Site to Site Vpn Strange Issue

fender84
Comes here often


Hello,

 

I am very new to Meraki devices. Also, I am not a network guy. I just bought 2 MX68W. They will be located in different cities.

 

All of the clients from City A should be able to ping to City B.

 

City A subnet is like that: 143.161.0.0/24   - MX IP is: 143.161.0.1

 

City B subnet is like that: 143.161.5.0/24  - MX IP is: 143.161.5.1

 



The problem is, the devices are connected to the Meraki cloud and can ping each other, but users are not able to ping from City A to City B.

 

This is my fourth sleepless night but I still couldn't fix the issue. Could you please support us in this case?

 

Thank you in advance. 

 

 

9 REPLIES 9
UCcert
Kind of a big deal

Re: Site to Site Vpn Strange Issue

Hi @fender84 

 

Worth a watch:

 

https://m.youtube.com/watch?v=xgsPFuye-Ec

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Bruce
Head in the Cloud

Re: Site to Site Vpn Strange Issue

When you set up your Site-to-Site AutoVPN (Security & SD-WAN -> Configure -> Site-to-Site VPN) you need to ensure that the local network for each location is set to 'VPN on' under VPN Participation. This effectively allows each MX to tell the other about its local networks.

fender84
Comes here often

Re: Site to Site Vpn Strange Issue

Thank you @Bruce  and @UCcert .

"VPN ON" is already set but I couldn't solve the issue. I added some screenshots below for your reference.

LOCATION A: KAVAK


fender84_0-1602799916812.png



fender84_1-1602799941656.png



LOCATION B: ORTA

fender84_2-1602799980487.png

fender84_3-1602800013488.png



If there is another thing to check, please let me know.

 

GreenMan
Meraki Employee

Re: Site to Site Vpn Strange Issue

Don't forget - assuming you have paid licensing then you have 365-day per year, 24 x 7 access to Meraki Support, who will help you troubleshoot.  Look at Help > Get help, top right of Dashboard, for the various communications options

Bruce
Head in the Cloud

Re: Site to Site Vpn Strange Issue

The configuration looks about right, you should check to see if the VPN is being formed - Security & SD-WAN -> Monitor -> VPN Status. If there is no VPN forming then there is probably something beyond the MX 'blocking' it. And as @GreenMan says, it may also be worth putting a call in to support. 

GreenMan
Meraki Employee

Re: Site to Site Vpn Strange Issue

It looks like you're using Public IP addressing inside your private network - which is pretty unusual.   How does this compare to the IP addressing your MXs are using on their WAN/Internet links?

fender84
Comes here often

Re: Site to Site Vpn Strange Issue

Hi @GreenMan 

There are some PLCs and computers on two different sites. These are renewable energy power plant sites.
Their local IPs are like this:

Location A: 143.161.0.XX    

Location B: 143.161.5.XX 

They said that we can't change the IP addresses of those devices. So that's why I set up the VLAN like that.

VPN STATUS PAGES:

vpn status.JPG


---

orta vpn.JPG
---

kavak vpn.JPG

Everything seems good on those pages, but clients are not able to reach the internet, and for that reason it is not possible to ping between clients from different sites. It is only possible to ping between MX appliances.

 
fender84
Comes here often

Re: Site to Site Vpn Strange Issue

Hi again,
 
I solved the issue. The problem was the Checkpoint firewall settings. Now the VPN tunnel is working well.
 
But I want to get info about some topics that are stuck in my mind, and this is important.

Question 1) There are a lot of devices (more than 20) on site A and site B and they are connected to their own switch.

Is it possible to make a site-to-site VPN for all of the devices? The site manager said that they can only give me one cable from their own switch. So I will plug it into the Meraki MX.

Question 2)
Location A: 143.161.0.1/24    
Location B: 143.161.5.1/24   
 
Is working good. But,

Location A: 143.161.0.1/16   
Location B: 143.161.5.1/16   

Did not work. Even the Meraki dashboard didn't accept this IP set. I wonder what the explanation for this is. Is it not possible to make a VPN between /16 sites?

Thank you in advance.
Bruce
Head in the Cloud

Re: Site to Site Vpn Strange Issue

Good job on solving the Checkpoint issue.

 

The reason you couldn’t use the /16 is because if you do then the subnets for both locations end up being 143.161.0.0, and you can’t have that if you want to send traffic between them. (Each octet in an IP address is 8 bits, so a /24 means the first three octets define the subnet, whereas a /16 means only the first two octets define the subnet).

 

If you’re using a /24 at each site, you have 254 available IP addresses per site, so if you’ve only got 20 devices (even 50) that’s more than enough. The VPN can work for all the devices on the network, but that depends on the routing being set up correctly, and the network segmented properly.
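
Added example, not part of the original posts: a pre-check for the /24 versus /16 situation described above, using Python's standard `ipaddress` module on the addresses quoted in the thread. It goes one step beyond the reply by also showing that a client with a /16 mask treats the other site as on-link and never forwards the traffic to its gateway; the client addresses `.10` and `.20` and all function names are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Interface addresses quoted in the thread; the site labels "A" and "B" are the thread's.
SITES_24 = {"A": "143.161.0.1/24", "B": "143.161.5.1/24"}
SITES_16 = {"A": "143.161.0.1/16", "B": "143.161.5.1/16"}


def site_networks(sites):
    """Mask off the host bits of each interface address to get its subnet."""
    return {name: ipaddress.ip_interface(addr).network for name, addr in sites.items()}


def find_overlaps(sites):
    """Return (site, site, subnet, subnet) for every pair of overlapping subnets."""
    nets = sorted(site_networks(sites).items())
    return [(a, b, str(na), str(nb))
            for (a, na), (b, nb) in combinations(nets, 2)
            if na.overlaps(nb)]


def leaves_local_subnet(src_interface, dst_ip):
    """True if a host configured as src_interface forwards dst_ip to its gateway."""
    src = ipaddress.ip_interface(src_interface)
    return ipaddress.ip_address(dst_ip) not in src.network


def usable_hosts(prefix):
    """Host addresses in an IPv4 subnet, excluding network and broadcast."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses - 2


if __name__ == "__main__":
    for label, sites in (("/24", SITES_24), ("/16", SITES_16)):
        print(label, "subnets:", {k: str(v) for k, v in site_networks(sites).items()})
        print(label, "overlaps:", find_overlaps(sites) or "none")
    # Constructed client addresses: .10 at site A, .20 at site B.
    print("/24 client sends to gateway:", leaves_local_subnet("143.161.0.10/24", "143.161.5.20"))
    print("/16 client sends to gateway:", leaves_local_subnet("143.161.0.10/16", "143.161.5.20"))
    print("usable hosts in a /24:", usable_hosts("143.161.0.0/24"))
```
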
