Port forwarding not working on MX67

svenus1977
Just browsing


My WAN 1 is down so using WAN 2 to test but that should not affect outcome. 

 

Have configured port forwarding on matching both links, LAN server confirmed is active.

Done a packet capture on both sides, it appears that MX has dropped the SYN/ACK from the server and therefore 3-way handshake not completed.

 

Removed all firewall rules (actually the rules are not blocking anyway), still the same.  Any idea why MX is dropping the SYN/ACK only for port forwarding traffic?  

 

Other outbound traffic is fine. 

svenus1977
Just browsing

Found the fix myself. If I enable AutoVPN on that VLAN, the port forwarding fails.

Port forwarding works once I turn off AutoVPN. Not exactly sure how the two interact, but I may perhaps configure another VLAN for the AutoVPN.

alemabrahao
Kind of a big deal

It does not make sense. Have you opened a support case?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
svenus1977
Just browsing

No, it doesn't look right to me either. I'll try to see the best option I have now; given that I am using a workaround for production traffic, falling back to the non-working config for troubleshooting is a bit challenging.

PhilipDAth
Kind of a big deal

Are you doing a full tunnel for AutoVPN?  That would break it.

svenus1977
Just browsing

I'm doing split tunnel, that's why I hadn't thought of turning it off until I ran out of options and gave it a try. By the way, I have multiple VLANs; I just need to turn off AutoVPN for that particular VLAN that the port forwarding needs to map to. I can still keep the other required VLAN participating in AutoVPN.
