site2site VPN to HQ

Dear expert,

Normally, when my branch has a DPLC connection to HQ, I can form a VPN to HQ just fine and fast.

But when my new branch has only internet, and we also use an MX at that branch, we try to form a VPN to HQ via public IP.

The VPN takes so long to start and is not working when pinging the local server or the internet.

My question: did we misconfigure something? Or do we need to allow inbound ports on our internet firewall at HQ? (We use a Palo Alto as the internet firewall.) I don't know if the Palo Alto blocks sessions on these UDP ports or not. Please help verify.


Hi @SopheakMang,

Can you tell me more about your network topology with the MX?

Does your branch have local internet, or does it go via HQ (DPLC)?

In general, if the MX is behind a firewall, there are outbound ports and public IPs that need to be allowed.

You can find out more under Dashboard -> Help -> Firewall info.

Dear Richard,

I have DC and DR (VPN concentrators on the same gateway router (Palo Alto)).

All of my branches have DPLC, but only one branch has local internet (which is not working like the other branches that have local DPLC). These branches are added into the same template, but the branch that has local internet seems unable to peer its VPN to HQ.

On your VPN concentrator, make sure the public IP and ports are allowed on the PA.

Dashboard -> Help -> Firewall info

On the spoke MX, go to Dashboard -> Monitor -> VPN Status and see if you have any error message.
