Site-To-Site VPN Missing Servers

Solved
AGworking
Just browsing

Site-To-Site VPN Missing Servers

We have a new site-to-site vpn between two Meraki MX64 routers in different cities with auto nat transversal and both networks on hub mode for the site to site vpn. The Meraki vpn firewalls are set at default "Allow" on all fields for both sites. The Meraki dashboard shows all is well with both sites connection-wise. The vpn allows file share connections and pinging by ip address to desktop shares (dns isn't working, but that's not essential) from one site to another, but all servers and server shares at the main site are inaccessible by ping or any other means. We've turned off server firewalls at the primary site and every other thing we can think of, but they remain invisible to the other site. Any ideas?
1 Accepted Solution
timeshimanshu
Getting noticed

Hi,

 

I believe the server gateway is misconfigured. though you are on the same subnet thus it doesn't required any gateway to communicate within the same VLAN and on the other network it required a gateway which tells it the path to reach on other network.

Try to check your server gateway either the gateway is not there or it is misconfigured.

 

check your desktop gateway and configure the same on server end it should work. if you have firewall disabled at server end

View solution in original post

11 Replies 11
Raj66
Meraki Employee
Meraki Employee

@AGworkingCan you packet capture on both the MXs while the ping is going on and see where the traffic is dropping. I would take packet captures on both LAN and VPN interfaces on both the firewalls and check for the corresponding traffic in there. This will give you visibility as to where the traffic is missing and we can troubleshoot accordingly.

 

Cheers!

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
AjitKumar
Head in the Cloud

Hi,

Are your servers on the same subnet / vlan as desktops?

Are your servers pingable in LAN at Main Site?

 

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
AGworking
Just browsing

The servers and desktops are on the same vlan and subnet at the main site. The servers-from the main site where they are located-are pingable and all file shares are reachable at the main site. The servers at the main site are on a different subnet and vlan than those desktops at the remote site.
AjitKumar
Head in the Cloud

Hi,

This is what I understand

 

I have Main site "A" with a subnet say (192.168.1.0/24). All Servers and Desktops belong to same subnet.

I have Branch site "B" with a subnet say (192.168.2.0/24). All Desktops belong to same same subnet.

 

Site "B" can Ping all the Desktops except servers.

If this is True... Ideally issue seems to be on site "A"

 

1. Firewall on the Server (Which are disabled as suggested)

2. ARP Table (Could you please verify under Security & SD WAN -> Tools -> ARP Table). Not Sure though as your LAN can ping.

 

 

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
AGworking
Just browsing

Hi Ajit, Yes, your description is correct. It's something with the severs at the main site (Site A). Arp table for main site (site A) shows all servers.
Raj66
Meraki Employee
Meraki Employee

Thanks to @AjitKumar for the Analogy. using the same, can you ping the servers at site A from a desktop in a different VLAN in the same site? Did you verify if the servers have a correct default gateway configured with correct subnet information? Also, Can you ping the desktops at site B from the servers at site A? If you do a traceroute, where is it getting dropped?

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
PhilipDAth
Kind of a big deal
Kind of a big deal

Any software firewalls in play?

 

Try disabling Windows Firewall.

Try disabling any antivirus firewall.

AGworking
Just browsing

All disabled.
BlakeRichardson
Kind of a big deal
Kind of a big deal

Assuming this is a windows server -  Is your network profile set to domain and not public?

 

 

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
timeshimanshu
Getting noticed

Hi,

 

I believe the server gateway is misconfigured. though you are on the same subnet thus it doesn't required any gateway to communicate within the same VLAN and on the other network it required a gateway which tells it the path to reach on other network.

Try to check your server gateway either the gateway is not there or it is misconfigured.

 

check your desktop gateway and configure the same on server end it should work. if you have firewall disabled at server end

AGworking
Just browsing

You were right about the server gateway. All the servers had static ip info set long ago on to the original router and internet connection (we have two). The Meraki is on a second internet connection, but I totally forgot about changing the server default gateway to point to the new Meraki router. Once I did that, everything (except dns and I think I've got how to fix that) worked. Thanks a bunch to everybody for knocking the cobwebs loose so I could get this working finally.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels