Set up hub & spoke with existing local LAN IP; cannot access lan after connecting with AnyConnect

Solved
from_afar
Building a reputation


Hi all,

Sorry for what is surely a lame/newbie post, but I got Meraki SD-WAN via AT&T and after 2 months I just got things installed but cannot seem to get them to help me finish the setup. I'm desperate here as I have to go live with this on Monday and I am close but can't get the last bit of the way there. I have an MX95 at HQ with existing LAN IP 192.168.11.0/24. At our other office they installed an MX68. I managed to get the two connected via Hub and Spoke with HQ being hub, and second location the spoke. I can also connect to HQ via AnyConnect. I think the issue might be that our HQ has an existing IP and I can't just change everything to DHCP (planning on passing DHCP requests to the domain controller which handles DHCP now) and I'm not configuring something right.

I have set the HQ MX95 with these settings:

Note: all IPv6 is disabled/not configured

Addressing and VLANs

Mode: Routed

Client tracking: MAC address

Routing

Lan Setting: Single LAN

LAN Config

Single LAN Settings | Version 4 | VLAN Interface IP 192.168.11.1/23 | Uplink Any | VPN Mode Disabled

No static routes

DHCP Server: Run DHCP Server (running for now just to test; again, plan to offload DHCP to Windows Server once things are working)

Firewall: default/empty. No port forwarding, no 1:1 NAT, no 1:many NAT, no Bonjour. IP source address spoofing protection: Block

Site-to-site VPN

Main subnet: VPN mode disabled, subnet 192.168.10.0/23, uplink any

AnyConnect VPN: VPN mode enabled, subnet 192.168.12.1/24, uplink <blank>

NAT traversal: automatic

No custom site-to-site outbound firewall rules

Routing: BGP not available, OSPF disabled

Client VPN

IPsec disabled

AnyConnect Settings enabled

Authentication is Meraki Cloud for now just to make things easier. As mentioned, I can connect to the VPN fine it seems. When connected I can ping the Meraki local IP 192.168.11.1 fine, but can't ping any of the other couple of devices plugged into the MX95 for testing (note: when plugged directly into the MX95 itself with a laptop, I can access those devices fine).

AnyConnect VPN subnet 192.168.12.1/24

Client Routing: Send all client traffic through VPN

Dynamic Client Routing: Disable Dynamic Split tunneling

Session timeout: None

Default Group Policy: No Group Policy

SD-WAN & Traffic Shaping

Primary Uplink WAN1

Load Balancing: disabled

Active-Active AutoVPN: Enabled

Flow preferences: any any any any WAN1 (I need this for various reasons)

SD-Wan policies: Prefer WAN1. Fail over if uplink down

Traffic shaping rules: none

I think those are all of the relevant settings. It feels like it might be that the VPN client is getting a 192.168.12.x address and the devices behind the MX95 are 192.168.11.x, but maybe Meraki does some magic to handle the translation? I set the main subnet to 192.168.10.0/23 since it would cover the 192.168.11.x addresses and give me some more address space since we're running low on the 192.168.11.0/24 subnet, but I may be doing that wrong as well?

I did run a packet capture while the VPN was connected and I tried accessing the web page of one of the devices connected to the MX95 (it is a NAS device with a web config page). I can see the attempts to contact the NAS with a SYN and then a ton of retransmissions and never any ACK or other replies, so something is blocking the connection obviously.

Any ideas on where I can look or what I can try would be much appreciated. I tried searching for "Meraki SD-WAN existing LAN IP" but that and other attempts mostly just surfaced issues with WAN IPs.

Here is roughly what the setup looks like:

[image: lan.png (network diagram)]

HQ has a bunch of devices running on the 192.168.11.x subnet and I'm testing the MX95 using that IP so once I get things working I can just switch over from our current firewall.

I suppose a simpler way of asking the question is: if I have an existing network 192.168.11.0/24, how would I set up the hub and spoke and AnyConnect IPs so that the AnyConnect and spoke machines can reach the devices on the 192.168.11.x subnet? I have 2 test devices plugged into the MX95, a NAS and an HTTP server. I can reach both if I'm plugged directly into the MX95. I can ping them from the Meraki dashboard. However, I cannot access them when I'm connected via AnyConnect. Not via web, ping, SSH, or anything else.

Thanks.


9 Replies
alemabrahao
Kind of a big deal

If you could give an example with a simple topology it would be easier to understand. Lots of information but nothing really explanatory.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

from_afar
Building a reputation

Sorry about that. It's really simple, just 2 locations, HQ and branch. SD-WAN seems to be up, but since I can't connect to other devices on the HQ LAN via AnyConnect, I suspect the SD-WAN users won't be able to either. Unfortunately, the branch is a several hours' drive away. I was down there to set things up with the AT&T tech but couldn't get the next tier of support to help me finish the setup, hence me trying myself.

This is roughly what it looks like:

[image: lan.png (network diagram)]

I'm trying to connect to the NAS or HTTP device in HQ from AnyConnect. At the office, plugged directly into the MX95, I can get to them fine. I cannot, however, via AnyConnect. But as mentioned, with AnyConnect connected, I can ping the MX95 and get to its config page in the browser, so that part seems to work OK. I cannot get to the NAS config pages, mount the files/folders, nor get to the HTTP server. Pinging those devices also fails.

Thanks for the reply. 

Ryan_Miles
Meraki Employee

Not sure if your diagram and original post have typos or if you're just giving example IPs. Your HQ site is subnet 192.168.111.1/23. But you're mentioning a 192.168.11.x subnet?

Your VPN client gets an IP on subnet 192.168.112.0/24.

If you do actually have a 192.168.11.x subnet at HQ it's not on the MX and would exist on some other router device we're not aware of. And the MX would need a route to that device (and that device a route back to the MX).

Ryan

from_afar
Building a reputation

Yes, sorry, typo in the image, fixed now. Dealing with 192.168.11.x and 192.168.12.x. I don't see the 112.0/24 though?

from_afar
Building a reputation


@Ryan_Miles wrote:

Not sure if your diagram and original post have typos or if you're just giving example IPs. Your HQ site is subnet 192.168.111.1/23. But you're mentioning a 192.168.11.x subnet?

Your VPN client gets an IP on subnet 192.168.112.0/24.

If you do actually have a 192.168.11.x subnet at HQ it's not on the MX and would exist on some other router device we're not aware of. And the MX would need a route to that device (and that device a route back to the MX).


My existing network has that address space, so I'm testing things now using that address so I can plug the MX95 into the existing infrastructure and have things work. Is there a better way to do things? I already have Windows DHCP and a ton of stuff using that address space, so changing things over would be a nightmare... If I used some other IP address, would I have to create routes to all of the existing devices on the network?

I also noticed that from the Meraki dashboard I can ping the NAS and http server, so it seems like a routing issue. 

Ryan_Miles
Meraki Employee

On the hub your network 192.168.110.0/23 is set for VPN mode disabled. Given it's the hub I'm assuming you need to reach resources in that network over VPN and should have it set to enabled so the spoke can reach it.

But as @alemabrahao mentioned, it's not entirely clear to me what the actual issue is you're trying to resolve or troubleshoot.

Oh, and your spoke has AnyConnect VPN enabled with a client subnet of 192.168.111.1/24. But your hub LAN is 192.168.111.1/23, which overlaps.

There would be no translation occurring in this config. This is all layer 3 routing (over VPN).

Ryan

from_afar
Building a reputation

Thanks for the reply. I understand it is a lot of info and I did a bad job explaining. I didn't see a way to attach an image when creating the post, but added one to the above reply showing the layout. I don't think I gave the settings for the spoke network, just HQ and AnyConnect since that's what I'm trying to troubleshoot at the moment (assuming if AnyConnect works, hopefully the spoke will too).

from_afar
Building a reputation

Also, I did try setting VPN to enabled but get the same result, unfortunately.

I suppose a simpler way of asking the question is: if I have an existing network 192.168.11.0/24, how would I set up the hub and spoke and AnyConnect IPs so that the AnyConnect and spoke machines can reach the devices on the 192.168.11.x subnet?

from_afar
Building a reputation

As it turns out, I had the devices set with a different default gateway than the LAN ip the MX was using. Changing the default gateway (or the LAN IP) fixed the issue. Thanks to @Ryan_Miles for the help!
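The root cause above (LAN hosts pointing at a different default gateway than the MX LAN IP) and Ryan's two earlier points (no translation is done, so the VPN pool and the hub LAN must not overlap, and each side needs a route back) can be checked mechanically before cutover. The script below is an added example, written for this thread; it is not code from the original posts or from Meraki. It models plain layer-3 routing between an AnyConnect client, the MX LAN interface and the hosts on that LAN, and reproduces the symptom from the packet capture: a SYN that is never answered because the host's SYN-ACK is handed to the wrong gateway. The hub interface 192.168.11.1/23 and the 192.168.12.0/24 client pool come from the thread; the spoke subnet, the host addresses and the old firewall's address 192.168.11.254 are assumptions.

```python
"""Address-plan and return-path checker for a hub MX LAN with AnyConnect clients.

Added example, not from the thread or from Meraki. It models plain L3 routing
(no NAT) between a VPN client, the MX LAN interface and hosts on that LAN, and
flags the two configuration faults discussed: overlapping subnets, and a LAN
host whose default gateway is not the MX, so its SYN-ACK never reaches the VPN.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# From the thread: hub MX95 "VLAN Interface IP" and the AnyConnect client pool.
HUB_LAN = ipaddress.ip_interface("192.168.11.1/23")      # network 192.168.10.0/23
ANYCONNECT_POOL = "192.168.12.0/24"
# Assumed branch (spoke) LAN; the post never states the MX68 subnet.
SPOKE_LAN = "192.168.20.0/24"


@dataclass(frozen=True)
class LanHost:
    name: str
    iface: str      # address/prefix as configured on the host, e.g. "192.168.11.50/24"
    gateway: str    # the host's own default gateway


def overlapping_subnets(hub: ipaddress.IPv4Interface, others: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of names whose subnets overlap. AutoVPN and AnyConnect
    route between these subnets without translation, so all must be disjoint."""
    nets = {"hub LAN": hub.network}
    nets.update({name: ipaddress.ip_network(cidr) for name, cidr in others.items()})
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def return_path(host: LanHost, hub: ipaddress.IPv4Interface, remote: str) -> Tuple[bool, str]:
    """Decide whether host's reply to `remote` (a VPN client address) reaches the MX.

    A host hands off-subnet traffic to its default gateway, so the reply enters
    the tunnel only if that gateway is the MX LAN IP. If `remote` looks on-link
    to the host (an overlapping VPN pool), it ARPs for it instead and never routes.
    """
    h = ipaddress.ip_interface(host.iface)
    gw = ipaddress.ip_address(host.gateway)
    peer = ipaddress.ip_address(remote)
    if h.ip not in hub.network:
        return False, f"{host.name}: {h.ip} is outside the MX LAN {hub.network}"
    if peer in h.network:
        return False, f"{host.name}: treats {peer} as on-link (pool overlaps {h.network}); ARPs instead of routing"
    if gw not in h.network:
        return False, f"{host.name}: gateway {gw} is not reachable on {h.network}"
    if gw != hub.ip:
        return False, f"{host.name}: gateway {gw} is not the MX {hub.ip}; reply to {peer} goes to another router"
    return True, f"{host.name}: reply to {peer} is routed via the MX {hub.ip}"


def capture_at_mx(client: str, host: LanHost, hub: ipaddress.IPv4Interface = HUB_LAN,
                  attempts: int = 3) -> List[str]:
    """Segments a packet capture on the MX LAN side would show for a TCP connect
    from the VPN client: a full handshake when the return path is right,
    otherwise only the client's SYN retransmissions (the symptom in the thread)."""
    ok, _ = return_path(host, hub, client)
    return ["SYN", "SYN-ACK", "ACK"] if ok else ["SYN"] * attempts


def audit(hosts: List[LanHost], client: str = "192.168.12.10") -> List[str]:
    """Human-readable findings: subnet overlaps for the whole plan, then each
    host's return path toward the given VPN client address."""
    findings = [f"OVERLAP: {a} and {b}" for a, b in
                overlapping_subnets(HUB_LAN, {"AnyConnect pool": ANYCONNECT_POOL,
                                              "spoke LAN": SPOKE_LAN})]
    for host in hosts:
        ok, why = return_path(host, HUB_LAN, client)
        findings.append(("OK   " if ok else "FAIL ") + why)
    return findings


# Constructed test hosts (assumed addresses): the NAS still points at the old
# firewall as its gateway, the HTTP server already points at the MX.
SAMPLE_HOSTS = [
    LanHost("NAS", "192.168.11.50/24", "192.168.11.254"),
    LanHost("HTTP server", "192.168.11.60/24", "192.168.11.1"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_HOSTS):
        print(line)
    print("NAS capture:", capture_at_mx("192.168.12.10", SAMPLE_HOSTS[0]))
```

Run it as-is and the NAS row reports FAIL with a SYN-only capture while the HTTP server completes the handshake; change the NAS gateway to 192.168.11.1 (or point the hosts at whatever address the MX LAN interface actually has) and both pass. Feed it the real host table from the existing DHCP scope before cutover and every host whose gateway still names the old firewall shows up as a FAIL line.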
