Meraki

Community

VPN Exclusion only working if static route to WAN interface exists

kmoran
Here to help
‎Nov 16 2023 10:59 PM
‎Nov 16 2023 10:59 PM

VPN Exclusion only working if static route to WAN interface exists

Hi,

 

I have a hub and spoke network.  I have set up VPN Exclusion via the API however the traffic still uses the VPN unless I put a static route in place to point the destination IP to one of the WAN interfaces.  The documentation doesn't mention that static routes are needed.  Also if the WAN interface fails, the destination IP becomes unavailable until the WAN interface comes back up.  There is no way to set a secondary static route to use the secondary WAN interface.

This is what I have for the VPN Exclusion code.

dashboard.appliance.updateNetworkApplianceTrafficShapingVpnExclusions(site,\
            custom=[{'protocol': 'tcp', 'destination': '172.67.73.20/32'},\
                    {'protocol': 'tcp', 'destination': '104.26.9.109/32'},\
                    {'protocol': 'tcp', 'destination': '104.26.8.109/32'}]\
            ,majorApplications=[{'id': 'meraki:vpnExclusion/application/10'}])
 
We have Internal and External Hubs.  The External Hub is set as the default route.
 
I'd appreciate any ideas.
 
Thanks
Labels:
0 Kudos
8 Replies 8
alemabrahao
Kind of a big deal
‎Nov 17 2023 2:45 AM
‎Nov 17 2023 2:45 AM

If you try to configure via the dashboard and not via the API, is the result the same?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
kmoran
Here to help
‎Nov 17 2023 6:35 AM
‎Nov 17 2023 6:35 AM

Yes, same result if configured using the GUI.

0 Kudos
alemabrahao
Kind of a big deal
‎Nov 17 2023 3:55 AM
‎Nov 17 2023 3:55 AM

Just to confirm, your license is Secure SD-WAN Plus correct?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
kmoran
Here to help
‎Nov 17 2023 6:36 AM
‎Nov 17 2023 6:36 AM

Yes, we have the SD-WAN+ license.  The situation is the same even if the MajorApplications is configured with an empty list.

0 Kudos
In response to kmoran
alemabrahao
Kind of a big deal
‎Nov 17 2023 6:42 AM
‎Nov 17 2023 6:42 AM

I suggest you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Nov 17 2023 8:11 AM
‎Nov 17 2023 8:11 AM

What is a external hub?

Is it a default route to a non meraki vpn?

0 Kudos
In response to ww
kmoran
Here to help
‎Nov 17 2023 8:14 AM
‎Nov 17 2023 8:14 AM

There is an Internal Hub that directs traffic to the data center and an External hub that directs traffic to everything else.

0 Kudos
In response to kmoran
ww
Kind of a big deal
Kind of a big deal
‎Nov 17 2023 8:28 AM
‎Nov 17 2023 8:28 AM

So its a meraki mx hub with the [ x ] set with default route at the spoke. 

What firmware is your spoke running?

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.