Meraki

Community

Non Meraki VPN tunnel up but I can't ping the DNS server

Nabil1
Here to help
‎May 28 2024 1:50 PM
‎May 28 2024 1:50 PM

Non Meraki VPN tunnel up but I can't ping the DNS server

Hi Everyone,

I have established a site to site vpn between MX 68CW and AWS. the tunnel is up on AWS and Meraki Dashboard. The problem is that I can't ping my DNS server which is on AWS. It looks like something is missing . The routing is enabled on AWS and Meraki . I suspect something to add on security group but I am not sure.

My local Lan is 10.200.45.0/24 and the vpc is CIDR is 172.31.0.0/16. Could you help me please , I am kind new .

Nabil1_0-1716929339030.png

 

Nabil1_1-1716929384624.png

 

Labels:
0 Kudos
18 Replies 18
alemabrahao
Kind of a big deal
‎May 28 2024 1:54 PM
‎May 28 2024 1:54 PM

Make sure you don't have any ACLs in Azure that are blocking ICMP (this is most likely).

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
‎May 28 2024 1:54 PM
‎May 28 2024 1:54 PM

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Nabil1
Here to help
‎May 28 2024 1:59 PM
‎May 28 2024 1:59 PM

I've already checked that , nothing blocked my ICMP packets

0 Kudos
In response to Nabil1
alemabrahao
Kind of a big deal
‎May 28 2024 2:04 PM
‎May 28 2024 2:04 PM

How about routes? 

Have you tried disabling your server's local firewall?

Otherwise, open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Nabil1
alemabrahao
Kind of a big deal
‎May 28 2024 2:30 PM
‎May 28 2024 2:30 PM

By the way check this.

 

https://ritcsec.wordpress.com/2018/08/12/a-visual-guide-to-setting-up-a-meraki-to-aws-site-to-site-v...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Nabil1
Here to help
‎May 29 2024 6:58 AM
‎May 29 2024 6:58 AM

Hello, 

I did use this link to setup my site to site vpn. the tunnel is up but still the ping is unseccessfull.

0 Kudos
In response to alemabrahao
Nabil1
Here to help
‎May 29 2024 7:24 AM
‎May 29 2024 7:24 AM

I have checked the ACL everything looks fine.

0 Kudos
In response to Nabil1
alemabrahao
Kind of a big deal
‎May 29 2024 7:40 AM
‎May 29 2024 7:40 AM

Don't forget that you can restrict both ACLs and the security group. If you don't have an ACL, review the security group, otherwise open a support case as suggested previously.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
‎May 29 2024 7:43 AM
‎May 29 2024 7:43 AM

More specifically on inbound rules.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Nabil1
Here to help
‎May 29 2024 8:31 AM
‎May 29 2024 8:31 AM

Ok so it's better to open support case with AWS because I do not think it's meraki issue ?

0 Kudos
In response to Nabil1
alemabrahao
Kind of a big deal
‎May 29 2024 9:04 AM
‎May 29 2024 9:04 AM

Yes

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Shubh3738
Building a reputation
‎May 28 2024 9:22 PM
‎May 28 2024 9:22 PM

You have to check with Cisco TAC and Your AWS support Person jointly.

 

Surely, his issue with AWS side.

0 Kudos
In response to Shubh3738
Shubh3738
Building a reputation
‎May 28 2024 10:04 PM
‎May 28 2024 10:04 PM

And Which Firmware version are you using in MX Meraki ?

0 Kudos
In response to Shubh3738
Nabil1
Here to help
‎May 29 2024 6:56 AM
‎May 29 2024 6:56 AM

Hi, Current version: MX 18.107.2

0 Kudos
IvanJukic
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎May 28 2024 11:27 PM
‎May 28 2024 11:27 PM

Hi Nabil,

Have a look at this tshoot guide from Meraki and AWS . There has been some known road blocks with IKEv1 with "one unique security association per Tunnel". 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

 

 

https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html

 

 

Cheers,
Ivan Jukić


Cheers,

Ivan Jukić,
Meraki APJC

If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 29 2024 3:26 AM
‎May 29 2024 3:26 AM

The #1 issue I run into when investigating these is - Windows Firewall.  Try disabling it temporarily.

0 Kudos
In response to PhilipDAth
Nabil1
Here to help
‎May 29 2024 7:15 AM
‎May 29 2024 7:15 AM

It's disabled

0 Kudos
jfigueroa
Here to help
‎Jun 4 2024 9:47 AM
‎Jun 4 2024 9:47 AM

Hello, Nabil

Did you enable the LAN under Addressing & Vlans? Also check if under DHCP to what your DNS nameservers are set to and what IP's were assigned for Customs nameservers.

Thanks.

 

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.