VMX to VMX route issue in Azure

Here to help

VMX to VMX route issue in Azure


I got a VMX (referred as VMX1) running in Azure VNET1 , and in the same VNET i got other resources (VMs) that are reachable by VMX1

I have another VMX  ( referred as VMX2) running  in Azure VNET2 ( different region) which is intended for back up. VMX2 also got resources configured in its same VNET 2 ( VMs ) and can reach them. 


VMX1 got a VPN tunnel ( IPSEC) with VMX2. I am not 100% sure how the tunnel was established and if i can terminate it. this is an issue that i will park for now 


VMX1 is able to ping  VMX2 however, VMX1 is unable to reach any resources in VMX 2 although i have added those resources under VMX2 local subnet. 


my questions are:

1- Any idea how to get the local subnets at each VMX advertised to the other VMX ?  

2- can i turn off IPSEC tunnel between VMX1 to VMX2 while i keep the IPSEC between VMX and my other MX's ? 

Kind of a big deal

This is a known Azure issue.  Pay special attention to this bit:



"Deploy a virtual appliance into a different subnet than the resources that route through the virtual appliance are deployed in. Deploying the virtual appliance to the same subnet, then applying a route table to the subnet that routes traffic through the virtual appliance, can result in routing loops, where traffic never leaves the subnet."


Also check out this VMX HA guide for Azure:


Meraki Employee

It is possible to have your VMX Hubs configured not to have direct AutoVPN tunnels between them (call Support for this).   Note that this is an 'all or nothing' switch for all Hubs in your Organization..

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.