Meraki

Community

vMX in AWS, Routing remote branch subnets with DirectConnect to OnPremise

Solved
No-Nothin-1859
Here to help
‎Jan 15 2024 2:24 AM
‎Jan 15 2024 2:24 AM

vMX in AWS, Routing remote branch subnets with DirectConnect to OnPremise

Hello Everybody,

 

I am working on a project where i need to set up a vMX in AWS that is deployed in his own VPC. The vMX is in Concentrator mode with a One Arm mode. The Network Interface has an IP in a private subnet that give him also a public IP.

 

This VPC is attached to a Transit Gateway that act as a hub for all VPC and permit inter-VPC traffic.

There is also a Palo ALTO in AWS that filter traffic between VPC.

Also a Direct Connect is here to connect to OnPremise network and the Direct COnnect is attached to the Transit Gateway.

 

I have my remote branch with a SDWAN tunnel to vMX. I can ping resources in the same VPC of the vMX. So Everything is Good.

I can also see my pings reaching OnPremises ressources and going back to AWS.

Even When i try to ping another resource in another VPC i can see the ICMP reaching my resource but the reply never reach vMX.

 

The problem is i never reach vMX from AWS and when the destination is in a remote branch subnet.

 

Anybody gone through a similar use case ?

Thank you 

Labels:
0 Kudos
1 Accepted Solution
In response to PhilipDAth
No-Nothin-1859
Here to help
‎Jan 16 2024 5:36 AM
‎Jan 16 2024 5:36 AM

I finally found the solution. 

In the transit gateway route tables there were 3 route tables. 

I was adding the static route on the wrong one.

thank you all for your help

View solution in original post

9 Replies 9
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 2:32 AM
‎Jan 15 2024 2:32 AM

 
In your case, I would check both of these things.
Make sure your routing tables are configured correctly to allow traffic from vMX to other VPCs and vice versa.
Check your Palo Alto for firewall rules to ensure they are not blocking ICMP responses from reaching vMX.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
No-Nothin-1859
Here to help
‎Jan 15 2024 2:36 AM
‎Jan 15 2024 2:36 AM

Hello,

Thank you for your answer.

Which routing tables are you talking about ?

 

Firewall rules are OK. They are not blocking ICMP.

0 Kudos
In response to No-Nothin-1859
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 2:43 AM
‎Jan 15 2024 2:43 AM

On the transit gateway configuration, it acts as a central hub, routing traffic between VPCs.

 

How transit gateways work - Amazon VPC

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
No-Nothin-1859
Here to help
‎Jan 15 2024 2:45 AM
‎Jan 15 2024 2:45 AM

Yes on the transit gateway, i added a static route for :

destination : remote branch subnet

next hop : vMX VPC

 

But i think when i reach the VPC, it doesn't know where to go for that route. 

0 Kudos
In response to No-Nothin-1859
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 2:51 AM
‎Jan 15 2024 2:51 AM

In this case,I suggest you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 11:18 AM
‎Jan 15 2024 11:18 AM

If the reply from the resource never makes it back to the VMX it must either be a routing issue or a firewall rule.

0 Kudos
In response to PhilipDAth
No-Nothin-1859
Here to help
‎Jan 15 2024 11:15 PM
‎Jan 15 2024 11:15 PM

Yes it is one of them, or maybe a misconfiguration in AWS.

We agree that the vMX has only one interface in a "public subnet" with a private IP RFC1918 and public IP.

 

When i reach back the VPC of the vMX i have a static route towards spokes that point to the EC2 vMX ENI. 

On the transit gateway route table, i create also a static route towards spokes that point to the VPC of the vMX.

 

On the VPC of the resource i have a default route to send all traffic to transit gateway. 

 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 15 2024 11:18 AM
‎Jan 15 2024 11:18 AM

Note that there are both VPC route tables and transit gateway route tables.  Make sure both are correct,

0 Kudos
In response to PhilipDAth
No-Nothin-1859
Here to help
‎Jan 16 2024 5:36 AM
‎Jan 16 2024 5:36 AM

I finally found the solution. 

In the transit gateway route tables there were 3 route tables. 

I was adding the static route on the wrong one.

thank you all for your help

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.