Non-Meraki VPN peers communication.

Solved
KuJ
Comes here often

FW1 and FW2 need to communicate with FW3 via the MX250 site-to-site tunnel.

Unable to pass the remote subnet to the next peer.

Please give any suggestions on this.

(screenshot attached: KuJ_2-1708687072644.png)

1 Accepted Solution
alemabrahao
Kind of a big deal

The non-Meraki VPN does not participate in Meraki SD-WAN, so it will not work.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

14 Replies

KuJ
Comes here often

Any solution?

alemabrahao
Kind of a big deal

Configure a direct VPN between them.

KuJ
Comes here often

Thanks for the suggestion, but it is not possible for the next peers, due to policy.

alemabrahao
Kind of a big deal

There is another option, but you would need a third device.

In this case, it would be configuring a VPN with another device on the MX network side (such as a router, a Linux box, a MikroTik, etc.). Create a link between it and the MX, or use an existing network, and create a route pointing to this device as the next hop for the desired networks on the other side, so you can enable Auto VPN.

It's not the best solution, but it works.
alemabrahao
Kind of a big deal

Something like this.

(diagram attached: alemabrahao_0-1708693894896.png)
KuJ
Comes here often

I will try. But I am looking for a permanent solution.

alemabrahao
Kind of a big deal

The best solution would be to have an MX, or at least a Z3 (depending on the size of the site), at each of the sites, so you can enjoy all the benefits of Meraki SD-WAN.

Other than that, the solution I mentioned would be the only one, since communication needs to go through the MX.
GreenMan
Meraki Employee

Whilst agreeing with the recommendation for MX / Z devices everywhere (😉), I think the original ask was for all the tunnels to be non-Meraki VPN, in which case the limitation around not hairpinning AutoVPN with non-Meraki VPN doesn't apply. I've not come across this particular ask before though, where there are no Meraki spokes (as I understand it), so am seeking some answers internally on whether this will / should work. Did you raise a case with Meraki Support? Did the Dashboard throw up errors when you tried to configure it, or did it just not pass traffic? Were you able to use packet captures to see where the traffic flow was breaking down?

alemabrahao
Kind of a big deal

He is not receiving an error; he wants to communicate between two non-Meraki peer networks through the MX, which is not possible. 😉

KuJ
Comes here often

Yes. you are right. We plan to go with non-Meraki.

KuJ
Comes here often

Yes, bro. I have raised a case for this. As per the Meraki team, it is not possible. I want to pass a non-Meraki peer subnet to another peer; you can't do source-based routing. There are limitations; also, basic NATing is available.

jayas
New here

I am working on a similar problem: a Phase 2 S2S tunnel is not coming up, and the debugs suggest an ACL mismatch. One end is a Cisco IOS firewall, the other end an MX8x. The remote MX (managed by a third party) has multiple MXs and a couple of non-Meraki VPN peers working fine. This tunnel is a policy-based IPsec tunnel bound by an ACL; apparently there is a limitation at the head-end MX, which cannot assign a specific ACL to this IPsec tunnel. Also, a route-based VTI tunnel to the MX is not an option either, so we are stuck in this state of Phase 2 failing at the Cisco end. I am not an MX expert, but I am about to propose a similar solution to bypass this MX.
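
The ACL-mismatch situation described in the post above, as an added example that is not code from the thread, from Meraki or from Cisco: a small Python check that enumerates the Phase 2 traffic-selector pairs an MX proposes to a non-Meraki peer and compares them with the crypto ACL a policy-based Cisco IOS peer is configured with. It assumes (this is not stated on the page) that the MX proposes one Phase 2 SA per (local "Use VPN" subnet, remote "Private subnets" entry) pair and offers no way to narrow that to a single ACL, so the IOS side needs an exactly matching access-list entry for every pair. The subnets, ACL name and ACL text are constructed for the example.

```python
"""Phase 2 traffic-selector check: Meraki MX non-Meraki VPN peer vs. Cisco IOS crypto ACL.

Added example, not code from the thread. Subnets and ACL text are constructed.
Assumption (not stated on the page): the MX proposes one Phase 2 SA for every
(local "Use VPN" subnet, remote private subnet) pair, and a policy-based IOS peer
must carry a crypto ACL entry that matches each pair exactly, or Phase 2 fails.
"""
from ipaddress import ip_network


def wildcard_to_network(addr: str, wildcard: str):
    """Convert an IOS 'address wildcard' pair into a network (wildcard = inverted netmask)."""
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{netmask}", strict=False)


def parse_ios_crypto_acl(acl_text: str):
    """Return (source, destination) network pairs from 'permit ip ...' entries.

    Handles the 'any', 'host A' and 'A wildcard' address forms; header, remark
    and deny lines are skipped.
    """
    pairs = []
    for raw in acl_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        nets, i = [], 2
        while i < len(tokens) and len(nets) < 2:
            if tokens[i] == "any":
                nets.append(ip_network("0.0.0.0/0"))
                i += 1
            elif tokens[i] == "host":
                nets.append(ip_network(f"{tokens[i + 1]}/32"))
                i += 2
            else:
                nets.append(wildcard_to_network(tokens[i], tokens[i + 1]))
                i += 2
        if len(nets) == 2:
            pairs.append((nets[0], nets[1]))
    return pairs


def mx_selector_pairs(mx_local_subnets, peer_private_subnets):
    """Pairs the MX proposes: every local 'Use VPN' subnet x every remote private subnet."""
    return {(ip_network(l), ip_network(r))
            for l in mx_local_subnets for r in peer_private_subnets}


def compare_selectors(mx_local_subnets, peer_private_subnets, ios_acl_text):
    """Classify selector pairs, reported as (mx_local, mx_remote) strings.

    The IOS ACL is written from the IOS side (src = IOS local, dst = MX side),
    so each ACL pair is flipped into MX orientation before comparison.
    """
    mx_pairs = mx_selector_pairs(mx_local_subnets, peer_private_subnets)
    ios_pairs = {(dst, src) for src, dst in parse_ios_crypto_acl(ios_acl_text)}

    def fmt(pairs):
        return sorted((str(a), str(b)) for a, b in pairs)

    return {
        # Phase 2 negotiates for these pairs
        "matched": fmt(mx_pairs & ios_pairs),
        # MX proposes these, IOS has no matching ACE: the "ACL mismatch" seen in debugs
        "mx_only": fmt(mx_pairs - ios_pairs),
        # IOS interesting traffic the MX will never propose (e.g. a supernet of its VLAN)
        "ios_only": fmt(ios_pairs - mx_pairs),
    }


# Constructed sample input (not taken from the thread)
MX_LOCAL = ["10.10.0.0/24", "10.10.1.0/24"]        # MX VLANs with "Use VPN" enabled
PEER_PRIVATE = ["192.168.50.0/24"]                  # peer's "Private subnets" on the MX
IOS_ACL = """\
ip access-list extended VPN-TO-MX
 remark covers only the first MX VLAN, plus a /23 supernet the MX never proposes
 permit ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.1.255
"""

if __name__ == "__main__":
    for kind, pairs in compare_selectors(MX_LOCAL, PEER_PRIVATE, IOS_ACL).items():
        print(f"{kind:8s} {pairs}")
```

Run against the constructed input, the check reports one matched pair, one pair the MX proposes that the IOS ACL does not cover (10.10.1.0/24 to 192.168.50.0/24) and one ACL entry (the /23) the MX will never agree to; the fix on a policy-based peer is to make the crypto ACL enumerate exactly the MX's subnet pairs, since the MX side cannot be narrowed per tunnel.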
