Routing Question

StarZen
Here to help

We have a main location with an MX84 and 3 satellites with MX64s.

We also have a VPN link to Azure using the non-Meraki peer.

And then we use client VPN connections for laptops on the road.

The issue I am having is with the routing to Azure. It works fine on the main network and one of the satellites.

On the other 2 satellites and on the client VPN I can't get a connection to the Azure IP addresses.

Main Network MX84

Can ping the Azure IPs from the MX UI.

No problems on the network or connecting to Azure.

Satellite 1 MX64 uses DHCP in MX

That one works just fine. No issues at all. Can connect to main network and also to Azure.

Interestingly, I can't ping Azure IPs from the MX UI.

Satellite 2 MX64

No DHCP used in MX (to be perfectly correct it is; has a Netgear Orbi connected that is the gateway and DHCP for the network here).

Can't ping the Azure IPs from the MX UI.

Unable to communicate with IPs on Azure, but no issues with talking to IPs on main network.

Client VPN

When connecting via client VPN I am able to communicate with main network (RDP, etc.) but no communication to Azure IPs.

Any help would be greatly appreciated.

Mike

5 Replies
alemabrahao
Kind of a big deal

Strange to work on one of the sites, in theory it is not possible to route a non-Meraki VPN on the SD-WAN, that is, it would be necessary to establish an Azure VPN tunnel with each MX.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Non-Meraki VPN Peers (Other IPsec)

Non-Meraki VPN peers are configured on the Security & SD-WAN > Configure > Site-to-site VPN page of Dashboard. These VPN peers are connected to using IPsec. If an MX is configured to establish a VPN with a non-Meraki VPN peer, the MX will also have routes to the private subnets defined for that VPN peer. If a full tunnel is required, both peers must configure a private subnet of 0.0.0.0/0 as its private subnet for the IPsec SAs to be created successfully.

MX cannot route between two Non-Meraki VPN peers.

MX that builds tunnels to both Auto VPN and Non-Meraki VPN peers, will not route traffic between the non-Meraki VPN peers and other Auto VPN peers.

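As an added illustration (not code from the thread or from Meraki), a small Python model of the documented rule quoted above: each MX holds its own routes, only an MX with its own non-Meraki peer has an IPsec route, and an MX drops traffic that would transit between Auto VPN and a non-Meraki peer. The topology and addresses are constructed, and the assumption that a spoke without its own peer hands Azure-bound traffic to the hub over Auto VPN is a modelling choice, not a statement about MX behaviour.

```python
import ipaddress

# Constructed topology modelled on the thread (all addresses made up): a hub MX
# with Auto VPN to three spokes; the Azure subnet is reachable only through a
# non-Meraki IPsec peer configured on the MXs listed in `ipsec_peers`.
LANS = {"hub": "10.0.0.0/24", "spoke1": "10.1.0.0/24",
        "spoke2": "10.2.0.0/24", "spoke3": "10.3.0.0/24"}
AZURE = ipaddress.ip_network("10.50.0.0/16")   # private subnet defined for the peer

def route_table(site, ipsec_peers):
    """(prefix, egress) pairs for one MX. An 'ipsec' route exists only on an MX
    that has its own non-Meraki peer; a site without one is assumed (modelling
    assumption) to send Azure-bound traffic towards the hub over Auto VPN."""
    table = [(ipaddress.ip_network(lan), "local" if name == site else "autovpn")
             for name, lan in LANS.items()]
    table.append((AZURE, "ipsec" if site in ipsec_peers else "autovpn"))
    return table

def lookup(table, dst):
    """Longest-prefix match; returns the egress or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(p, e) for p, e in table if dst in p]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def forward(site, ipsec_peers, ingress, dst):
    """Decision of one MX for a packet that arrived via `ingress` ('local',
    'autovpn' or 'ipsec') and is headed for `dst`. Applies the documented rule:
    an MX does not route between Auto VPN peers and non-Meraki VPN peers."""
    egress = lookup(route_table(site, ipsec_peers), dst)
    if egress is None:
        return "drop: no route"
    if {ingress, egress} == {"autovpn", "ipsec"}:
        return "drop: no transit between Auto VPN and non-Meraki peer"
    return egress

def trace(src_site, ipsec_peers, dst):
    """Follow a packet from src_site's LAN hop by hop; returns [(site, decision)]."""
    dst = ipaddress.ip_address(dst)
    hops, site, ingress = [], src_site, "local"
    for _ in range(4):                      # LAN -> hub -> far side is at most 3 hops
        decision = forward(site, ipsec_peers, ingress, dst)
        hops.append((site, decision))
        if decision != "autovpn":
            return hops
        # Auto VPN hub-and-spoke: spokes hand off to the hub, the hub to the LAN owner.
        owner = next((n for n, l in LANS.items() if dst in ipaddress.ip_network(l)), "hub")
        site, ingress = ("hub" if site != "hub" else owner), "autovpn"
    hops.append((site, "drop: hop limit exceeded"))
    return hops

if __name__ == "__main__":
    for src in LANS:                        # only the hub has the Azure peer here
        print(src, "->", AZURE, trace(src, {"hub"}, "10.50.1.10"))
```

Adding a site to `ipsec_peers` (its own tunnel to Azure) is the only change that makes its trace end in `ipsec` rather than a drop at the hub, which is the point the documentation makes.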

So yes, we have site-to-site between main office, office 1, office 2 and office 3, and a non-Meraki peer defined as a VPN connection to Azure.

The connection to Azure is working from our main office and also from office #2. It is however not working from office 3 and office 4, and I am not sure why one would work and not the other.

And then of course there is the client VPN on the main office.

alemabrahao
Kind of a big deal

Have you checked that there are no firewall rules in Azure?

PhilipDAth
Kind of a big deal

This is quite a complex setup. You could spend a lot of time on this and may never get it resolved.

Personally, I would buy a VMX-S.

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/

This will be tremendously simpler, and you can get it working.
