Need help with static route to external router

scarfman4
Comes here often

Hello I'm new here.  We have an MX100 router and five MS120 switches at our hospital with multiple VLANs (all 192.168.x.x ranges).  We are trying to connect an external Cisco router from our EMR vendor and use a static route to send all traffic to and from their company over that static route.

We have the router plugged into one of the front ports (not the WAN port) of the MX100.  We assigned a separate VLAN under "Security & SD-WAN > Addressing & VLANs" with the subnet range 172.16.173.144/29 with a MX IP of 172.16.173.150.  We assigned the uplink port to that VLAN. 

Whenever we try to switch to the router and set a Static Route (also in the Addressing & VLANs screen) with its gateway being either a load balancer or the IP of the router itself (172.16.173.146), it seems to work and we can ping IPs on the other side of their network.  They can also confirm they can ping us.  But our Active Directory trust fails between the two, and we try to load their applications through their Citrix environment and they stall and fail and act like they can't find the servers (which ping fine).

What makes no sense is we temporarily have a site-to-site Non-Meraki VPN with them on the same MX100 and all works fine with that, including the Active Directory trusts. But once we delete that VPN and try the static route, they fail.

I'm not even sure if we are even setting this up right to begin with.  What is the best way to set up a 3rd party router and make sure it can fully communicate both ways?  

PhilipDAth
Kind of a big deal

I'm going to guess you have asymmetric routing, and one of the firewalls (probably the remote one) is blocking some of the traffic (because it is asymmetric).

For example, you might be routing traffic over their router, and they are returning it over the VPN.

Start by disabling the VPN on both ends.  If you are not sure it is disabled on both ends - delete it to make sure.

Routing to the third party router on the inside of the MX is fine.

If you don't make progress, take a packet capture on your end.  Verify you can see the traffic being routed to the third party router, and that you can see the return traffic.

We couldn't even create the static route without deleting the VPN from the Meraki.  It would come up with a message in red saying it had two different sources pointing to the same subnet (the subnet their servers are on).  So we had no choice but to delete it.

I'm not sure if it was deleted on their end though.  They told me they had redirected all their traffic to the new router.

We have been doing packet captures left & right.  Ping traffic shows responses but when we try to load the Citrix website we aren't getting responses back.

I'm trying to determine if the router is even connected into our system correctly?  We just put the port as an "Access" port on its own VLAN.  Should it have been considered a trunk port and do we need to pass through all of the VLANs needed to communicate?

I'm hoping someone out there who has done this kind of setup with the MX series knows how to build this from scratch to compare it to.

>We have been doing packet captures left & right.  Ping traffic shows responses but when we try to load the Citrix website we aren't getting responses back.

If you aren't getting the traffic back, then they are not sending it ...

cmr
Kind of a big deal

@scarfman4 you have the port set up correctly by the sound of it.  I'd agree with @PhilipDAth that it sounds like the other end isn't sending all of the replies back properly.  They might need to adjust the routing table or firewall at their end.

If you can ping all of the IP addresses that you need to connect to, but cannot get traffic to flow then it is most likely the firewall settings.
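As an added example (not code from this thread, from Meraki, or from any of the posters), here is a small Python script that does what PhilipDAth's packet-capture advice and cmr's ping-versus-traffic point both describe: for each remote host seen in a capture, it checks whether the outbound request and the return traffic are both present, whether TCP handshakes get a SYN-ACK back or only ICMP echo gets a reply, and whether replies arrive on a different interface than the request left on (the asymmetric-routing pattern). The capture excerpt is constructed in a simplified tcpdump-like format; the host addresses 192.168.10.25 and 10.200.5.x, the interface names vlan173 and vpn0, and the port numbers are all made up for the example and are not from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed capture excerpt (not a real capture) in a simplified
# tcpdump-like format: <interface> IP <src>[.<port>] > <dst>[.<port>]: <summary>.
# 192.168.10.25 stands in for a hospital host, 10.200.5.x for vendor hosts,
# vlan173 for the transit VLAN toward the vendor router and vpn0 for a VPN path.
SAMPLE_CAPTURE = """\
vlan173 IP 192.168.10.25 > 10.200.5.10: ICMP echo request
vlan173 IP 10.200.5.10 > 192.168.10.25: ICMP echo reply
vlan173 IP 192.168.10.25.51000 > 10.200.5.20.443: Flags [S]
vlan173 IP 192.168.10.25 > 10.200.5.20: ICMP echo request
vlan173 IP 10.200.5.20 > 192.168.10.25: ICMP echo reply
vlan173 IP 192.168.10.25.51001 > 10.200.5.30.443: Flags [S]
vpn0 IP 10.200.5.30.443 > 192.168.10.25.51001: Flags [S.]
vlan173 IP 192.168.10.25.51002 > 10.200.5.40.443: Flags [S]
vlan173 IP 10.200.5.40.443 > 192.168.10.25.51002: Flags [S.]
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<summary>.*)$"
)


def parse_capture(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(text, local_nets):
    """Per remote host: did ICMP/TCP replies come back, and on which interfaces?

    local_nets are the CIDRs on our side (e.g. the hospital 192.168.x.x VLANs);
    any other address is treated as a remote host.
    """
    local = [ipaddress.ip_network(n) for n in local_nets]

    def is_local(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in local)

    report = defaultdict(lambda: {"icmp": None, "tcp": None,
                                  "out_ifaces": set(), "in_ifaces": set()})
    syns = set()  # (remote, remote_port, local_port) for every SYN we sent

    for pkt in parse_capture(text):
        outbound = is_local(pkt["src"]) and not is_local(pkt["dst"])
        inbound = is_local(pkt["dst"]) and not is_local(pkt["src"])
        if not (outbound or inbound):
            continue  # local-to-local or remote-to-remote traffic is not of interest
        remote = pkt["dst"] if outbound else pkt["src"]
        entry = report[remote]
        summary = pkt["summary"]
        if outbound:
            entry["out_ifaces"].add(pkt["iface"])
            if "ICMP echo request" in summary:
                entry["icmp"] = entry["icmp"] or "no reply"  # until a reply is seen
            elif "Flags [S]" in summary:
                syns.add((remote, pkt["dport"], pkt["sport"]))
                entry["tcp"] = entry["tcp"] or "no return"  # until a SYN-ACK is seen
        else:
            entry["in_ifaces"].add(pkt["iface"])
            if "ICMP echo reply" in summary:
                entry["icmp"] = "reply"
            elif "Flags [S.]" in summary and (remote, pkt["sport"], pkt["dport"]) in syns:
                entry["tcp"] = "ok"

    for entry in report.values():
        # Replies arriving on an interface the request never left on is the
        # asymmetric-routing pattern: out via one path, back via another.
        entry["asymmetric"] = bool(entry["in_ifaces"] - entry["out_ifaces"])
    return dict(report)


def verdict(entry):
    """Turn one host's entry into a short troubleshooting conclusion."""
    if entry["asymmetric"]:
        return "asymmetric routing: replies return via a different path"
    if entry["icmp"] == "reply" and entry["tcp"] == "no return":
        return "ping works but TCP gets no reply: suspect remote firewall/routing"
    if entry["tcp"] == "ok":
        return "two-way traffic confirmed"
    if entry["icmp"] == "reply" and entry["tcp"] is None:
        return "ICMP reply only; no TCP attempted"
    return "inconclusive"


if __name__ == "__main__":
    for host, entry in sorted(analyze(SAMPLE_CAPTURE, ["192.168.0.0/16"]).items()):
        print(f"{host}: {verdict(entry)}")
```

The line format here is deliberately simplified; to run this against a real capture, adapt `LINE_RE` to whatever your capture tool prints and pass your own VLAN ranges as `local_nets`. The interesting rows are the ones where the ICMP column says "reply" while TCP says "no return", which matches the symptom in this thread, and the ones where `in_ifaces` differs from `out_ifaces`, which is the asymmetric case PhilipDAth suspects.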

scarfman4
Comes here often

According to the company, we are using a VRF from our MX100 to their hosting firewall.  They didn't remove the original tunnel but they changed all the routes so they don't use the old tunnel.

It seems more like the anti-spoofing might be blocking something.  They are confirming they attempt to send traffic back to us, but nothing is crossing back except for pings.

We are planning on doing another attempt sometime soon and having Meraki tech support on the phone the entire time.  I'm not optimistic though, as the last time they were on the line they kept blaming it on the company's end.

I'm also at the point where if they can't resolve it on that call then I'm moving the MX100 to a VPN passthrough and putting our SonicWall back as our main firewall.
