We have a main location with an MX84 and 3 satellites with MX64s.
We also have a VPN link to Azure using the non-Meraki peer.
And then we use client VPN connections for laptops on the road.
The issue I am having is with the routing to Azure. It works fine on the main network and one of the satellites.
On the other 2 satellites and on the client VPN I can't get a connection to the Azure IP addresses.
Main Network MX84
Can ping the Azure IPs from the MX UI.
No problems on the network or connecting to Azure.
Satellite 1 MX64 uses DHCP in MX
That one works just fine. No issues at all. Can connect to main network and also to Azure.
Interestingly, I can't ping Azure IPs from the MX UI.
Satellite 2 MX64
No DHCP used in MX (to be perfectly correct it is; it has a Netgear Orbi connected that is the gateway and DHCP for the network here).
Can't ping the Azure IPs from the MX UI.
Unable to communicate with IPs on Azure, but no issues with talking to IPs on main network.
Client VPN
When connecting via client VPN I am able to communicate with main network (RDP, etc.) but no communication to Azure IPs.
Any help would be greatly appreciated.
Mike
Strange that it works on one of the sites; in theory it is not possible to route a non-Meraki VPN over the SD-WAN, that is, it would be necessary to establish an Azure VPN tunnel with each MX.
Non-Meraki VPN peers are configured on the Security & SD-WAN > Configure > Site-to-site VPN page of Dashboard. These VPN peers are connected to using IPsec. If an MX is configured to establish a VPN with a non-Meraki VPN peer, the MX will also have routes to the private subnets defined for that VPN peer. If a full tunnel is required, both peers must configure a private subnet of 0.0.0.0/0 as its private subnet for the IPsec SAs to be created successfully.
MX cannot route between two Non-Meraki VPN peers.
MX that builds tunnels to both Auto VPN and Non-Meraki VPN peers, will not route traffic between the non-Meraki VPN peers and other Auto VPN peers.
So yes, we have site-to-site between main office, office 1, office 2 and office 3, and a non-Meraki peer defined as a VPN connection to Azure.
The connection to Azure is working from our main office and also from office #2. It is however not working from office 3 and office 4, and I am not sure why one would work and not the other.
And then of course there is the client VPN on the main office.
Have you checked that there are no firewall rules in Azure?
This is quite a complex setup. You could spend a lot of time on this and may never get it resolved.
Personally, I would buy a VMX-S.
https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/
This will be tremendously simpler, and you can get it working.