vMX Medium - Azure - Site-to-Site tunnels never build

Concertium
Comes here often

vMX Medium - Azure - Site-to-Site tunnels never build

Hello All,

 

I have had 2 support calls on this topic and have been told it needs to go to development. This just can't be, everyone deploying this device would have the same issue.

 

Fresh deployment, out-of-the-box will not build a 3rd party tunnel (not auto vpn).

 

Is anyone else having this issue?

9 REPLIES 9
Inderdeep
Kind of a big deal

@Concertium : not sure if this helps you 

https://documentation.meraki.com/MX/MX_Installation_Guides/vMX_Setup_Guide_for_Microsoft_Azure

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com

Yes, we have done the deployment many times.

After you deploy a fresh version. The vMX will not build tunnels.

alemabrahao
Kind of a big deal

Let me get this straight, you want to set up a Non-Meraki VPN on a vMX, would that be it?

Yes, we have tried a Non-Meraki Firewall (WatchGuard and FortiGate) and a Meraki Firewall MX95 (outside org) and the vMX does not respond/reply to packets.

Meraki is updating its device-to-cloud connectivity to an architecture that was crafted from the ground up to provide even greater security and simplicity for connectivity.

 

So, you have to follow this:

 

  • Preshared secret must be greater than 14 characters 
  • Authentication cannot be MD5 
  • Diffie-Hellman Group must be 14 
  • Phase 2 encryption cannot be NULL 
  • PFS can be configured to be either off or 14 

 

 

Correct. IKEv2 and RemoteID in use

Concertium_0-1672430926801.png

 

PhilipDAth
Kind of a big deal

When you deploy the VMX, you need to make sure you don't select a zone so that a "Basic IP SKU" is used for the VMX.

https://community.meraki.com/t5/Documentation-Feedback-Beta/VMX-with-client-VPN-or-AnyConnect/m-p/14... 

 

If you check your VMX and find the IP address is a "Standard IP SKU" then you'll need to delete and re-deploy the VMX.

Thanks for your reply.

 

Both AnyConnect and Client VPN, work without issue. We are not using a zone. it is set to "None" The IP using a "Basic" SKU

 

The problem is with Site-to-Sites tunnels not working

rabusiak
Getting noticed

So far I setup only one tunnel with non-Meraki peer (virtual ASA) and I was fighting with it for couple of days.
Switching to IKEv1 and tunnel goes up right away.

There must be a reason why they keep this "red beta sign" next to the filed where you can change IKE version 😉

rabusiak_0-1674146456800.png

I would also leave Remote ID empty. Was forced to used Remote ID only once in my lifetime - when setting up tunnel between PaloAlto and vyOS nva few years back.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels