Hello, I am pulling my hair out and hoping someone can help provide some guidance.
Following the "VMX in Azure" deployment guide, I deployed a VMX to an Azure Hub Vnet and it checked into the Meraki Dashboard and AutoVPN is up, and from on premise I can ping the LAN IP of the VMX; all good so far. Should it matter, the VMX is in Routed mode (I want to use it for Auto-VPN and want it to be the NAT Internet gateway for Azure resources). I continued to peer a spoke Vnet and then deployed a VM to one of its subnets to test connectivity by pinging the VM from on-prem (fail). The subnet that the VM is on has a User Defined Route that routes all traffic destined for on-prem networks to the LAN IP of the VMX.
To continue troubleshooting, from the VM in the spoke VNET, I can ping the WAN IP (not the public IP, but the WAN IP assigned to the NIC on the VMX's WAN subnet) of the VMX and get a reply all day long. However, I cannot ping the LAN IP of the VMX. Of course, if the VM can't reach the VMX LAN IP, I won't be able to reach the on prem networks or the Internet for that matter.
I can't figure out why the WAN IP would reply to the VM (over the VNET peering) but not the LAN IP. Note that...
- Since I can ping the VMX WAN IP from the VM in the spoke, it's an indicator that the peering is solid
- There are no NSGs in the way on the VMX, any subnets anywhere, or the VM NIC, so I'm confident it's not an NSG thing
- Both WAN and LAN NICs on the VMX VM have IP Forwarding enabled
- The user defined route on the VM's subnet is 100% pointing to the VMX LAN IP as next hop
A few oddities to mention, that may or may not be related...
- When I deployed the VMX, the LAN IP was 192.168.128.1 and of course that didn't work as that default IP didn't jibe with the VMX-LAN-Subnet IP range in the hub Vnet. I changed it to match the IP that Azure assigned the LAN interface of the VMX. This allowed the VPN to form and I could reach it from on premise.
- I was very much expecting to have to define the spoke networks on the VMX in order to enable them for auto-VPN but that does not appear to be possible and so the only VPN enabled Subnet is the LAN subnet.
- The VMX is in Single VLAN configuration, as deployed.
- I am really puzzled why the VM in the spoke VNET cannot ping the LAN IP of the VMX but can reach the VMX WAN IP. I feel that this is clearly what the issue is but cannot find any reasonable way to resolve it. The spoke subnets clearly need a path to the VMX's LAN IP.
If anyone has any input, advice, or suggestions, I would very much appreciate any help anyone can offer.
Thanks,
Mike