Multiple VPN connection issues

Ranel_Laroco
Comes here often

Multiple VPN connection issues

I have a user who connects to 2 VPN networks at the same time. The first networks is on a SonicWall device, the second network is on a Meraki M68 device. In the past, the user has always been able to have both VPNs connected at the same time, but now when the user is connected to the Meraki network, the SonicWall network cannot connect or is disconnected when the Meraki VPN is enabled. The only change that has occurred is the SonicWall was recently upgraded from a TZ215 to a TZ470. Thinking that is the cause, I provided a workaround by installing a remote connection software called AnyDesk on the target computer inside the SonicWall network, but it's the same issue. Every time the Meraki VPN is enabled, even AnyDesk does not work. Has anyone ever encountered this issue before? If so, what was your solution?

 

Thanks in advance,

Ranel Laroco

14 Replies 14
cmr
Kind of a big deal
Kind of a big deal

@Ranel_Laroco has the Meraki VPN changed from split tunnel to full tunnel?

Ranel_Laroco
Comes here often

As far as I know everything should be the same on Meraki's side. Even when I had to re-establish the site to site VPN between 2 offices with one of the offices running a SonicWall firewall. I duplicated the settings. Where would I check to verify the tunnel settings?

cmr
Kind of a big deal
Kind of a big deal

@Ranel_Laroco I thought there were two client VPNs, is one a site to site, or both?

Ranel_Laroco
Comes here often

Both. When the user is in the office (the one with the Sonicwall device), she is able to access the Meraki network over the site to site VPN. But when the user is working from home she accesses both offices through the client VPN. There was never an issue with this configuration in the past 3 years until now. It's possible I may have missed something when I was replicating the settings for the site to site VPN, but I'm not sure where.

cmr
Kind of a big deal
Kind of a big deal

Does she connect to both client VPNs at once, or to one (if so is it the Meraki or Sonicwall) and then over the site to site VPN to the other site?  And is the problem only from home?

cmr
Kind of a big deal
Kind of a big deal

You might find this post useful - it tells you how to enable split tunnelling on Meraki client VPN:

 

Solved: Client VPN split tunneling? - The Meraki Community

Ranel_Laroco
Comes here often

Yes, she connects to both sites at the same time from home. When she's in the office, she only utilizes the site-to-site VPN. So, yes the problem only occurs when she is only at home.

PhilipDAth
Kind of a big deal
Kind of a big deal

You were lucky that you could run two client VPNs at the same time.  It's surprising that ever worked at all.

 

Try using my client VPN wizard, and create a client VPN connection that only tunnels the subnets behind the MX that the user needs to access.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

It has been working for quite a while before one site was upgraded from a SonicWall TZ215 to a TZ470 just recently.

You should read their comments.

You need to make sure your VPN towards the Meraki MX is split tunnel with only the local subnets added as routes.

 

If you are doing full tunnel then you will try to form the VPN tunnel from her home via the MX to the Sonicwall.

This can give all kinds of grief.

 

There are usually no issues connecting multiple VPN's if they only route to the relevant destination networks.

 

Please do a route print on the pc when it is connected to the MX and see if the default route is not pointed towards the Client VPN interface.

Not sure exactly what I'm looking for, but here is the route print results:

 

Microsoft Windows [Version 10.0.19042.1165]
(c) Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>route print
===========================================================================
Interface List
6...34 e6 d7 22 a2 d4 ......Intel(R) Ethernet Connection I217-LM
19...d8 fc 93 28 d7 6a ......Microsoft Wi-Fi Direct Virtual Adapter
5...da fc 93 28 d7 69 ......Microsoft Wi-Fi Direct Virtual Adapter #2
49...........................Walschon VPN
20...d8 fc 93 28 d7 69 ......Intel(R) Dual Band Wireless-AC 7260
7...d8 fc 93 28 d7 6d ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.27 4275
0.0.0.0 0.0.0.0 On-link 192.168.80.198 36
96.90.231.5 255.255.255.255 192.168.43.1 192.168.43.27 4276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4556
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4556
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
192.168.43.0 255.255.255.0 On-link 192.168.43.27 4531
192.168.43.27 255.255.255.255 On-link 192.168.43.27 4531
192.168.43.255 255.255.255.255 On-link 192.168.43.27 4531
192.168.80.198 255.255.255.255 On-link 192.168.80.198 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4556
224.0.0.0 240.0.0.0 On-link 192.168.43.27 4531
224.0.0.0 240.0.0.0 On-link 192.168.80.198 36
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4556
255.255.255.255 255.255.255.255 On-link 192.168.43.27 4531
255.255.255.255 255.255.255.255 On-link 192.168.80.198 291
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
20 66 ::/0 fe80::8c45:ff:fec6:be97
1 331 ::1/128 On-link
20 66 2607:fb90:822c:6d4a::/64 On-link
20 306 2607:fb90:822c:6d4a:59e5:f8b4:b831:9fc8/128
On-link
20 306 2607:fb90:822c:6d4a:e192:67e7:329e:b4ae/128
On-link
20 306 fe80::/64 On-link
20 306 fe80::59e5:f8b4:b831:9fc8/128
On-link
1 331 ff00::/8 On-link
20 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

mljevakovic
Here to help

If I understood well your network design is like on picture:

VPN clients.jpg

 

 

 

 

 

 

 

 

 

 

By my experience you can have two different VPN clients (I have Cisco Anyconnect and Watchguard, or AnyConnect and PulseSecure). It works. But every connection profile has split tunneling enabled on VPN server, LANs on server's side are different subnets, VPN ip pools are different and neither VPN servers push the same subnets as on the other Site. It should work.

Yes, this is exactly the network design that is currently in place. 2 offices connected by site to site VPN. And, the user connects to both of them at the same time from home. Different LAN subnets at each location.

Hi @Ranel_Laroco ,

could you confirm that both VPN clients work correctly in the situation when is only one active?

Next what I'd be do is to when connect use one or other VPN client, take of routes which a VPN server provides to VPN client (I mean which networks will be protected with VPN tunnel).

example Cisco AnyConnect

mljevakovic_0-1630390421033.png

Per picture only networks:

192.168.1.0/24, 192.168.10.0/24,192.168.100.0/24, 192.168.200.0/24, 192.168.1.4/32 are protected

I just use two VPN clients: Cisco AnyConnect and PulseSecure at the same time

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels