VPN Concentrator Blocks. Source and Target are reversed

We are configuring an MX-250 as a VPN Concentrator.  It will handle client VPN connections and authenticate against a RADIUS server.


It is set up with port forwarding from our primary MX-250.


However, we are seeing blocks from our internal firewall rules.


For example, I get a TCP block on the source IP of and source port of 443, with a target IP of and target port of 61702.

It looks like the blocks are somehow reversed.  The VPN client is at and is trying to create a 443 connection to, but I get a block in the opposite direction.


Another example: According to our firewall, Google at is trying to hit our VPN client for a DNS lookup on UDP port 53.  It is backwards!


Any ideas would be welcome.  When we finally find the problem, I will post the answer.


Thank you.

3 Replies

Our network consultant analyzed the issue and made changes to the configuration of our VPN concentrator. 

It is now working as expected.


Sorry that I do not have any more detailed information on why we were getting the weird traffic from the VPN concentrator.


Maybe he had it installed upside down. Ha ha.

Are you talking about the port forwarding access rules (where you specify which IPs are allowed access inbound) or the firewall rules (which work on the outbound leg - not the inbound leg)?

The blocks are from our outbound firewall rules on our primary MX-250.


