Meraki

Community

having trouble getting traffic through on a mx67 w/ anyconnect client vpn

Solved
sinh
Conversationalist
‎Apr 11 2025 4:32 AM
‎Apr 11 2025 4:32 AM

having trouble getting traffic through on a mx67 w/ anyconnect client vpn

having a heck of a time trying to get this going.  I have an old ssl vpn I want to replace with a mx67 and any connect for my end users.  I've gone through the documentation sections for this but can't seem to find the answer I'm looking for.  

 

currently my vpn solution is this : 

 

client <-> internet <-> router/fw <-> old ssl vpn server <-> local net resources

 

essentially I want to replace the ssl vpn server with an mx67.  Currently I have it set as passthrough and anyconnect enabled using radius authentication.  in my testing, client is able to connect but I'm unable to access any of the local resources at the datacenter (i.e I can not ssh to a server that's was behind the router/fw above).  part of me thinks I'm missing a route somewhere.  in this mode does the mx67 not push any route info out?  considering I can't define any static routes in this mode I'm going to assume the answer is no.  

 

question is how do I set up the mx67 to be a basic vpn concentrator using the anyconnect client that will allow both access to services behind it?  

 

second question - if I can not do this in the passthrough mode and I have to use the routed mode, is it possible to have DHCP requests passed through to an internal DHCP server instead of using the mx67 as a DHCP server?  

 

thanks. 

Labels:
0 Kudos
1 Accepted Solution
In response to cmr
sinh
Conversationalist
‎Apr 23 2025 4:00 PM
‎Apr 23 2025 4:00 PM

thank you very much for this.  after speaking with support the only real thing I was missing was a static route for the new vpn client subnet.  this needed to be added on the UDM to add a static route with the vpn client subnet and set the MX67 as the gateway (or next hop).  once this was done, traffic to everything was good.  nothing more really had to be set on the MX67. 

 

thank you and everyone else for their assistance.

View solution in original post

0 Kudos
6 Replies 6
ww
Kind of a big deal
Kind of a big deal
‎Apr 11 2025 4:55 AM
‎Apr 11 2025 4:55 AM

Does your router/fw routes the vpn/anycon subnet back to the mx67 ip?

 

In response to ww
sinh
Conversationalist
‎Apr 11 2025 5:03 AM
‎Apr 11 2025 5:03 AM

good question.  there are no specific rules in my router/fw that routes anything to the existing VPN server.  

 

for the record, I'm using a ubiquiti UDM-PRO in front of the MX67.  All I have is a port forwarded from the outside on 9443 to the IP of the MX67 on port 9443 (which is defined in the AnyConnect config).  

0 Kudos
In response to sinh
ww
Kind of a big deal
Kind of a big deal
‎Apr 11 2025 5:41 AM
‎Apr 11 2025 5:41 AM

try to set the static route of that anyconnect subnet to the mx ip (on your udm pro)

 

To add a static route, go to Settings -> Advanced Features -> Advanced Gateway Settings -> Static Routes

0 Kudos
In response to ww
sinh
Conversationalist
‎Apr 11 2025 9:08 AM
‎Apr 11 2025 9:08 AM

thank you for this.  I can't find this in the Meraki dashboard and I don't remember seeing this in the UDM interface.  

 

 

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Apr 12 2025 2:29 PM
‎Apr 12 2025 2:29 PM

If you only need VPN from the MX, then I would set it up as a VPN concentrator.  The network flow would then be: 

 

Client ---> internet ---> UDM ---> local LAN ---> MX67

 

On the MX set a route saying that everything is available on the UDM if the UDM is routing between the VLANs/subnets.  On the UDM you should only need what you have already created.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
sinh
Conversationalist
‎Apr 23 2025 4:00 PM
‎Apr 23 2025 4:00 PM

thank you very much for this.  after speaking with support the only real thing I was missing was a static route for the new vpn client subnet.  this needed to be added on the UDM to add a static route with the vpn client subnet and set the MX67 as the gateway (or next hop).  once this was done, traffic to everything was good.  nothing more really had to be set on the MX67. 

 

thank you and everyone else for their assistance.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.