Site to Site Vpn Strange Issue

fender84
Comes here often

Site to Site Vpn Strange Issue

Hello,

 

I am very new with meraki devices. Also I am not network guy. I just bought 2 mx68w.  They will be located in different cities.

 

All of the clients from City A should be able to ping to City B.

 

City A subnet is like that: 143.161.0.0/24   - MX IP is: 143.161.0.1

 

City B subnet is like that: 143.161.5.0/24  - MX IP is: 143.161.5.1

 



 The problem is, devices connected to meraki cloud, they can ping eachother but users are not able to ping from city a to city B.

 

This is my fourth sleepless night but i still couldnt fix the issue. Could you please support us in this case?

 

Thank you in advance. 

 

 

9 Replies 9
DarrenOC
Kind of a big deal
Kind of a big deal

Hi @fender84 

 

Worth a watch:

 

https://m.youtube.com/watch?v=xgsPFuye-Ec

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Bruce
Kind of a big deal

When you setup your Site-to-Site AutoVPN (Security & SD-WAN -> Configure -> Site-to-Site VPN) you need to ensure that the local network for each location is set to 'VPN on' under VPN Participation. This effectively allows each MX to tell the other about its local networks.

fender84
Comes here often

Thank you @Bruce  and @DarrenOC .

"VPN ON" is already set buy I couldnt solve the issue. I added some screenshots below for your reference. 

LOCATION A: KAVAK


fender84_0-1602799916812.png



fender84_1-1602799941656.png



LOCATION B: ORTA

fender84_2-1602799980487.pngfender84_3-1602800013488.png



If there is an another thing to check, please let me know. 

 

Bruce
Kind of a big deal

The configuration looks about right, you should check to see if the VPN is being formed - Security & SD-WAN -> Monitor -> VPN Status. If there is no VPN forming then there is probably something beyond the MX 'blocking' it. And as @GreenMan says, it may also be worth putting a call in to support. 

GreenMan
Meraki Employee
Meraki Employee

Don't forget - assuming you have paid licensing then you have 365-day per year, 24 x 7 access to Meraki Support, who will help you troubleshoot.  Look at Help > Get help, top right of Dashboard, for the various communications options

GreenMan
Meraki Employee
Meraki Employee

It looks like you're using Public IP addressing inside your private network - which is pretty unusual.   How does this compare to the IP addressing your MXs are using on their WAN/Internet links?

fender84
Comes here often

Hi @GreenMan 

There are some PLC and computers on two different sites. These are renewable energy power plant sites.
Their local IPs are like that:

Location A: 143.161.0.XX    

Location B: 143.161.5.XX 

They said that we can't change the IP addresses of that devices. So that's why I set up vlan like that.

VPN STATUS PAGES:

vpn status.JPG


---

orta vpn.JPG
---

kavak vpn.JPG

Everything seems good on that pages but clients are not able to reach to internet for that reason it is not possible to ping between clients from different sites. It is only possible to ping between mx appliances

 
fender84
Comes here often

Hi again,
 
I solved the issue. The problem was checkpoint firewall settings. Now vpn tunnel is working good.
 
But I want to get info about some topics that is stuck in my mind and this is important.

Question 1) There are a lot of devices(more then 20) on site A  and site B and they are connected to their own switch.

Is it possible to make a site to site vpn for whole devices? Site manager said that they can only give me one cable from their own switch. So i will plug it to meraki mx.

Question 2)
Location A: 143.161.0.1/24    
Location B: 143.161.5.1/24   
 
Is working good. But,

Location A: 143.161.0.1/16   
Location B: 143.161.5.1/16   

Did not work. Even meraki dashboard didn't accept this IP set. I wonder what is the explanation of this? Is it not possible to make a vpn between /16 sites?

Thank you in advance.
Bruce
Kind of a big deal

Good job on solving the Checkpoint issue.

 

The reason you couldn’t use the /16 is because if you do then the subnets for both locations end up being 143.161.0.0, and you can’t have that if you want to send traffic between them. (Each octet in an IP address is 8 bits, so a /24 means the first three octets define the subnet, whereas a /16 means only the first two octets define the subnet).

 

If you’re using a /24 at each site, you have 254 available IP addresses per site, so if you’ve only got 20 devices (even 50) that’s more than enough. The VPN can work for all the devices on the network, but that depends on the routing being setup correctly, and the network segmented properly.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels