VPN - spoke sites cannot reach networks beyond the hub unless 'default route' ticked

New here


We have an issue with routing for sites that are connected as 'spokes' using site-to-site VPN. If the 'default route' box is not checked, these spoke sites can only access the subnets advertised by the hub they are connecting to. All subnets in the rest of the mesh are inaccessible.


If the 'default route' box is checked, all subnets are accessible; however, this sends all traffic across the VPN to the hub, which is not what we want. We wish for traffic to break out at the local Internet link if it is not destined for a network inside the VPN.


Using the packet capture, I can see that traffic destined for a VPN subnet (beyond the hub) is sent out of the Internet interface rather than the site-to-site VPN interface. This is why it is not working. So it is as if the route table is not correct on the spoke end.


Packets originating at the other end (from a VPN subnet beyond the hub) make it all the way to the spoke site, but obviously the reply is lost due to the above.


Is there something I am missing here?


Spoke sites are MX64s on 14.40. 
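To make the symptom above concrete, here is an added illustration (not from this thread and not Meraki code) that models a spoke's route table as a longest-prefix-match lookup. All addresses are constructed sample values; the three tables show the behaviour with the box unticked, with it ticked, and with the beyond-hub subnet actually present as a VPN route.

```python
import ipaddress

# Constructed sample addressing (not from the thread): RFC 1918 ranges chosen for illustration.
SPOKE_LAN = "10.1.0.0/24"       # directly connected at the spoke
HUB_LAN = "10.0.0.0/24"         # advertised by the hub the spoke connects to
BEYOND_HUB = "10.2.0.0/24"      # a subnet elsewhere in the mesh, reachable only via the hub
INTERNET_HOST = "203.0.113.10"  # TEST-NET-3 address standing in for a public site

def lookup(routes, dst):
    """Longest-prefix match: return the interface of the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def spoke_routes(default_route_ticked, extra_vpn_prefixes=()):
    """Approximate spoke table: connected LAN, hub-advertised subnet over VPN, any extra
    VPN prefixes the spoke has learned, then a default via VPN (ticked) or via WAN (unticked)."""
    routes = [(SPOKE_LAN, "lan"), (HUB_LAN, "vpn")]
    routes += [(p, "vpn") for p in extra_vpn_prefixes]
    routes.append(("0.0.0.0/0", "vpn" if default_route_ticked else "wan"))
    return routes

def symptom_unticked():
    # Beyond-hub traffic falls through to the WAN default: the packet-capture symptom.
    return lookup(spoke_routes(False), "10.2.0.5")

def symptom_ticked():
    # Everything, including ordinary Internet traffic, is pulled over the VPN.
    return lookup(spoke_routes(True), INTERNET_HOST)

def desired():
    # With the beyond-hub prefix present as a VPN route, only VPN-bound traffic uses the tunnel.
    table = spoke_routes(False, extra_vpn_prefixes=[BEYOND_HUB])
    return lookup(table, "10.2.0.5"), lookup(table, INTERNET_HOST)

if __name__ == "__main__":
    print("unticked, beyond-hub dest ->", symptom_unticked())
    print("ticked, Internet dest    ->", symptom_ticked())
    print("with VPN route, both     ->", desired())
```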


Kind of a big deal

For one of the spokes, does "Security & SD-WAN/Routes" show the routes you can't seem to get to?

It does indeed list the routes, with the hub correctly listed in the 'via' section; however, the status of the route never resolves. It simply shows a spinner indefinitely. The status of the directly connected networks and those of the hub device show as green, as expected.

Kind of a big deal

Open a support case.

Hi Philipp


I am facing exactly the same issue as described here in this post, what was the outcome of your support case?


Thank you


Head in the Cloud

Is this a 1-arm Concentrator Hub, or a NAT Concentrator Hub? Do you have an upstream layer 3 appliance performing the routing?
Comes here often

Hi gt1, did you find a solution for your issue?
Here to help

Hey gt1,


I too am keen to hear your solution.
