Site to Site VPN

rickibiza
New here

Hello,

I'm setting up a site to site vpn between two networks under the same organization.

Site A has the 2 MX WANs directly connected to the 2 routers, while site B has the WAN port connected to a load balancer, and the load balancer is connected to the 4 routers we have.

I have this error on site B: "This WAN appliance is behind a VPN-unfriendly NAT, which can be caused by upstream load balancers or strict firewall rules."

The network configuration in site B is: I open the ports I need for my services on the 4 routers, and the load balancer has a port forwarding for ALL the ports (1-65535) to the MX.

I reckon there is something that the Auto VPN site to site doesn't like. Could someone help me please?


Thanks a lot!

alemabrahao
Kind of a big deal

Take a look at this discussion.


https://community.meraki.com/t5/Security-SD-WAN/NAT-Unfriendly/m-p/48968

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
rickibiza
New here

I'm not sure if I get it right: if I choose one public IP I can just use one of my routers. If it fails the VPN will be down. There is no failover with this method.


Thanks

GIdenJoe
Kind of a big deal

Basically you need to tell the VPN registry what public IP and port will always be pointing towards your MX for this to work. This means the MX is not able to contact the registry itself with the IP and port combinations.

In the end you need to have one UDP port configured that always goes to the MX.

[attached screenshot: GIdenJoe_0-1738759830635.png]


rickibiza
New here

OK, thank you!

In this case I don't have any redundancy in case of a problem on that public IP (router issues), and that might be a big problem.

GIdenJoe
Kind of a big deal

Indeed, if you can't share that same IP between multiple routers then your upstream redundancy is non-existent.

It is better to have two upstream circuits tied to both WAN ports, since you can then actually use your SD-WAN features between the sites. Now you're stuck with a single WAN on the second site, which is then load balanced upstream.

Alternatively, if you had a public subnet behind those 4 routers and had them use an FHRP like HSRP/VRRP/GLBP, you could have redundancy and no Auto VPN issues.
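
As an added illustration (not from this thread, and not Meraki code), here is a small Python model of the distinction GIdenJoe describes: the registry has to see one stable public IP:port for the MX, but when a per-flow load balancer spreads the MX's traffic over four routers that each NAT to their own public IP, different registry servers see different addresses; a shared FHRP virtual IP gives them one. The registry server names, addresses, inside port and the round-robin policy are all constructed assumptions.

```python
from collections import defaultdict
from itertools import cycle

# Constructed names: two registry endpoints the MX talks to over UDP.
REGISTRY_SERVERS = ["registry-a", "registry-b"]
MX_INSIDE_PORT = 9350  # constructed inside source port used by the MX


def observe_mappings(router_public_ips, inside_port=MX_INSIDE_PORT,
                     servers=REGISTRY_SERVERS):
    """Simulate what each registry server sees as the source of the MX's
    keepalive when the upstream load balancer hands each new flow to the
    next router (round robin, an assumed policy) and every router NATs to
    its own public IP. Returns (inside_port, server, public_ip, public_port)."""
    routers = cycle(router_public_ips)
    return [(inside_port, server, next(routers), inside_port) for server in servers]


def classify_nat(observations):
    """'endpoint-independent' when every server sees the same public ip:port
    for a given inside port (what Auto VPN needs); otherwise 'symmetric',
    which is the 'VPN-unfriendly NAT' situation."""
    seen = defaultdict(set)
    for inside_port, _server, public_ip, public_port in observations:
        seen[inside_port].add((public_ip, public_port))
    return ("endpoint-independent"
            if all(len(v) == 1 for v in seen.values()) else "symmetric")


def vpn_friendly(observations):
    return classify_nat(observations) == "endpoint-independent"


if __name__ == "__main__":
    # Four routers, each with its own public IP (constructed addresses).
    four_routers = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
    print(classify_nat(observe_mappings(four_routers)))        # symmetric
    # Same four routers sharing one FHRP virtual public IP.
    print(classify_nat(observe_mappings(["198.51.100.10"])))   # endpoint-independent
```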

rickibiza
New here

Yeah, that's a shame. 

Losing the redundancy, the VPN is not 100% reliable.

Thanks a lot, I'll find another solution, maybe skipping the load balancer.

GreenMan
Meraki Employee

My question would be: what's the driver behind wanting four links?
