picture only networks:
192.168.1.0/24, 192.168.10.0/24,192.168.100.0/24, 192.168.200.0/24, 192.168.1.4/32 are protected
I just use two VPN clients: Cisco AnyConnect and PulseSecure at the same time