
vMX100 Azure Cloud

Conversationalist

Re: vMX100 Azure Cloud

Because of the lock problem with my 2 vMX, I was not able to stop 2 VMs in Azure. I opened a case with Meraki support and here is their response. I did it and it worked fine. 

"When the appliance is created and you create a new Resource group it also creates another read only resource group. This is what is locked and caused a lot of the issues as I create the network during setup it became read only affecting the rest of our Azure setup. If you need to delete the appliance and start again you need to do the following:
1) Bring up all the resource groups in the Azure portal.
2) Open the resource group that you created in the guide above.
3) In this resource group you will see a managed application which is a large bunch of letters and numbers. This is also the name of the lock that is in the read only resource group. If you delete this managed application it will also delete the read only resource group and the locks allowing you to start again."

Conversationalist

Re: vMX100 Azure Cloud

Same problem here. Ping is working fine between the MX and the vMX but cannot go further.
"Still having some issues pinging from Azure to our on-prem site, but I think that could be resolved once we look into the routings a bit more."
Have you solved that one?
Kind of a big deal

Re: vMX100 Azure Cloud

@LucPaquet Did you set up the route table per the documentation? I have a vMX deployed and have no issues pinging from on-prem to the servers in Azure. 

MRCUR | CMNO #12
Here to help

Re: vMX100 Azure Cloud

From where do you ping? From a VM in a classic resource model there are problems with the routing because you have no gateway traffic if you peered it with the new resource network. From a new ARM model deployed VM and a routing table in the vMX resource group I can ping any machine in our subnets. The routing table must contain all subnets outside this Azure location with the vMX as gateway. Does your routing table contain all subnets and the vMX as gateway? Did you set up all local network scopes in the Meraki dashboard for this Meraki network location?

Conversationalist

Re: vMX100 Azure Cloud

Hi

Pings that are OK

- MX (192.168.1.1) <--> vMX (10.1.1.4)

- Mac (192.168.1.22) <--> MX (192.168.1.1)

- vMX(10.1.1.4) <--> VMwin2016(10.1.1.5)

 

Pings that are not OK

- MX <--> VMwin2016

- vMX <--> Mac

- Mac <--> VMwin2016

 

The GTW for PC is the MX and for the PC2 is the vMX. Both MX and vMX are in a DMZ with natting. 

I'm new to Azure, what do you mean by ARM? How do I check what I used?

Thanks

Kind of a big deal

Re: vMX100 Azure Cloud

@LucPaquet Hmm, the vMX shouldn't be set as the gateway for any of your Azure VM's. You need to create a route table in the VNET where your VM's reside that has your vMX as the next hop. That way Azure will take care of the routing. Make sure you update the vMX routes in Dashboard too. 

 

ARM is Azure Resource Manager and is the "new" way of managing resources inside of Azure (everything goes into resource groups). If you've recently set everything up, you're most likely using ARM as it's been around for a bit now. 

MRCUR | CMNO #12
Comes here often

Re: vMX100 Azure Cloud

Any idea when the vMX100 will be available in Azure CSP? We have customers who use Meraki appliances at HQ and branch offices; the servers are in Azure CSP. Now they cannot connect all locations together. 

Meraki does not support IKEv2, vMX100 is the only solution to get all locations connected, however, vMX100 does not work in CSP, we have been stuck for months now.

Help Please. 

Here to help

Re: vMX100 Azure Cloud

In this case I would open a support case in the Meraki dashboard and ask a support technician.
Kind of a big deal

Re: vMX100 Azure Cloud


@JohnS wrote:

Any idea when the vMX100 will be available in Azure CSP? We have customers who use Meraki appliances at HQ and branch offices; the servers are in Azure CSP. Now they cannot connect all locations together. 

Meraki does not support IKEv2, vMX100 is the only solution to get all locations connected, however, vMX100 does not work in CSP, we have been stuck for months now.

Help Please. 


@MerakiDave Can you check if there is a FR for the vMX to support CSP billing in Azure? 

MRCUR | CMNO #12
Conversationalist

Re: vMX100 Azure Cloud

I restarted my proof of concept site-to-site VPN (MX and vMX) in Azure.
I'm lost. Here is my setup:

2 Windows 10 VM in Azure, both in the same vNet as the vMX, one in the same subnet, 
Windows 10 - 1 : 10.0.0.x and a public IP
Windows 10 - 2 : 10.0.2.x and a public IP
vMX : 10.0.0.4
Azure Route table 1 - 10.0.0.0/24 next hop : 10.0.0.4
Azure Route table 2 - 10.0.2.0/24 next hop : 10.0.0.4
MX - 192.168.1.1

MX and vMX can ping each other.
That's the only thing the vMX can ping. Both Windows 10 are not able to ping each other. 
Windows Firewalls are turned OFF on both Windows 10 and Azure NSG is open to any-any for inbound and outbound.

Route tables in the MX and vMX network are perfect.

So, why can the vMX and the 2 Windows 10 VMs not see each other?

Kind of a big deal

Re: vMX100 Azure Cloud

@LucPaquet Two things: 

 

1) I'm not sure it's supported to have the vMX in the same VNET as VM's. I would recommend creating a VNET just for the vMX to sit inside. The vMX should get an IP from this VNET and this VNET should NOT have a route table attached to it. 

 

2) See attached screenshot of the local networks configured on the "Site-to-site VPN" page. Make sure you have the VNET your VM's are in configured at a minimum. I also have the VNET I use for the vMX only so I can ping it from on-prem for monitoring.

[Screenshot: vMX Local Networks]

MRCUR | CMNO #12
Conversationalist

Re: vMX100 Azure Cloud

@MRCUR - I'll do that tonight

 

Question: Do I have to peer the 2 vNET in Azure or the vMX will do the job?

 

Thanks

Comes here often

Re: vMX100 Azure Cloud

Can we terminate the client to site VPN into the vMX just like what we do with the physical appliance?

 

Kind of a big deal

Re: vMX100 Azure Cloud

@LucPaquet No need to do any VNET peering. Just make sure you have the route table set up on the VNET for VM's to point to the vMX IP. You don't need any route tables on the VNET the vMX is in. 

MRCUR | CMNO #12
Kind of a big deal

Re: vMX100 Azure Cloud

@JohnS I believe client VPN is available on the vMX but have not confirmed if it works. The config is available in Dashboard though. 

MRCUR | CMNO #12
Conversationalist

Re: vMX100 Azure Cloud

@MRCUR I did a new vNET-subnet and put a Win10 there.... and still no way to ping between the VM and the vMX.

 

If you're up for the challenge to resolve my issue....

 

https://drive.google.com/drive/folders/1qhdXhyeHAr68ZenRvfj_-2Ot90Io4ajc?usp=sharing

 

You will find there a lot of stuff. 

 

You could reach me with : luc.paquet@gmail.com

 

Thanks

Kind of a big deal

Re: vMX100 Azure Cloud

@LucPaquet I think your route table in Azure is the issue. It looks like you're using 192.168.1/2/3.X/24 on-prem, correct? 

 

You need routes in the Azure route table for those subnets so the VM's in Azure know to route traffic to those subnets via the vMX. Your on-prem MX already has a route to the vMX 192.168.4.0/24 subnet. 

 

Take a look at the screenshot of my route table in Azure. 192.168.161.4 is my vMX in Azure while the other subnets are all used on-prem. The 192.168.162.0/24 subnet is what the VM's in Azure use. 

 

Screen Shot 2018-01-30 at 9.27.06 AM.png

MRCUR | CMNO #12
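The route-table advice in the reply above can be checked mechanically. The following is an added example, not code from the thread or from Meraki: `audit_route_table` and its dictionary format are hypothetical, and the sample data is constructed from the addresses posted earlier, with the /24 on-prem subnets and the 10.0.0.0/16 VNet address space assumed.

```python
import ipaddress

VMX_HOP = "VirtualAppliance"  # Azure next-hop type for a forwarding VM such as the vMX

def audit_route_table(routes, onprem_subnets, vnet_space, vmx_ip):
    """Check a VM subnet's route table against the on-prem subnets behind the vMX.

    no_route      - on-prem subnets that no route in the table covers
    wrong_hop     - on-prem subnets whose most specific route is not the vMX
    local_via_vmx - prefixes inside the VNet itself that are sent to the vMX
    """
    vmx = ipaddress.ip_address(vmx_ip)
    vnet = ipaddress.ip_network(vnet_space)
    table = []
    for r in routes:
        hop = r.get("next_hop_ip")
        to_vmx = (r["next_hop_type"] == VMX_HOP and hop is not None
                  and ipaddress.ip_address(hop) == vmx)
        table.append((ipaddress.ip_network(r["prefix"]), to_vmx))

    findings = {"no_route": [], "wrong_hop": [], "local_via_vmx": []}
    for subnet in map(ipaddress.ip_network, onprem_subnets):
        # Longest-prefix match over the routes that cover this subnet.
        covering = [(p, v) for p, v in table if subnet.subnet_of(p)]
        if not covering:
            findings["no_route"].append(str(subnet))
        elif not max(covering, key=lambda pv: pv[0].prefixlen)[1]:
            findings["wrong_hop"].append(str(subnet))
    findings["local_via_vmx"] = [str(p) for p, v in table if v and p.subnet_of(vnet)]
    return findings

def via_vmx(prefix, vmx_ip="10.0.0.4"):
    """Build one route entry that uses the vMX as next hop."""
    return {"prefix": prefix, "next_hop_type": VMX_HOP, "next_hop_ip": vmx_ip}

# Constructed sample data modelled on the setup posted in the thread.
ONPREM = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]  # assumed /24s
VNET = "10.0.0.0/16"  # assumed VNet address space
AS_POSTED = [via_vmx("10.0.0.0/24"), via_vmx("10.0.2.0/24")]  # Azure-side prefixes only
AS_ADVISED = [via_vmx(p) for p in ONPREM]  # one route per on-prem subnet

if __name__ == "__main__":
    for name, table in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        print(name, audit_route_table(table, ONPREM, VNET, "10.0.0.4"))
```

The check only considers routes that cover a whole on-prem subnet; a route for a smaller prefix inside one of them is not evaluated.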
Conversationalist

Re: vMX100 Azure Cloud

@MRCUR big thanks. I'll try that right now.

Getting noticed

Re: vMX100 Azure Cloud

@AbhilashRN @MRCUR

 

I seem to have run into this same issue.

 

I want to make sure that I am understanding this correctly. I have a couple of questions.

 

1. Before I start the vMX deployment I need to create a RG and a VNet?

2. Your step 3) At this point select that VNet. What about the subnet? Does that also need to be pre-created or can that be done during the deployment? Or do I just leave that as default?

3. If I want to have the vMX in a /24, but I also want several other /24's available for VM's, how do I accomplish that?

 

Very new to Azure, any help would be greatly appreciated.

 

 

Kind of a big deal

Re: vMX100 Azure Cloud

@bholmes12 I'll try to answer these as best I can from memory:

 

1) Before you deploy the vMX, you should have two resource groups. One of them should be for your servers, the other should only be for the vMX. You should also create the VNet you want the vMX to be in ahead of time and place this in the first resource group - NOT the RG that's only for the vMX. 

 

2) Pick the VNet that is in the first RG. This will be the VNet that the vMX gets an IP from. I use a dedicated subnet in the VNet just for the vMX. 

 

3) Add multiple subnets to the VNet. As an example, I use the 192.168.0.0/16 address space for my VNet. This is set on the "Address space" page under the VNet. Under the "Subnets" page, I then have multiple /24's defined (within the 192.168.X.X space). One of these I call vMX-Net and it is the /24 I use for the vMX and nothing else. 

 

One other thing - when you create the route table for the vMX, you should create this in the RG that is only for the vMX. Don't create the route table in the RG you use for other servers. After you've deployed the vMX, don't add anything else to the vMX RG. 

MRCUR | CMNO #12
New here

Re: vMX100 Azure Cloud

Hello together,

 

I have a problem making changes to the VNet configuration. The problem is that the Meraki managed application locked the resource group in Azure. In this case I want to remove the lock from the resource group but I get an error message that this change is not possible. 

 

Does anybody have some ideas to solve my problem of removing the lock on the resource group? I want to move the resource to another resource group and recreate the lock.

 

Thanks for your help.

 

Best regards 

Christian

 

Kind of a big deal

Re: vMX100 Azure Cloud

@Christian87 See my post here: https://community.meraki.com/t5/Security-SD-WAN/vMX100-Azure-Cloud/m-p/12205/highlight/true#M2969

 

You cannot remove the lock on the resource group the vMX is deployed in. Because of this, you need to place the vnet in another RG. Nothing should be in the RG with the vMX as it will be locked during the deployment. You'll need to redeploy the vMX to correct this. 

MRCUR | CMNO #12
Conversationalist

Re: vMX100 Azure Cloud

Hi Christian,

 

I just wrote a blog post on my experiences with the vMX on Azure: https://aboutnetworks.net/deploy-a-cisco-meraki-vmx-into-azure/

 

The lock is normal on this resource-group. You don't need to touch this resource-group.

 

For the static route in the Azure route table, you should associate your server(s) subnet(s), not the vMX subnet as specified in the Meraki documentation.

 

I hope this helps.

Best Rgds,

Jerome
