(resolved) AWS and vMX100: one-way connectivity from office autoVPN (IN success, OUT fail)

SOLVED
bluecavalry
Here to help

edit:  RESOLVED:  Issue was with AWS Security Groups that someone applied to the servers.

====================================

Hello,

I have an AWS routing issue when using the vMX100, but not sure. Everything worked great with the AWS VPN up. But when the vMX100 was installed (and removed the AWS VPN), we have the following results.

Traffic from our office to AWS
    ping is successful (with reply from AWS servers).

Traffic to office from AWS (over autoVPN)
    Ping fails. Cannot reach devices in office from AWS.
    Can only ping Internet and local VPC instances.

There is no problem connecting to the AWS devices over the autoVPN, but no traffic can be initiated from AWS instances. We have devices trying to sync with other servers in the office, and they are failing.

AWS configuration:
    Routing Table: all routes pointing to vMX instance (except 0.0.0.0/0 and local subnet)
    NACL: wide open both ways.
    AWS Security Group: default (wide open)

vMX100 configuration:
    all auto VPN tunnels came up without issue
    firewall rules are wide-open to/from the Meraki.

Thank you for any help getting this vMX to work in AWS.

edit: This is the document used for the vMX100 install to AWS.

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS

PhilipDAth
Kind of a big deal

So when you say "resolved", you are saying you don't have a problem anymore, correct?

And you are just posting the information to help others?

Yes. I changed the post to "resolved" after I had posted the original help request. You can delete this if you like. Thanks.

Unfortunately, no one replied before I solved it myself.

I tried to delete it. I put the "resolved" in my message so no one would waste their time on it.

Can I give my original post an "Accept as Solution"?

Hi @bluecavalry -

You can't mark an original post as the solution, so I just marked your latest post (which explains how you edited the original post) as the solution.

Cheers!

Caroline S | Community Manager, Cisco Meraki

Which post should I check as "accept as solution"? I could not delete the message. Put "resolved" instead.
mgio_ml
Conversationalist

I just had this same issue plaguing me for a few weeks. Had multiple Cisco and AWS support engineers troubleshoot with me and we could not figure it out until this morning. I wanted to post a more specific solution in case others like me find this and start tearing their hair out:

If you want your EC2 instance to be able to SSH to an on-prem device through Meraki, you need to add an inbound rule to your vMX's security group that allows SSH traffic from the VPC CIDR (or from whatever subnet/individual IP from that block).

There are autogenerated rules from creating a vMX in AWS and SSH is not one of the protocols included because Meraki does not allow SSH into itself (so there would be no need for it in general).
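A quick local audit for exactly this gap, as an added example (my code, not from this thread, Meraki or AWS): it evaluates a security group in the shape of `describe-security-groups` output and reports which flows a VPC host could not send through the vMX. The rule set, group id and VPC CIDR below are constructed placeholders, not the real auto-generated vMX rules, and nothing here calls the AWS API.

```python
"""Audit whether a vMX's security group admits traffic that VPC instances
will forward through it (added example; constructed data, no AWS calls)."""
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups`
# output. Deliberately lacks an SSH rule from the VPC, matching the symptom
# described in the thread. Not the actual auto-generated vMX rule set.
VMX_SG = {
    "GroupId": "sg-vmx-placeholder",
    "IpPermissions": [
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

def _port_matches(perm, proto, port):
    """True if an IpPermission covers this protocol/port ("-1" = all)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != proto:
        return False
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    return lo == -1 or lo <= port <= hi

def sg_allows(sg, proto, port, src_ip):
    """Does any inbound rule admit proto/port from src_ip? (CIDR rules only)"""
    src = ipaddress.ip_address(src_ip)
    for perm in sg["IpPermissions"]:
        if not _port_matches(perm, proto, port):
            continue
        for rng in perm.get("IpRanges", []):
            if src in ipaddress.ip_network(rng["CidrIp"], strict=False):
                return True
    return False

def missing_rules(sg, vpc_cidr, flows):
    """Flows (proto, port) that a host inside vpc_cidr cannot push via the vMX."""
    probe = str(ipaddress.ip_network(vpc_cidr)[1])  # representative VPC host
    return [f for f in flows if not sg_allows(sg, f[0], f[1], probe)]

def with_ingress(sg, proto, port, cidr):
    """Return a copy of sg with one extra inbound CIDR rule (the fix)."""
    rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}
    return {**sg, "IpPermissions": sg["IpPermissions"] + [rule]}
```

Run `missing_rules(VMX_SG, "10.0.0.0/16", [("tcp", 22), ("icmp", 8)])` against your own exported group to see which forwarded flows the vMX's security group would drop before the routing table is even consulted.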
