Site to Site VPN

Conversationalist

Site to Site VPN

I have recently set up a site-to-site VPN for two facilities. I set both sites as a mesh hub. The problem that I cannot seem to figure out is that site A is able to ping site B computers, but site B cannot ping site A computers. I can ping either MX64 from both sites, but not the computers connected to them. I am using two MX64 security appliances.

10 REPLIES
A model citizen

Re: Site to Site VPN

What do your Site-to-site VPN firewall rules look like?

Conversationalist

Re: Site to Site VPN

I left it as the default rule to try to get it to work before I implemented any rules. So outbound and inbound are set to Allow Any Any Any, etc.

A model citizen

Re: Site to Site VPN

You could try some pcaps at the LAN on both sides, the VPN interface on the MX(s), etc. That should help you identify where it is failing.

Have you considered that the client in site A is just not responding to ping requests? Maybe even try to ping a computer from site A from the site A MX?

Kind of a big deal

Re: Site to Site VPN

Is it just a Windows Firewall thing?

Kind of a big deal

Re: Site to Site VPN

I'm with @jdsilva - I bet it is Windows firewall.

Meraki Employee

Re: Site to Site VPN

I'm thinking the same. When you're on the Security Appliance > Monitor > Status page, click on the Tools tab and run a ping command from each MX to the LAN interface IP of the other MX. Start there, then move on to pinging the actual hosts: first locally from each MX on its own local VLAN to a directly connected host, and then over the VPN.

Conversationalist

Re: Site to Site VPN

I ran a couple of pings using the MX Ping command. From the site B MX I am able to ping any device in the local network, and I am also able to ping any device in the site A network from the site B MX. From the site A MX I am able to ping any device in the local network, but I am only able to ping network devices (switches, access points) from site B. I have disabled Windows Firewall and the same thing is happening.

Conversationalist

Re: Site to Site VPN

I just ran the ping again with the firewall disabled and it went through. With Windows Firewall disabled, the ping works from any device to any device. Now I just need to know what to allow through the firewall for it to work all the time with the firewall enabled.

Meraki Employee

Re: Site to Site VPN

Sounds like you've found the root cause; now you just need the workaround. Might it be some other third-party firewall as opposed to the Windows firewall itself? If not, and it's the Windows firewall, it tends to block ICMP traffic by default. You'll likely need to allow inbound ICMP echo requests; the replies will likely go out naturally, but you'll need to allow the inbound pings.
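The fix described in the reply above, allowing inbound ICMPv4 echo requests on the Windows hosts at site A, written out as an added PowerShell example. This is not code from the thread or from Meraki; it uses the built-in NetSecurity cmdlets and assumes a placeholder peer-site subnet (`10.20.0.0/24`) that you would replace with the other site's real LAN subnet. Scoping the allow rule to that subnet lets the VPN pings through without making the host answer pings from every network.

```powershell
# Added example (not from this thread): allow inbound ICMPv4 echo requests on a
# Windows host so it answers pings arriving over the site-to-site VPN.
# Run in an elevated PowerShell session on the host that is not replying.
# The remote-site subnet is a constructed placeholder; use the peer site's LAN subnet.

$RemoteSiteSubnet = '10.20.0.0/24'   # assumption: LAN subnet of the other site
$RuleName         = 'Allow ICMPv4 Echo from VPN peer site'

# 1. List enabled inbound rules that already cover ICMPv4 echo requests (type 8).
#    Windows ships "File and Printer Sharing (Echo Request - ICMPv4-In)", which is
#    often disabled on the Domain/Public profile, so the host silently drops pings.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'ICMPv4' -and ($pf.IcmpType -eq 8 -or $pf.IcmpType -eq 'Any')
    } |
    Select-Object DisplayName, Profile, Action

# 2. Create a scoped allow rule only if one with this name does not exist yet.
#    Restricting -RemoteAddress to the peer subnet is the least-privilege option:
#    hosts on the VPN can ping, everything else keeps hitting the default block.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound `
        -Protocol ICMPv4 `
        -IcmpType 8 `
        -RemoteAddress $RemoteSiteSubnet `
        -Profile Any `
        -Action Allow | Out-Null
    Write-Host "Created rule '$RuleName' for $RemoteSiteSubnet"
} else {
    Write-Host "Rule '$RuleName' already exists"
}

# 3. Confirm the rule is enabled and see which profile the VPN-facing NIC is on,
#    since a rule bound to the wrong profile will not apply.
Get-NetFirewallRule -DisplayName $RuleName |
    Format-List DisplayName, Enabled, Direction, Action, Profile
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
```

If a third-party security product is managing the host firewall, as the later reply about Symantec notes, the Windows rule may be shadowed by that product's own ICMP policy, so check there too when the ping still fails after the rule is in place.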

Getting noticed

Re: Site to Site VPN

Is your AV the same at both sites and managed the same way? We use Symantec, which blocks ICMP packets by default. But each site was managed separately. One was adjusted to allow ICMP, one wasn't. Not sure what your deployments look like, but it seems like something is not uniform.