Meraki

Community

Replaced Z1 with Z3 Local Static Routes No Longer Work

TonySmith
Getting noticed
‎May 4 2024 7:33 AM
‎May 4 2024 7:33 AM

Replaced Z1 with Z3 Local Static Routes No Longer Work

Hi,

Attached to my home office network I have three subnets, call them 172.17.217.0/28 which is directly attached to the Z1 inside interface. Z1 is 172.17.217.1 and is the default gateway.

Secondary subnets 172.17.1.0/24 and 172.17.88.0/24 are reached via a separate device 172.17.217.2. So that device is on the local "inside" LAN alongside the Z1 and routes to 172.17.1.0/24 and 172.17.88.0/24 are configured on the Z1 under "Teleworker Gateway" / "Addressing and VLANs" / "Routing" / "Static Routes" with (obviously) 172.17.217.2 as "Next hop IP". Both routes are Enabled and active "Always".

All this worked correctly when configured.  However recently the Z1 failed and was replaced with a Z3, and now they do not work. Trace from a host on the inside LAN times out after 172.17.217.1 the default gateway.

Any ideas would be appreciated in case I've fat fingered something, before I raise a Meraki support case.

Thanks, Tony S

0 Kudos
10 Replies 10
cmr
Kind of a big deal
Kind of a big deal
‎May 4 2024 2:49 PM
‎May 4 2024 2:49 PM

Have you rebooted the other device in case it's ARP table still has the MAC address of the Z1?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
TonySmith
Getting noticed
‎May 5 2024 1:37 AM
‎May 5 2024 1:37 AM

Thanks, I don't think I have. It's been a couple of weeks so I wouldn't expect it to hang onto the old ARP entry that long.  It's not Meraki or even Cisco device and I don't know the ARP timeout. But checking just now it has no ARP entry for anything on 172.17.217.0

0 Kudos
In response to TonySmith
ww
Kind of a big deal
Kind of a big deal
‎May 5 2024 1:40 AM
‎May 5 2024 1:40 AM

Can you ping 172.17.217.2 from the mx interface 172.17.217.1

Or the other way around

0 Kudos
In response to ww
TonySmith
Getting noticed
‎May 5 2024 4:29 AM
‎May 5 2024 4:29 AM

Yes can ping either way. When the Z3 is switched on of course.

0 Kudos
In response to TonySmith
cmr
Kind of a big deal
Kind of a big deal
‎May 5 2024 1:51 AM
‎May 5 2024 1:51 AM

@TonySmith if there is no ARP entry for the Z3 then no traffic can flow.  Is the port definitely up and does the Z3 have an ARP entry for the other device?  Are both set to auto negotiate and have they negotiated the same speed and duplex?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
TonySmith
Getting noticed
‎May 5 2024 4:37 AM
‎May 5 2024 4:37 AM

Sorry I should have mentioned the Z3 is only powered on when I'm working, not all the time. I was just checking there wasn't a stale ARP entry stuck for 217.2.

Just looking at the dashboard I see .2 listed as a "client" with its 217.2 address, and some traffic was registered when the Z3 was online yesterday.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 5 2024 1:32 PM
‎May 5 2024 1:32 PM

Have you got any L3 firewall rules?

0 Kudos
In response to PhilipDAth
TonySmith
Getting noticed
‎May 6 2024 8:48 AM
‎May 6 2024 8:48 AM

No custom rules, only the default inbound "deny any any" and outbound "permit any any".

This begs a few questions ..

1. Do these rules work differently with a Z3 vs a Z1?

2. Do they apply to traffic between hosts on the LAN ports?

3. And if so, which direction is considered "inbound" and which "outbound"?

I should add that if I add the route into the PC then it works. So traffic between PC and 217.2 isn't being blocked by the Z3.

 

0 Kudos
VictorYang
Meraki Employee
Meraki Employee
‎May 6 2024 7:54 PM
‎May 6 2024 7:54 PM

1. Do these rules work differently with a Z3 vs a Z1?
    There is no difference. Z3 and Z1 would work the same 

2. Do they apply to traffic between hosts on the LAN ports?
    Only if you have firewall rules configured. As you check there is no additional firewall configured.  

I reckon you may take a packet capture via the dashboard Network-wide-->packet capture page. You may select the LAN interface and check the output if MX did forward the packet out while you testing the route. Or you may open a support case and call in for live troubleshooting

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
TonySmith
Getting noticed
‎May 8 2024 7:54 AM
‎May 8 2024 7:54 AM

Thanks. I had a brief chance to troubleshoot and actually the route to 172.17.88.0 works, I wouldn't swear I fully tested that before as I might have assumed that if one route worked then so would the other.

 

Doing a network wide packet capture for ping to 172.17.1.1 shows the packets being received but no answer.

 

But that's the same taking a capture for ping to 172.17.88.1 which does work, only the ping request is seen, I guess because the reply comes direct from the Mikrotik on 217.2 to my PC 217.10.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.