Hi,
We have just received a new set of Meraki hardware to be deployed across two sites. Both networks are freshly created and each is just a single native VLAN with no L3 or L7 walls. Both sites are to be connected by a Meraki site-to-site VPN.
SITE/NETWORK A - Factory (192.168.128.0/24 - MX IP 192.168.128.1)
1 x MX84
SITE/NETWORK B - Packing (192.168.15.0/24 - MX IP 192.168.15.1)
1 x MX68
1 x MR33
We are workshopping this setup now with both sites connected to the internet behind separate NAT firewalls: SITE B is behind a USB 4G cell modem and SITE A is behind a DSL modem. With site-to-site enabled on both networks we get a successful VPN registry and NAT friendly traversal - happy days. However, for some reason PCs connected to either MX can't communicate with ones on the other MX. Both MXs can ping each other's internal LAN IP addresses using the Appliance status > Tools page > ping tool, and this stops working if I "un-export" either subnet on either MX, which leads me to think data is passing. Both MXs can't ping clients on the other's network, except for the MX84 at SITE A, which can ping the MR33 at SITE B.
At this point I don't really see what else to try; as mentioned earlier, both networks are freshly created with next to no changes apart from the S2S VPN settings.
Could it be that both MXs are behind NAT and this is causing issues with data passing? However, both MXs and networks report successful VPN connectivity.
I should also mention that I'm not onsite right now and am performing these configurations and tests remotely. I won't be onsite until later this week for deployment - at an industrial farm off the beaten track - so I'd like to see if anyone has seen this before. When we do go to site to install the MX84, it will no longer be behind a NAT, leaving only the MX67 to be behind the USB 4G modem NAT.
Thanks in advance for any info.
Jason