Packet Captures : Misleading

mel-astrosat
Here to help

Packet Captures : Misleading

I have a non-meraki peer site to site set up consisting of a MX64 at our office and a AWS instance containing StrongSwan software.

The site to site works perfectly but people connecting into the office via client VPN cannot see resources on the distant end of the site to site VPN.

 

I have been using packet captures to diagnose the  and came across a strange situation. When I run constant ICMP Ping from within the office to a device at the distant end of the S2S VPN I see packet captures on the LAN but nothing when monitoring on site to site VPN. I know the pings are passing through because echo returns are being relayed back.

 

Why am I not seeing the packets when they must be there as the pings are 100% successful and the only path open is the site to site VPN.

2 REPLIES 2
MacuserJim
A model citizen

First, have you tried a traceroute to see the hops that are being taken? This will help verify they are in fact taking the route you are expecting.

 

Second, Is your MX set up in NAT mode? If it is then a pcap on the LAN will show the source IP as the client, but a pcap capturing the same packets on the VPN interface will show the public IP of the MX.

Hi Jim. I received word back from Meraki support. It transpires that pcaps on site to site VPN are only possible with Meraki Peer to Peer VPNs. They are not possible on non-Meraki peers.

 

Thanks for your help, it is appreciated.

 

Cheers.

 

Mel

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels