We are looking to send Microsoft patches from a WSUS server behind the MX450, via multiple MX450 headends in our data center over WAN2, down to the spokes' MX84 or MX85 over WAN2. This is so that WAN1 of both the SD-WAN headends and the spokes remains relatively free for other production applications. We configured a VPN traffic custom expression of the following on both the MX450 headends and the MX84 and MX85 spokes:
protocol: any, source: ip address of wsus server 10.105.x.x, source port: any, destination: any, destination port: any
We see this traffic flowing over WAN2 on the MX450s, but we DO NOT see this traffic flowing over WAN2 on the MX84 or MX85 spokes. I verified this by doing a packet capture for "site-to-site VPN over internet1" and "site-to-site VPN over internet2". Active-Active AutoVPN is enabled on all spokes, so AutoVPN is established on both WAN1 and WAN2 on all spokes.
Please advise what the issue could be.
Can you show the policy configuration?
You know this is for outgoing traffic, right?
If the server is behind the MX450, you are simply saying that all traffic from that source (server IP) will be forwarded via WAN 2.
This does not apply to spokes, it would have to be a destination traffic rule.
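As an added illustration of the point above (example code, not from this thread or from Meraki), this builds the uplink preference entry for each role in the shape of the Dashboard API's vpnTrafficUplinkPreferences field (field names assumed from the public API) and evaluates it against each site's own outbound flow, which shows why a source-based rule only matches at the hub that hosts the server:

```python
import ipaddress


def vpn_uplink_preference(role: str, server_cidr: str, uplink: str = "wan2") -> dict:
    """One vpnTrafficUplinkPreferences entry (assumed API field names).
    The hub hosting the server matches on source; a spoke only sees this
    traffic as outbound *towards* the server, so it must match on destination."""
    any_side = {"cidr": "any", "port": "any"}
    server_side = {"cidr": server_cidr, "port": "any"}
    if role == "hub":
        src, dst = server_side, any_side
    elif role == "spoke":
        src, dst = any_side, server_side
    else:
        raise ValueError("role must be 'hub' or 'spoke'")
    return {
        "trafficFilters": [{
            "type": "custom",
            "value": {"protocol": "any", "source": src, "destination": dst},
        }],
        "preferredUplink": uplink,
    }


def matches(pref: dict, src_ip: str, dst_ip: str) -> bool:
    """Evaluate the custom filter against one outbound flow from this site."""
    def in_cidr(ip: str, cidr: str) -> bool:
        return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

    v = pref["trafficFilters"][0]["value"]
    return in_cidr(src_ip, v["source"]["cidr"]) and in_cidr(dst_ip, v["destination"]["cidr"])


def check_site(role: str, pref: dict, server_ip: str, client_ip: str) -> bool:
    """Outbound from the hub is server->client; outbound from a spoke is client->server.
    Uplink preferences are applied to the site's own outbound traffic only."""
    src, dst = (server_ip, client_ip) if role == "hub" else (client_ip, server_ip)
    return matches(pref, src, dst)


if __name__ == "__main__":
    # Constructed sample addresses: WSUS server behind the hub, a client behind a spoke.
    wsus, client = "10.105.1.10", "10.20.0.5"
    hub_style = vpn_uplink_preference("hub", "10.105.1.10/32")
    spoke_style = vpn_uplink_preference("spoke", "10.105.1.10/32")
    print("hub   with source rule     :", check_site("hub", hub_style, wsus, client))
    print("spoke with source rule     :", check_site("spoke", hub_style, wsus, client))
    print("spoke with destination rule:", check_site("spoke", spoke_style, wsus, client))
```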
Are you saying I should have the WSUS server's IP as the destination and a source of Any?
Because even Meraki support said what I have is right 😂
Problem solved by reversing the custom expression setup. thanks!