No traffic when connected Client VPN in MX65 in Passthrough mode

SOLVED
Caledonia
All

I have spent a few hours testing this function but failed to pass the traffic when MX65 is in L2 mode

Set up

MX65 is connected to the ISP router which provides NAT

VPN is established successfully each time.

No traffic when MX65 is in Passthrough or VPN Concentrator mode

It works fine when MX65 is in Routed mode.

No other changes. It is confirmed that just the mode is the cause of it.

Am I missing any setup to get it to work in Passthrough or VPN Concentrator mode?

I am testing the devices.

ISP router has public IP at WAN end.

ISP router has private IP at LAN end - 192.168.1.1/24

MX65 has static IP at uplink port - 192.168.1.3/24, Gateway 192.168.1.1

All devices are working fine behind MX65 for internet.

Only devices connected to VPN don't work.

Test device is IOS

Port forwarding is set up correctly as IOS can establish

The remote device can be seen in client list as online client VPN

1 ACCEPTED SOLUTION
PhilipDAth

When the MX is in passthrough mode you have to add a route on the default gateway (the ISP router in this case) for the client VPN subnet to go via the MX IP address.

ChrisKemsley

What subnet are you handing out for the VPN client devices and do you have a route for that subnet pointed back to your passthrough MX?

Been trying to figure this one out for some time. I added the static routes but never thought I needed to forward the traffic back to the MX and not just my L3 switch.

I created a route for the subnet I had setup in Client VPN, and pointed that right back to the MX.

ping 8.8.8.8 Finally.

The VPN was working for local resources but that was about all.

Thank you for your suggestion, this helped me.

PhilipDAth

When the MX is in passthrough mode you have to add a route on the default gateway (the ISP router in this case) for the client VPN subnet to go via the MX IP address.

@ChrisKemsley, @PhilipDAth There is no route configured on ISP to point back the VPN subnet. I was not aware of this requirement. I thought the VPN subnet was NATted behind the MX's IP address so the ISP GW won't see actual VPN subnets. I will test to add a static route on ISP and report back. Thank you for the advice.
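The return-path check discussed in this thread, as an added Python example that is not part of any post and is not Meraki or ISP router configuration: it models the upstream gateway's routing table and reports whether replies to client VPN addresses are sent to the MX uplink. The client VPN subnet is not stated in the thread, so `10.99.0.0/24` is a constructed placeholder, and the `connected` and `wan` next-hop labels and both function names are assumptions.

```python
import ipaddress

ISP_LAN = "192.168.1.0/24"          # from the thread
MX_UPLINK = "192.168.1.3"           # from the thread
CLIENT_VPN_SUBNET = "10.99.0.0/24"  # constructed placeholder, not from the thread

# Constructed model of the ISP router's table before and after the fix.
BEFORE = [(ISP_LAN, "connected"), ("0.0.0.0/0", "wan")]
AFTER = BEFORE + [(CLIENT_VPN_SUBNET, MX_UPLINK)]


def lookup(table, dst):
    """Longest-prefix match: the (prefix, next_hop) the router picks for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, nh = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), nh


def return_path_problems(table, vpn_subnet, mx_ip, lan):
    """List reasons why replies to the VPN subnet would not reach the MX."""
    vpn = ipaddress.ip_network(vpn_subnet)
    problems = []
    # A static route is only usable if its next hop sits on the router's LAN.
    if ipaddress.ip_address(mx_ip) not in ipaddress.ip_network(lan):
        problems.append(f"next hop {mx_ip} is not on the router LAN {lan}")
    # The most specific route covering the whole VPN subnet must point at the MX.
    covering = [(ipaddress.ip_network(p), nh) for p, nh in table
                if vpn.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        problems.append(f"no route covers {vpn}")
    else:
        net, nh = max(covering, key=lambda c: c[0].prefixlen)
        if nh != mx_ip:
            problems.append(f"{vpn} follows {net} via {nh}, not the MX")
    # A narrower route inside the VPN subnet would still win for part of it.
    for p, nh in table:
        net = ipaddress.ip_network(p)
        if net != vpn and net.subnet_of(vpn) and nh != mx_ip:
            problems.append(f"more specific route {net} via {nh} overrides part of {vpn}")
    return problems


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, lookup(table, "10.99.0.10"),
              return_path_problems(table, CLIENT_VPN_SUBNET, MX_UPLINK, ISP_LAN))
```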
