Site to Site Vpn Strange Issue

fender84
Comes here often

Hello,

 

I am very new to Meraki devices, and I am not a network guy. I just bought 2 MX68W. They will be located in different cities.

All of the clients from City A should be able to ping City B.

City A subnet is like that: 143.161.0.0/24 - MX IP is: 143.161.0.1

City B subnet is like that: 143.161.5.0/24 - MX IP is: 143.161.5.1

The problem is, the devices connected to the Meraki cloud can ping each other, but users are not able to ping from City A to City B.

This is my fourth sleepless night but I still couldn't fix the issue. Could you please support us in this case?

Thank you in advance.

9 Replies
DarrenOC
Kind of a big deal

Hi @fender84

Worth a watch:

https://m.youtube.com/watch?v=xgsPFuye-Ec

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Bruce
Kind of a big deal

When you set up your Site-to-Site AutoVPN (Security & SD-WAN -> Configure -> Site-to-Site VPN) you need to ensure that the local network for each location is set to 'VPN on' under VPN Participation. This effectively allows each MX to tell the other about its local networks.

fender84
Comes here often

Thank you @Bruce and @DarrenOC.

"VPN ON" is already set but I couldn't solve the issue. I added some screenshots below for your reference.

LOCATION A: KAVAK

[Screenshot: fender84_0-1602799916812.png]

[Screenshot: fender84_1-1602799941656.png]

LOCATION B: ORTA

[Screenshot: fender84_2-1602799980487.png]

[Screenshot: fender84_3-1602800013488.png]

If there is another thing to check, please let me know.


Bruce
Kind of a big deal

The configuration looks about right. You should check to see if the VPN is being formed - Security & SD-WAN -> Monitor -> VPN Status. If there is no VPN forming then there is probably something beyond the MX 'blocking' it. And as @GreenMan says, it may also be worth putting a call in to support.

GreenMan
Meraki Employee

Don't forget - assuming you have paid licensing then you have 365-day-per-year, 24 x 7 access to Meraki Support, who will help you troubleshoot. Look at Help > Get help, top right of Dashboard, for the various communications options.

GreenMan
Meraki Employee

It looks like you're using public IP addressing inside your private network - which is pretty unusual. How does this compare to the IP addressing your MXs are using on their WAN/Internet links?

Hi @GreenMan

There are some PLCs and computers on two different sites. These are renewable energy power plant sites.
Their local IPs are like that:

Location A: 143.161.0.XX

Location B: 143.161.5.XX

They said that we can't change the IP addresses of those devices. So that's why I set up the VLAN like that.

VPN STATUS PAGES:

[Screenshot: vpn status.JPG]

[Screenshot: orta vpn.JPG]

[Screenshot: kavak vpn.JPG]

Everything seems good on those pages, but clients are not able to reach the internet; for that reason it is not possible to ping between clients from different sites. It is only possible to ping between the MX appliances.


Hi again,

I solved the issue. The problem was Checkpoint firewall settings. Now the VPN tunnel is working well.

But I want to get info about some topics that are stuck in my mind, and this is important.

Question 1) There are a lot of devices (more than 20) on site A and site B, and they are connected to their own switch.

Is it possible to make a site-to-site VPN for all the devices? The site manager said that they can only give me one cable from their own switch. So I will plug it into the Meraki MX.

Question 2)
Location A: 143.161.0.1/24
Location B: 143.161.5.1/24

is working well. But

Location A: 143.161.0.1/16
Location B: 143.161.5.1/16

did not work. Even the Meraki dashboard didn't accept this IP set. I wonder what the explanation for this is? Is it not possible to make a VPN between /16 sites?

Thank you in advance.
Bruce
Kind of a big deal

Good job on solving the Checkpoint issue.

The reason you couldn’t use the /16 is because if you do then the subnets for both locations end up being 143.161.0.0, and you can’t have that if you want to send traffic between them. (Each octet in an IP address is 8 bits, so a /24 means the first three octets define the subnet, whereas a /16 means only the first two octets define the subnet).

If you’re using a /24 at each site, you have 254 available IP addresses per site, so if you’ve only got 20 devices (even 50) that’s more than enough. The VPN can work for all the devices on the network, but that depends on the routing being set up correctly, and the network segmented properly.
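An added check, not code from the thread or from Meraki, that reproduces Bruce's point with Python's standard ipaddress module: it masks each MX address to its subnet, flags any two sites whose subnets overlap (the /16 case, where both collapse to 143.161.0.0/16 and AutoVPN cannot advertise distinct routes), and counts the 254 usable hosts in a /24. The site names and addresses are the ones from the thread.

```python
from ipaddress import ip_interface, ip_network

# Constructed sample: the two MX LAN addresses from the thread, with each
# prefix length that was tried.
SITES_24 = {"A": "143.161.0.1/24", "B": "143.161.5.1/24"}
SITES_16 = {"A": "143.161.0.1/16", "B": "143.161.5.1/16"}


def site_networks(sites):
    """Map each site name to the subnet its MX address falls in.

    ip_interface() masks off the host bits, so 143.161.5.1/16 becomes
    143.161.0.0/16, the same network as 143.161.0.1/16.
    """
    return {name: ip_interface(addr).network for name, addr in sites.items()}


def overlapping_sites(sites):
    """Return (site, site) pairs whose subnets overlap.

    Every subnet advertised into AutoVPN must be unique; two sites that
    share a network have no distinct route between them.
    """
    nets = site_networks(sites)
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def usable_hosts(cidr):
    """Host addresses in the subnet, excluding network and broadcast."""
    return ip_network(cidr, strict=False).num_addresses - 2


if __name__ == "__main__":
    for label, sites in (("/24", SITES_24), ("/16", SITES_16)):
        nets = {k: str(v) for k, v in site_networks(sites).items()}
        print(label, nets, "overlap:", overlapping_sites(sites))
    print("usable hosts per /24:", usable_hosts("143.161.0.1/24"))
```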
