Strange AutoVPN Issue, any suggestions

Tim-WN9Z
Comes here often


I have a lab setup with 3 MX-64s. All three have two WAN connections, one a Spectrum link (WAN1), the other an ATT DIA link (WAN2). All 3 WAN1s are on the same Spectrum subnet and all 3 WAN2s are on the same ATT subnet.

There are no firewalls between the MXs and the carrier CPE; the WAN links are fully open public IP links.

I cannot get AutoVPN to set up no matter what I do. I set up 2 of the MX-64s as Mesh HUBs and planned for one to act as a sample spoke.

I configure the 2 HUBs with no static routes, a completely basic config. One of the 2 HUBs sets up and sees the other HUB; the other HUB says it cannot reach the VPN Registry.

Is there some kind of weird limitation of WAN ports not being on the same subnet???

Any and all comments are welcome.

Tim McKee

Ryan_Miles
Meraki Employee

Do the MXs get a public IP bridged to them, or do they receive some private IP from the CPEs? MXs will inform the VPN registry of their interface IP (real and NAT IP). And the tunnel setup will prefer to use the real IPs if they all NAT out to the same IP, i.e. are seen by dashboard as coming from the same IP.

In my lab I have an MX95 at the edge connected to Comcast and VZW via MG41. Downstream I have 2 MX hubs and 3 MX spokes. They all use private IPs handed out by my core MX (for the spoke WANs) and an MS switch for the hubs' WAN. They all NAT out to the internet using Comcast, so dashboard sees them all as the same IP. Because of this, all the tunnels set up using the real/private IPs.

Ryan

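As an added illustration of the endpoint choice Ryan describes (not Meraki's code and not part of this thread): a simplified model in which each MX registers a real and a NAT IP, and peers seen from the same public address are reached on their real IPs. The field names, the selection rule and all addresses are assumptions constructed for the example.

```python
# Simplified model of the AutoVPN endpoint choice described above.
# Assumption: this is NOT Meraki's implementation; the field names and the
# "same public IP => use real IPs" rule are taken from the reply, and the
# addresses below are constructed documentation-range values.
from dataclasses import dataclass


@dataclass(frozen=True)
class RegistryEntry:
    """What one MX uplink reports to the VPN registry."""
    name: str
    real_ip: str   # address configured on the WAN interface
    nat_ip: str    # source address the registry/dashboard actually sees


def choose_tunnel_endpoints(a: RegistryEntry, b: RegistryEntry):
    """Return (address_for_a, address_for_b, reason) for a tunnel a<->b."""
    if a.nat_ip == b.nat_ip:
        # Both peers are seen from one public address, so they sit behind the
        # same NAT and can only reach each other on their real (inside) IPs.
        return a.real_ip, b.real_ip, "same public IP: using real IPs"
    # Otherwise each peer is reached at the address the registry saw.
    return a.nat_ip, b.nat_ip, "different public IPs: using NAT IPs"


def is_bridged_public(e: RegistryEntry) -> bool:
    """True when the CPE bridges a public IP straight to the MX (no NAT)."""
    return e.real_ip == e.nat_ip


# Constructed sample registrations (documentation ranges, not real peers).
# Ryan's lab: hub and spoke both NAT out through the same Comcast address.
RYAN_LAB = (
    RegistryEntry("hub-1", "10.0.1.2", "203.0.113.10"),
    RegistryEntry("spoke-1", "10.0.2.2", "203.0.113.10"),
)
# Tim's lab as described: public /27 bridged to WAN1, so real == NAT.
TIM_LAB = (
    RegistryEntry("hub-1 WAN1", "198.51.100.2", "198.51.100.2"),
    RegistryEntry("hub-2 WAN1", "198.51.100.3", "198.51.100.3"),
)

if __name__ == "__main__":
    for pair in (RYAN_LAB, TIM_LAB):
        print(pair[0].name, "<->", pair[1].name, choose_tunnel_endpoints(*pair))
```

With bridged public addresses the two paths collapse to the same value, so in Tim's case the registry check ("cannot reach the VPN Registry") matters more than the address choice.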
Tim-WN9Z
Comes here often

The lab setup in question is almost ridiculously simple... All three MX64s have WAN1 attached to a public address VLAN from Spectrum on 173.95.x.x/27, no filtering between them. Their WAN2 is attached to a public address VLAN from ATT on 12.31.x.x/27, no filtering between them.

Two of them get set for site-to-site HUB functionality and one as a spoke. Hub-2 shows green VPN status for both peers, Hub-1 and Site-1. Hub-1 and Site-1 show no peers... and there is no IP traffic flowing between units that I can determine.
