Z3 auto-vpn internet access
I have an MX68 configured in our home office for client VPNs for our remote consultants to connect to. We recently purchased a Z3 teleworker gateway to enable one of our consultants who travels internationally to deploy a site-to-site VPN using the Meraki Auto VPN functionality. We configured the Z3 with specific VLANs for local internet access and for remote access. The remote access VLANs are intended to go across the VPN tunnel to access resources in the home office and, more importantly, dump out the home office internet connection. We did this using source-based default routes initially, and eventually converted it all to full tunneling.
The problem we are encountering is that the remote access VLANs on the Z3 are not able to reach any internet resources when the Auto VPN tunnel is working.
I need some guidance on getting this sorted out. My consultant is already international, and his current location is limiting the support we can get from Cisco directly as we draw down and close out our operations in Russia.
Labels: Auto VPN
Have you tried setting the hubs as a default route?
Please, if this post was useful, leave your kudos and mark it as solved.
Yes. We tried that after we weren't making any progress on the source-based default route. We can see the traffic in the VPN tunnel when looking at the packet captures, but we don't see anything on the LAN or WAN. Traceroute out to 8.8.8.8 from the client workstation only hits the local Z3 gateway, then gets no replies from anything after that. We can hit local internal resources just fine, so that side of the tunnel and routing is working as expected.
What version are you running?
Please, if this post was useful, leave your kudos and mark it as solved.
The Z3 is running 17.10.2 and the MX is 17.10.
Version 17.10.x has a historical issue for some people, so I suggest you downgrade it to version 16.16.8.
Please, if this post was useful, leave your kudos and mark it as solved.
Is the MX68 in routed mode? Does the MX68 have a static default route configured?
What is the next hop for 0.0.0.0 in the Z3 routing table?
The MX is in routed mode. There are no static routes defined at all. The default routes on the MX are the default quad-zero route for the WAN, going out the WAN interface, and the default quad-zero route next-hopped to the home office over the Meraki VPN. The VPN quad-zero route is the one that is active.
The current configuration on the Z3 is that the home office hub is the IPv4 default route. We removed the source-based default routes to try to clean up the route table, since so many default routes were populating it.
For testing and problem isolation purposes, we moved the MX to a DIA connection with a DHCP lease from the ISP. The Z3 is behind a local ISP router, so it is getting a DHCP lease from the router, which is then NATed to the ISP IP. The Auto VPN is able to negotiate and establish the tunnels.
Can the Z3 access any internal company resources over AutoVPN at all? If not, then it may simply be that AutoVPN is being blocked.
Just out of interest, did you set up any VLAN-based network object rules in the firewall on the Z3? We recently deployed a Z3 where devices connected to it couldn't communicate with the internet. That was due to what is believed to be a bug (unconfirmed): when you have a VLAN-sourced rule, it stops the firewall functioning correctly and blocks most traffic.
Replacing the VLAN rule with the IP range for that VLAN then allowed everything to function.
Might not be the same problem, but worth checking...
