VPN Mode Static Routes not installing on Site-to-Site Peers

MitchyB
New here


Hi,

Having an issue where 4 out of 5 static routes on an MX67 (Firmware 19.1.11), enabled with VPN Mode turned on, show up as unknown on every other auto-VPN connected MX67 or Z4 that we have in our network (all running the latest firmware), and aren't reachable. 10.246.1.0/24 is green and reachable, but the other 4 are showing up as "None / ( - ): the status is unknown. This is the default state while waiting for the status of a route." There are no other better priority routes in the routing table.

I can't quite figure out why that's happening, any ideas? Sanitised screenshots attached. Haven't rebooted the appliance yet.

[Screenshot attached: MitchyB_0-1762266845983.png]

[Screenshot attached: MitchyB_3-1762267909397.png]

[Screenshot attached: MitchyB_2-1762266939703.png]


Thanks in advance.

15 Replies
Mloraditch
Kind of a big deal

I've seen weirdness like this before and rebooting and/or disabling and reenabling VPN usually fixed it. Perhaps once or twice support had to do something. I won't say it's a common issue, but I've seen it enough over the years.

This may not be easy if there are dependent DHCP scopes, firewall rules, etc., but you can also try removing and re-adding the route.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
MitchyB
New here

Thanks, nothing business-critical, so I'll give that a try. The MX in question was upgraded to 19.1.11 only 7 days ago, but I can disable/reboot everything and let it rebuild from the ground up, thanks.

RWelch
Kind of a big deal

I would focus on the next hop; that is likely where the issue resides.

MitchyB
New here

Sorry, I forgot to mention that these networks are reachable. For example, if I give my Z4 an exit hub of this MX67, then the local routes all work.

RWelch
Kind of a big deal

Are all of these devices in the same org (AutoVPN)? Or are they in separate organizations where you require IPsec VPN peers?

Site-to-Site VPN Settings 

MitchyB
New here

All within the same Org using AutoVPN, yes.

RWelch
Kind of a big deal

The MX67 is the hub and all other devices are spokes?

MitchyB
New here

Some are spokes, some are other hubs in other DCs; all show the same "-" next to the route in the table.

RWelch
Kind of a big deal

Static routes are generally not required for typical AutoVPN-connected subnets.

RWelch
Kind of a big deal

When using Meraki S2S (AutoVPN) the routing table typically shows:

Meraki VPN: VLAN

Your route table is showing Meraki VPN: Static Routes

MitchyB
New here

The gateway for each subnet isn't on the MX itself; it's on the core switch infrastructure downstream of the MX, so we have these static routes in place. The next hop is the SVI on the core switch, on a shared transit network (the 10.255.252.22 IP).

RWelch
Kind of a big deal

Site-to-Site VPN Troubleshooting 

alemabrahao
Kind of a big deal

If any of those four subnets overlap with local VLANs on the MX, other static routes or remote VPN subnets, Meraki will suppress the advertisement to avoid conflicts.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
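Two checks come up in the replies above: RWelch's point that the next hop of each static route must actually be on a local MX interface, and alemabrahao's point that a static route whose subnet overlaps a local VLAN, another static route, or a subnet advertised by a remote AutoVPN peer will not be advertised. The script below is an added, offline example (not Meraki code and not anything the original poster ran) that applies both rules to an exported route list. All VLANs, routes, gateways and peer subnets in it are constructed sample data; the overlapping entries and the off-net gateway are deliberately planted so the report has something to show.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data, loosely modelled on the thread: one local transit VLAN on the MX,
# five static routes pointing at a downstream core-switch SVI, and subnets learned from a
# remote AutoVPN hub. None of these values are taken from the original post.
LOCAL_VLANS = {
    "Transit": "10.255.252.0/30",
}
STATIC_ROUTES = [
    {"name": "Users",    "subnet": "10.246.1.0/24", "gateway": "10.255.252.2"},
    {"name": "Servers",  "subnet": "10.246.2.0/24", "gateway": "10.255.252.2"},
    {"name": "Printers", "subnet": "10.246.3.0/24", "gateway": "10.255.252.2"},
    {"name": "Overlap",  "subnet": "10.246.2.0/25", "gateway": "10.255.252.2"},  # inside Servers
    {"name": "BadHop",   "subnet": "10.246.5.0/24", "gateway": "192.0.2.1"},     # gateway off-net
]
REMOTE_VPN_SUBNETS = {
    "DC2-Hub": ["10.50.0.0/16", "10.246.3.0/24"],  # second entry collides with Printers
}


def gateway_is_local(gateway: str, vlans: Dict[str, str]) -> bool:
    """True if the next-hop address falls inside one of the MX's own VLAN subnets."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_network(v, strict=False) for v in vlans.values())


def find_conflicts(local_vlans: Dict[str, str],
                   static_routes: List[Dict[str, str]],
                   remote_subnets: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {route_name: [reasons]} for every static route that fails one of the
    two checks discussed in the thread: next hop not on a local VLAN, or subnet
    overlapping a local VLAN, another static route, or a remote VPN subnet."""
    problems: Dict[str, List[str]] = {}

    def add(name: str, reason: str) -> None:
        problems.setdefault(name, []).append(reason)

    for i, route in enumerate(static_routes):
        net = ipaddress.ip_network(route["subnet"], strict=False)

        # Check 1: the next hop must sit on a directly connected MX VLAN.
        if not gateway_is_local(route["gateway"], local_vlans):
            add(route["name"], f"next hop {route['gateway']} is not on any local VLAN")

        # Check 2a: overlap with a local VLAN.
        for vname, vsub in local_vlans.items():
            if net.overlaps(ipaddress.ip_network(vsub, strict=False)):
                add(route["name"], f"overlaps local VLAN {vname} ({vsub})")

        # Check 2b: overlap with any other static route on the same MX.
        for j, other in enumerate(static_routes):
            if i != j and net.overlaps(ipaddress.ip_network(other["subnet"], strict=False)):
                add(route["name"], f"overlaps static route {other['name']} ({other['subnet']})")

        # Check 2c: overlap with a subnet already advertised by a remote AutoVPN peer.
        for peer, subs in remote_subnets.items():
            for sub in subs:
                if net.overlaps(ipaddress.ip_network(sub, strict=False)):
                    add(route["name"], f"overlaps {sub} advertised by peer {peer}")

    return problems


if __name__ == "__main__":
    report = find_conflicts(LOCAL_VLANS, STATIC_ROUTES, REMOTE_VPN_SUBNETS)
    for route in STATIC_ROUTES:
        reasons = report.get(route["name"])
        status = "OK" if not reasons else "; ".join(reasons)
        print(f"{route['name']:<9} {route['subnet']:<16} {status}")
```

In the sample data only the first route passes cleanly, which mirrors the "one green, four unknown" symptom in the opening post; in a real check the VLAN list, static routes and remote subnets would be exported from the dashboard rather than typed in.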
MitchyB
New here

No overlapping subnets to my knowledge, but it's always worth a check, thanks. 

PhilipDAth
Kind of a big deal

This smells like a firmware bug. Are you running current stable or better firmware?
