Site to Site VPN

JJhow
Conversationalist

I have recently set up a site-to-site VPN for two facilities. I set both sites as a mesh hub. The problem that I cannot seem to figure out is that site A is able to ping site B computers, but site B cannot ping site A computers. I can ping either MX64 from both sites, but not the computers connected to them. I am using two MX64 security appliances.

MacuserJim
A model citizen

What do your Site-to-site VPN firewall rules look like?

JJhow
Conversationalist

I left it as the default rule to try to get it to work before I implemented any rules. So outbound and inbound are set to Allow Any Any Any etc...

You could try some pcaps at the LAN on both sides, the VPN interface on the MX(s), etc. That should help you identify where it is failing.

Have you considered that the client in site A is just not responding to ping requests? Maybe even try to ping a computer from site A from the site A MX?

jdsilva
Kind of a big deal

Is it just a Windows Firewall thing?

PhilipDAth
Kind of a big deal

I'm with @jdsilva - I bet it is Windows firewall.

I'm thinking the same. When you're on the Security Appliance > Monitor > Status page, click on the Tools tab and run a ping command from each MX to the LAN interface IP of the other MX. Start there, then move on to pinging the actual hosts: first locally from each MX on its own local VLAN to a directly connected host, and then over the VPN.

JJhow
Conversationalist

I ran a couple of pings using the MX Ping command. From the site B MX I am able to ping any device in the local network, and I am also able to ping any device in the site A network from the site B MX. From the site A MX I am able to ping any device in the local network, but I am only able to ping network devices (switches, access points) from site B. I have disabled Windows Firewall and the same thing is happening.

JJhow
Conversationalist

I just ran the ping again with the firewall disabled and it went through. With the Windows Firewall disabled, the ping works from any device to any device. Now I just need to know what to allow through the firewall for it to work all the time with the firewall enabled.

Sounds like you've found the root cause; now you just need the workaround. Might it be some other 3rd-party firewall as opposed to the Windows Firewall itself? If not, and it's the Windows Firewall, it tends to block ICMP traffic by default. You'll likely need to allow inbound ICMP echo requests; the replies will likely go out naturally, but you'll need to allow the inbound pings.
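One way to do what the reply above describes on the site A hosts, as an added example that is not part of this thread: check whether any enabled inbound rule already allows ICMPv4, then add a rule that permits echo requests only from the remote site's LAN rather than from anywhere. The subnet values are placeholders, not taken from the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on a site A host.
# Assumes the site B LAN is 10.20.0.0/24 (placeholder); replace with your real subnet.
$RemoteSiteLan = '10.20.0.0/24'

# 1. Is there already an enabled inbound rule allowing ICMPv4? If nothing is listed,
#    inbound echo requests are being dropped by the default inbound policy.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Profile

# 2. Allow only ICMPv4 echo requests (type 8), and only from the peer site over the VPN,
#    instead of opening ICMP to every source.
New-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo Request from Site-to-Site VPN' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $RemoteSiteLan -Profile Domain,Private -Action Allow

# 3. Confirm the new rule is present and enabled.
Get-NetFirewallRule -DisplayName 'Allow ICMPv4 Echo Request from Site-to-Site VPN' |
    Select-Object DisplayName, Enabled, Direction, Action
```

After this, re-run the ping from a site B host (or from the site B MX Tools tab) to the site A host; the rule applies to the Domain and Private profiles, so a host whose VPN-facing adapter is on the Public profile would still drop the request.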

TimBisel
Getting noticed

Is your AV the same at both sites and managed the same way? We use Symantec, which blocks ICMP packets by default. But each site was managed separately. One was adjusted to allow ICMP, one wasn't. Not sure what your deployments look like, but it seems like something is not uniform.