Meraki

Community

Site-to-site misconfiguration?

mdubs91
Comes here often
‎Oct 9 2024 6:24 AM
‎Oct 9 2024 6:24 AM

Site-to-site misconfiguration?

We have a site-to-site VPN set up between an MX in our main office and a vMX in the AWS cloud. All of our local networks have VPN mode Enabled. 

Whenever we make changes to the network on the MX even changes that are not directly related to the site-to-site this banner pops up and requires confirmation of the changes. Additionally, the network connectivity in our main office drops for about 15-30 seconds after the change is made. For instance, today I added client routing IP exemption to the AnyConnect VPN running on the main office MX and after confirming changes, the network dropped. 

 

Everything seems to be functioning as we expect it to i.e traffic is making it where in needs to go but I think this banner makes it pretty clear that something is not right -- and the network drops are obviously very bad. 

Does anyone have any thoughts on why this is happening and what we might need to do to fix it?

 

Thank you!

Screenshot 2024-10-09 090431.png

Labels:
0 Kudos
2 Replies 2
MartinLL
Building a reputation
‎Oct 9 2024 6:39 AM
‎Oct 9 2024 6:39 AM

Post your VPN tunnel config.

 

Also, consider moving from ipsec to AutoVPN. Much simpler, and considering that you already have a vMX in AWS this would be a costless improvement.

MLL
pmhaske
Meraki Employee
Meraki Employee
‎Oct 9 2024 2:09 PM
‎Oct 9 2024 2:09 PM

Hi @mdubs91,

 

The banner is simply alerting you that MX local VLAN subnets overlap with Non-Meraki peer Azure which is configured with a default route 0.0.0.0/0 on MX VPN config, this will cause all traffic (including internet) from VLANs taking part in VPN to go over the full tunnel to Azure. If this is your intended design to tunnel all traffic to Azure then that banner will be there for alerting purposes.

 

Making changes to any routing configs to MX subnets like anyconnect routing for example will cause NM VPN tunnel to reinitialize hence you might see the drops for full tunnel traffic.

 

Is Azure peer supposed to share a 0.0.0.0/0 subnet? If not, it's better to only have IPsec SAs between specific subnets that you want to reach from MX to Azure instead of tunneling all traffic. This will get rid of the banner and network connectivity drops.

 

 

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.