Hi all,
Sorry for what is surely a lame/newbie post, but I got Meraki SD-Wan via AT&T and after 2 months I just got things installed but cannot seem to get them to help me finish the setup. I'm desperate here as I have to go live with this on Monday and I am close but can't get the last bit of the way there. I have an mx95 at HQ with existing LAN IP 192.168.11.0/24. At our other office they installed a MX68. I managed to get the two connected via Hub and Spoke with HQ being hub, and second location the spoke. I can also connect to HQ via AnyConnect. I think the issue might be that our HQ has an existing ip and I can't just change everything to DHCP (Planning on passing DHCP requests to the domain controller which handles DHCP now) and I'm not configuring something right.
I have set the HQ MX95 with these settings:
Note: all ipv6 is disabled/not configured
Addressing and VLANs
Mode: Routed
Client tracking: MAC address
Routing
Lan Setting: Single LAN
LAN Config
Single LAN Settings | Version 4 | VLAN Interface IP 192.168.11.1/23 | Uplink Any | VPN Mode Disabled
No static routes
DHCP Server: Run DHCP Server (running for now just to test, again plan to offload DHCP to windows server once things are working)
Firewall: default/empty No port forwarding, no 1:1 NAT, no 1:many NAT, no Bonjour, IP source address spoofing protection: Block
Site-to-site VPN
Main subnet VPN mode disabled subnet 192.168.10.0/23 Uplink any
AnyConnect VPN. VPN mode enabled subnet 192.168.12.1/24 Uplink <blank>
NAT traversal: automatic
No custom site-to-site outbound firewall rules
Routing: BGP not available, OSPF disabled
Client VPN
IPsec disabled
AnyConnect Settings enabled
Authentication is Meraki Cloud for now just to make things easier. As mentioned, I can connect to the VPN fine it seems. When connected I can ping the Merkai local IP 192.168.11.1 fine, but can't ping any of the other couple of devices plugged into the MX95 for testing (note: when plugged directly into the MX95 itself with laptop, I can access those devices fine).
AnyConnect VPN subnet 192.168.12.1/24
Client Routing: Send all client traffic through VPN
Dynamic Client Routing: Disable Dynamic Split tunneling
Session timeout: None
Default Group Policy: No Group Policy
SD-WAN & Traffic Shaping
Primary Uplink WAN1
Load Balancing: disabled
Active-Active AutoVPN: Enabled
Flow preferences: any any any any WAN1 (I need this for various reasons)
SD-Wan policies: Prefer WAN1. Fail over if uplink down
Traffic shaping rules: none
I think those are all of the relevant settings. It feels like it might be that the VPN client is getting a 192.168.12.x address and the devices behind the MX95 are 192.168.11.x but maybe Meraki does some magic to handle the translation? I set the main subnet to 192.168.10.0/23 since it would cover the 192.168.11.x addresses and give me some more address space since we're running low on the 192.168.11.0/24 subnet, but I may be doing that wrong as well?
I did run a packet capture while the VPN was connected and I tried accessing the webpage of one of the devices connected to the MX95 (it is a NAS device with web config page). I can see the attempts to contact the NAS with a SYN and then a ton of retransmissions and never any ACK or other replies so something is blocking the connection obviously.
Any ideas on where I can look or what I can try would be much appreciated. I tried searching for "Meraki SD-Wan existing lan IP" but that and other attempts mostly just surfaced issues with WAN IPs.
Here is roughly what the setup looks like:
HQ has a bunch of devices running on the 192.168.11.x subnet and I'm testing the MX95 using that IP so once I get things working I can just switch over from our current firewall.
I suppose a simpler way of asking the question is: if I have an existing network 192.168.11.0/24, how would I set up the hub and spoke and AnyConnect IPs so that the AnyConnect and Spoke machines can reach the devices on the 192.168.11.x subnet? I have 2 test devices plugged into the MX95, a NAS and HTTP server. I can reach both if I'm plugged directly into the MX95. I can ping them from the Meraki dashboard. However, I can not access them when I'm connected via AnyConnect. Not via web, ping, ssh, or anything else.
Thanks.
Sorry about that. It's really simple, just 2 locations, HQ and branch. SD-Wan seems to be up, but since I can't connect to other devices on HQ Lan via AnyConnect, I suspect the SD-Wan users won't be able to either. Unfortunately, the branch is a several hours drive away--I was down there to set things up with ATT tech but couldn't get the next tier of support to help me finish the setup hence me trying myself.
This is roughly what it looks like:
I'm trying to connect to the NAS or http device in HQ from Anyconnect. At the office, plugged directly into the MX95, I can get to them fine. I cannot, however, via AnyConnect. But as mentioned, with AnyConnect connected, I can ping the MX95 and get to its config page in the browser, so that part seems to work OK. I cannot get to the NAS config pages, mount the files/folders, nor get to the http server. Pinging those devices also fails.
Thanks for the reply.
