vMX Medium - Azure - Site-to-Site tunnels never build



Hello All,


I have had 2 support calls on this topic and have been told it needs to go to development. This just can't be, everyone deploying this device would have the same issue.


Fresh deployment, out-of-the-box will not build a 3rd party tunnel (not auto vpn).


Is anyone else having this issue?


@Concertium : not sure if this helps you 



Yes, we have done the deployment many times.

After you deploy a fresh version, the vMX will not build tunnels.


Let me get this straight, you want to set up a Non-Meraki VPN on a vMX, would that be it?

Yes, we have tried a Non-Meraki Firewall (WatchGuard and FortiGate) and a Meraki Firewall MX95 (outside org) and the vMX does not respond/reply to packets.

Meraki is updating its device-to-cloud connectivity to an architecture that was crafted from the ground up to provide even greater security and simplicity for connectivity.


So, you have to follow this:


  • Preshared secret must be greater than 14 characters 
  • Authentication cannot be MD5 
  • Diffie-Hellman Group must be 14 
  • Phase 2 encryption cannot be NULL 
  • PFS can be configured to be either off or 14 



Correct. IKEv2 and RemoteID in use




When you deploy the VMX, you need to make sure you don't select a zone so that a "Basic IP SKU" is used for the VMX.



If you check your VMX and find the IP address is a "Standard IP SKU" then you'll need to delete and re-deploy the VMX.

Thanks for your reply.


Both AnyConnect and Client VPN work without issue. We are not using a zone; it is set to "None". The IP is using a "Basic" SKU.


The problem is with Site-to-Site tunnels not working.


So far I have set up only one tunnel with a non-Meraki peer (virtual ASA), and I was fighting with it for a couple of days.
Switching to IKEv1, the tunnel goes up right away.

There must be a reason why they keep this "red beta sign" next to the field where you can change the IKE version 😉


I would also leave Remote ID empty. I was forced to use Remote ID only once in my lifetime, when setting up a tunnel between a PaloAlto and a vyOS NVA a few years back.
