Meraki

Community

VPN traffic with custom expression, traffic not flowing as expected

Solved
ronnieshih75
Building a reputation
‎Apr 12 2024 6:58 AM
‎Apr 12 2024 6:58 AM

VPN traffic with custom expression, traffic not flowing as expected

We are looking to send microsoft patches from a WSUS server behind the MX450, via multiple MX450 headends from our data center via WAN2, down via the spokes' MX84 or MX85 WAN2.  This is so that WAN1 of both SD-WAN headends and spokes remains relatively free for other production applications.  We configured VPN traffic custom expression of the following on both MX450 headends and MX84 and MX85 spokes:

protocol: any, source: ip address of wsus server 10.105.x.x, source port: any, destination: any, destination port: any

We see this traffic flowing over WAN2 on the MX450s, but we DO NOT see this traffic flowing over WAN2 for MX84 or MX85 spokes.  I verified this by doing packet capture for "site-to-site vpn over internet1" and "site-to-site vpn over internet2".  Active-Active autovpn is enabled on all spokes, so autovpn is established on both WAN1 and 2 on all spokes.

please advise what can be the issue.

0 Kudos
1 Accepted Solution
ronnieshih75
Building a reputation
‎Apr 12 2024 8:15 AM
‎Apr 12 2024 8:15 AM

Problem solved by reversing the custom expression setup. thanks!

View solution in original post

5 Replies 5
alemabrahao
Kind of a big deal
‎Apr 12 2024 7:25 AM
‎Apr 12 2024 7:25 AM

Can you show the policy configuration?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
ronnieshih75
Building a reputation
‎Apr 12 2024 7:42 AM
‎Apr 12 2024 7:42 AM

Screenshot 2024-04-12 094304.pngScreenshot 2024-04-12 094144.png

0 Kudos
In response to ronnieshih75
alemabrahao
Kind of a big deal
‎Apr 12 2024 7:47 AM
‎Apr 12 2024 7:47 AM

You know this is for outgoing traffic right?

If the server is behind the MX450, you are simply saying that all traffic from that source (server IP) will be forwarded via WAN 2.

This does not apply to spokes, it would have to be a destination traffic rule.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
ronnieshih75
Building a reputation
‎Apr 12 2024 7:53 AM
‎Apr 12 2024 7:53 AM

Are you say I should have wsus server's IP as destination and from of Any?

Because even Meraki support said what I have is right 😂

0 Kudos
ronnieshih75
Building a reputation
‎Apr 12 2024 8:15 AM
‎Apr 12 2024 8:15 AM

Problem solved by reversing the custom expression setup. thanks!

Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.