Meraki

Community

VPN - spoke sites cannot reach networks beyond the hub unless 'default route' ticked

gt1
New here
‎Oct 27 2019 5:34 PM
‎Oct 27 2019 5:34 PM

VPN - spoke sites cannot reach networks beyond the hub unless 'default route' ticked

We have an issue with routing for sites that are connected as 'spokes' using site-to-site VPN. If the 'default route' box is not checked, these spoke sites can only access the subnets advertised by the hub they are connecting to. All subnets in the rest of the mesh are inaccessible.

 

If the 'default route' box is checked, all subnets are accessible however this sends all traffic across the VPN to the hub which is not what we want. We wish for traffic to break out at the local Internet link if they if it is not destined for a network inside the VPN. 

 

Using the packet capture, I can see that traffic destined for VPN subnet (beyond the hub) is sent out of the Internet interface rather than the site-to-site VPN interface. This is why it is not working. So it is as if the route table is not correct on the spoke end.

 

Packets originating at the other end (from a VPN subnet beyond the hub) make it all the way to the spoke site, but obviously the reply is lost due to the above.

 

Is there something I am missing here?

 

Spoke sites are MX64s on 14.40. 

 

0 Kudos
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 27 2019 7:44 PM
‎Oct 27 2019 7:44 PM

For one of the spokes, does "Security & SD-WAN/Routes" show the routes you can't seem to get to?

0 Kudos
In response to PhilipDAth
gt1
New here
‎Oct 27 2019 8:17 PM
‎Oct 27 2019 8:17 PM

It does indeed list the routes, the the hub correctly listed in the 'via' section, however the status of the route never resolves. It simply shows a spinner indefinitely. The status of the directly connected networks and those of the hub device show as green, as expected.

0 Kudos
In response to gt1
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 27 2019 10:38 PM
‎Oct 27 2019 10:38 PM

Open a support case.

In response to PhilipDAth
MarkusAlbisser
Comes here often
‎Feb 20 2020 2:15 AM
‎Feb 20 2020 2:15 AM

Hi Philipp

 

I am facing exactly the same issue as described here in this post, what was the outcome of your support case?

 

Thank you

Markus

0 Kudos
KRobert
Head in the Cloud
‎Oct 28 2019 6:40 AM
‎Oct 28 2019 6:40 AM

Is this a 1-arm Concentrator Hub, or a NAT Concentrator Hub? Do you have an upstream layer 3 appliance performing the routing?
CMNO, CCNA R+S
0 Kudos
MarkusAlbisser
Comes here often
‎Feb 20 2020 4:03 AM
‎Feb 20 2020 4:03 AM

Hi gt1, did you found a solution for your issue?
0 Kudos
NickSpeechley
Here to help
‎Feb 23 2020 5:54 PM
‎Feb 23 2020 5:54 PM

Hey gt1,

 

I too am keen to hear your solution.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.