VMX in Azure Hub with Peered Spoke

Mike-M
Conversationalist


Hello, I am pulling my hair out and hoping someone can help provide some guidance. 

 

Following the "VMX in Azure" deployment guide, I deployed a VMX to an Azure Hub Vnet and it checked into the Meraki Dashboard and AutoVPN is up, and from on premise I can ping the LAN IP of the VMX; all good so far. Should it matter, the VMX is in Routed mode (I want to use it for Auto-VPN and want it to be the NAT Internet gateway for Azure resources). I continued to peer a spoke Vnet and then deployed a VM to one of its subnets to test connectivity by pinging the VM from on-prem (fail). The subnet that the VM is on has a User Defined Route that routes all traffic destined for on-prem networks to the LAN IP of the VMX.

 

To continue troubleshooting, from the VM in the spoke VNET, I can ping the WAN IP (not the public IP, but the WAN IP assigned to the NIC on the VMX's WAN subnet) of the VMX and get a reply all day long. However, I cannot ping the LAN IP of the VMX. Of course, if the VM can't reach the VMX LAN IP, I won't be able to reach the on prem networks or the Internet for that matter.

 

I can't figure out why the WAN IP would reply to the VM (over the VNET peering) but not the LAN IP. Note that...

  • Since I can ping the VMX WAN IP from the VM in the spoke, it's an indicator that the peering is solid
  • There are no NSGs in the way on the VMX, any subnets anywhere, or the VM NIC, so I'm confident it's not an NSG thing
  • Both WAN and LAN NICs on the VMX VM have IP Forwarding enabled
  • The user defined route on the VM's subnet is 100% pointing to the VMX LAN IP as next hop

 

A few oddities to mention, that may or not be related...

  • When I deployed the VMX, the LAN IP was 192.168.128.1 and of course that didn't work as that default IP didn't jive with the VMX-LAN-Subnet IP range in the hub Vnet. I changed it to match the IP that Azure assigned the LAN interface of the VMX. This allowed the VPN to form and I could reach it from on premise.
  • I was very much expecting to have to define the spoke networks on the VMX in order to enable them for auto-VPN but that does not appear to be possible and so the only VPN enabled Subnet is the LAN subnet.
  • The VMX is in Single VLAN configuration, as deployed. 
  • I am really puzzled why the VM in the spoke VNET cannot ping the LAN IP of the VMX but can reach the VMX WAN IP. I feel that this is clearly what the issue is but cannot find any reasonable way to resolve it. The spoke subnets clearly need a path to the VMX's LAN IP. 


If anyone has any input, advice, or suggestions, I would very much appreciate any help anyone can offer.

Thanks, 
Mike 
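A quick way to check the fourth bullet above (which next hop the spoke VM actually uses) is to apply Azure's route-selection rule to the NIC's effective route table. This is an added example, not code from the original post or from Meraki/Azure; the route entries mirror the shape of `az network nic show-effective-route-table` output, and the VMX LAN IP 10.1.1.4 and all prefixes are constructed.

```python
"""Resolve the effective Azure route for a destination and confirm its next hop.

Azure picks the longest matching prefix; on a tie the route source decides:
User (UDR) beats VirtualNetworkGateway (BGP), which beats Default (system)."""
import ipaddress

# Tie-break order when prefixes are equally long; lower rank is preferred.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def resolve_route(routes, destination):
    """Return the effective route dict for `destination`, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    best = None
    for r in routes:
        if r.get("state", "Active") != "Active":   # Invalid routes never take effect
            continue
        for prefix in r["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dst not in net:
                continue
            key = (net.prefixlen, -SOURCE_RANK.get(r["source"], 3))
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None

def next_hop_is_appliance(routes, destination, appliance_ip):
    """True when traffic to `destination` is steered to `appliance_ip` as a VirtualAppliance."""
    r = resolve_route(routes, destination)
    return (r is not None and r["nextHopType"] == "VirtualAppliance"
            and r.get("nextHopIpAddress") == appliance_ip)

# Constructed sample: a spoke VM NIC peered to the hub; VMX LAN IP assumed to be 10.1.1.4.
VMX_LAN_IP = "10.1.1.4"
SPOKE_VM_ROUTES = [
    {"source": "Default", "state": "Active", "addressPrefix": ["10.2.0.0/16"],
     "nextHopType": "VnetLocal", "nextHopIpAddress": None},
    {"source": "Default", "state": "Active", "addressPrefix": ["10.1.0.0/16"],
     "nextHopType": "VNetPeering", "nextHopIpAddress": None},
    {"source": "Default", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
     "nextHopType": "Internet", "nextHopIpAddress": None},
    {"source": "User", "state": "Active", "addressPrefix": ["192.168.0.0/16"],
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": VMX_LAN_IP},
]

if __name__ == "__main__":
    for dst in ("192.168.10.5", "8.8.8.8", "10.1.1.4"):
        r = resolve_route(SPOKE_VM_ROUTES, dst)
        print(dst, "->", r["nextHopType"], r["nextHopIpAddress"] or "")
```

With these sample routes, on-prem traffic goes to the VMX LAN IP but Internet traffic still follows the system route, so the VMX only becomes the NAT gateway once a 0.0.0.0/0 UDR to its LAN IP is added to the spoke subnet.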

1 Reply
alemabrahao
Kind of a big deal

Since you mentioned you want the vMX to be the NAT Internet gateway and use Auto-VPN, you need to ensure the Meraki Dashboard knows about those spoke subnets.

Check the Static Routes section in your Meraki Dashboard. Do you see the Spoke VNet CIDR listed there? If not, try adding it and enabling VPN for that route.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
