Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Sanity check for AutoVPN Hub and Spoke with Default route, and disabled network.

Solved
thomasthomsen
Head in the Cloud
‎Jun 27 2023 7:04 AM
‎Jun 27 2023 7:04 AM

Sanity check for AutoVPN Hub and Spoke with Default route, and disabled network.

I have setup quite a few AutoVPN networks normally split tunnel with Adv. Sec on MX's.

 

But in this case the customer wants to run Full tunnel (only enterprise license) for networks (and that's fine) but they want ONE network to just have local internet breakout (no security , or as much as the Enterprise lic can give them, and of course no access through AutoVPN).

 

This should be pretty simple, just set that network to disable on the Site-to-Site page right ? ... right ?

 

The problem is that when i take this network out of AutoVPN (set that specific network to disabled) and try to ping from the MX (source "the internet only VLAN") I see these packets on the central HUB MX (in a packet capture).

I have NO idea why, this should not happen right ? 

Or is this because I use the MX status page to test out connectivity (some random issue no-one was aware of).

 

Just wondering.

Or have I missed something ?

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings

Documentation seems to agree with "how I think this should work".

 

Thanks
Thomas

 

0 Kudos
Subscribe
1 Accepted Solution
In response to thomasthomsen
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jun 27 2023 7:48 AM
‎Jun 27 2023 7:48 AM

Yes, clients on that VLAN should work and would NAT out fine. If they're not then something else is wrong in the config or topology. 

View solution in original post

Subscribe
6 Replies 6
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jun 27 2023 7:39 AM
‎Jun 27 2023 7:39 AM

If I'm understanding your scenario and test of pinging from a MX VLAN interface to the internet that's not supported as the traffic is not natted as noted here.

 

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_the_Ping_Liv...

 

For example this is from my MX

 

Screenshot 2023-06-27 at 7.36.46 AM.png

Subscribe
In response to Ryan_Miles
ww
Kind of a big deal
Kind of a big deal
‎Jun 27 2023 7:44 AM
‎Jun 27 2023 7:44 AM

But It should not be seen on the vpn hub. 

Afaik it leaves  the wan interface with the vlan ip, but does not get response because  there is no route back on the router behind the mx nat interface.

Subscribe
In response to ww
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jun 27 2023 7:46 AM
‎Jun 27 2023 7:46 AM

We don't know what other routing is in play here. My point is regardless that ping test isn't valid.

 

There'd still be a 0.0.0.0 default route to the hub even though the VLAN isn't VPN enabled. And because the MX VLAN interface doesn't NAT it's hitting that hub default route.

0 Kudos
Subscribe
In response to Ryan_Miles
thomasthomsen
Head in the Cloud
‎Jun 27 2023 7:46 AM
‎Jun 27 2023 7:46 AM

Lol .. I must never have tried to ping from a source vlan towards the internet on an MX .. how strange.

But , just to check my sanity.

This should work (internet access) for a client that connects to that VLAN right ?

And me seeing the ICMP packets on the HUB from this VPN disabled source VLAN is what ... a fluke ... ? 

0 Kudos
Subscribe
In response to thomasthomsen
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jun 27 2023 7:48 AM
‎Jun 27 2023 7:48 AM

Yes, clients on that VLAN should work and would NAT out fine. If they're not then something else is wrong in the config or topology. 

Subscribe
In response to Ryan_Miles
thomasthomsen
Head in the Cloud
‎Jun 27 2023 7:49 AM
‎Jun 27 2023 7:49 AM

Thanks (Im working remote and cannot "double check" with an actual client).

But I accept this as fact 🙂

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.