VPN third party is connected to hub but not to spoke connected to HUB

Solved
Abechara
Getting noticed

I configured a site-to-site tunnel between the Meraki HUB and another firewall. The Meraki HUB is connected and can ping the other firewall, but the spoke connected to the HUB cannot ping the other firewall. Is there any way to let the spoke also ping the other firewall via the site-to-site tunnel configured on the hub?

15 Replies
alemabrahao
Kind of a big deal

But as for other devices, can you access them via the tunnel or are you having problems too?

Site-to-Site VPN Troubleshooting - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Abechara
Getting noticed

From the hub I can access the other third-party firewall, but not from the spoke, which is connected to the hub via AutoVPN.

alemabrahao
Kind of a big deal

I'm not referring to the Firewall, I'm referring to any other device. Can you communicate with any device other than the firewall?

I'm almost certain that the firewall itself won't be able to ping the LAN interface.
Abechara
Getting noticed

I created a VM beside this firewall; same problem. I can ping this device from the hub but not from the spoke. Note that the other firewall is not Meraki.

alemabrahao
Kind of a big deal

Ah, now I understand: the third-party VPN does not participate in the SD-WAN tunnel, so you won't be able to reach it via the spoke. The only way is to create a VPN tunnel between the spoke and the other firewall.

Abechara
Getting noticed

Thank you.

rwiesmann
Head in the Cloud
Accepted Solution

I think it is still not possible.

Check out this documentation:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
The following part:

An MX that builds tunnels to both Auto VPN and Non-Meraki VPN peers will not route traffic between other Auto VPN peers and the non-Meraki VPN peers unless BGP routing over IPsec VPN is enabled for the latter.
Abechara
Getting noticed

Thank you.

rwiesmann
Head in the Cloud

Gladly... I had the same problem with an installation once. I solved it with an extra MX: I connected the extra MX to the same LAN as the hub and did static routing in between. The extra MX I used only to set up the IPsec tunnel.

Not sure if it now could be solved somehow with BGP.

alemabrahao
Kind of a big deal

Another option is creating a VPN tunnel between the spoke and the third-party firewall.
Abechara
Getting noticed

The problem is that I have 10 spokes 🙂

alemabrahao
Kind of a big deal

A very small number. If it were 50, then it would be a problem.

This way, you don't have to spend unnecessarily on another MX.

Another option is to create a Linux VM within the network and create tunnels between this machine and the third-party firewall. This way, you would be able to route through the Linux machine and create a route on the HUB and thus guess the route to the SD-WAN.

These are free options.
Abechara
Getting noticed

Can't we do a static route on the hub to let all spokes connect?

jimmyt234
A model citizen

You would need another MX to point the static route at, and have the NMVPN configured on that MX, as @rwiesmann was describing.
If you use Secure Connect you can have a NMVPN tunnel terminate there and be shared by all spokes, but unless you're already in that ecosystem it would probably just be easier to get the 3rd party to create VPNs to every spoke network.

alemabrahao
Kind of a big deal

No, it's not going to work. Third-party VPN is quite limited on Meraki.