I already set up my VPN client on the MX60 but cannot connect from a Windows 10 machine. I made sure how to configure the Windows 10 VPN client (I took reference from the Meraki document). How can I access my VPN server from the client?
Why can't I ping my Meraki hostname (DDNS name)? Which ports should I open on the Meraki firewall?
Best regards.
johnie
Why can't I ping my Meraki hostname from an outside network?
Hello @Johnie. To be able to test this using ping, perhaps temporarily, go to Security & SD-WAN > Configure > Firewall and in the "Security Appliance Services" section type in "Any" in the ICMP Ping box, save, and re-test. Not sure if that was what you were after, sorry if I misunderstood. There is also support documentation regarding Error 789 here: https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN
Hope that helps!
I also did that but cannot ping my DDNS hostname from an outside network.
Is your MX60 behind an internet provider NAT router?
Yeah
And did you forward all related ports and the ICMP protocol in the provider router?
Is there anything else upstream, perhaps an ISP modem/router/gateway that might be blocking the ping? I can in general do an nslookup on the dynamic-m DNS names of my MX appliances and see the correct IP returned that matches the public IP address of the MX, and I can ping both that IP and the DNS name. Perhaps something else upstream is blocking the ICMP packets.
You can run an ICMP packet capture on the outside interface of the MX, go to Network Wide > Packet Capture to set that up, select the MX appliance, select the "Internet" interface, and in the filter expression box, type "icmp" and click start. See if the pings (from outside your network) are even coming into the MX's outside interface in the first place, and let's go from there. If they are not, something is blocking ping from coming into the MX from the ISP side, and if the pings are coming in, and you also see the MX responding, then something is blocking the responses.
Aside from pings, is the rest normal, do you have a site-to-site VPN up and operational? And if so, you can ping one MX LAN interface from the other MX LAN interface?
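The capture check described in the reply above, as an added example that is not part of the original thread. It assumes the capture is available as tcpdump-style text lines; the function name, verdict keys and sample addresses are constructed for illustration, and the "no replies" case is an addition that ties back to the ICMP Ping setting mentioned earlier in the thread.

```python
import re

# Assumed input: tcpdump-style text lines from a capture on the MX "Internet"
# interface with the "icmp" filter, e.g.
# 12:00:01.000000 IP 203.0.113.50 > 192.168.1.2: ICMP echo request, id 7, seq 1, length 64
ECHO_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

VERDICTS = {
    "no_requests": "Pings never reach the MX: something on the ISP side is blocking them.",
    "no_replies": "Pings arrive but the MX stays silent: check the ICMP Ping setting.",
    "replies_sent": "The MX answers: something is blocking the responses on the way out.",
}

def classify_icmp_capture(lines, mx_wan_ip, tester_ip):
    """Return a VERDICTS key for pings sent from tester_ip to mx_wan_ip."""
    requests, replies = set(), set()
    for line in lines:
        m = ECHO_RE.search(line)
        if m is None:
            continue  # not an ICMP echo line
        key = (int(m["id"]), int(m["seq"]))
        flow = (m["src"], m["dst"])
        if m["kind"] == "request" and flow == (tester_ip, mx_wan_ip):
            requests.add(key)
        elif m["kind"] == "reply" and flow == (mx_wan_ip, tester_ip):
            replies.add(key)
    if not requests:
        return "no_requests"
    # Only replies that match a captured request by (id, seq) count.
    return "replies_sent" if requests & replies else "no_replies"

# Constructed sample: the MX WAN port holds a private address behind the ISP NAT.
SAMPLE = [
    "12:00:01.000000 IP 203.0.113.50 > 192.168.1.2: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000400 IP 192.168.1.2 > 203.0.113.50: ICMP echo reply, id 7, seq 1, length 64",
    "12:00:02.000000 IP 203.0.113.50 > 192.168.1.2: ICMP echo request, id 7, seq 2, length 64",
]

if __name__ == "__main__":
    verdict = classify_icmp_capture(SAMPLE, "192.168.1.2", "203.0.113.50")
    print(verdict, "-", VERDICTS[verdict])
```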
I can do nslookup but I cannot ping its DNS address and IP address. My appliance is behind ISP’s NAT.
> My appliance is behind ISP’s NAT
You'll need to NAT UDP/500 and UDP/4500 on the ISP router through to your MX appliance.
I will try it now
Thanks