vMX100 in AWS - two issues

KevinH
Here to help

Hello,

We've deployed a vMX100 in AWS, but seeing two issues.

First the good: I can connect site-to-site VPN to my other physical MX devices as a hub. AutoVPN connects very easily.

Issue #1: I can't connect via Client VPN to the vMX100. Seems like it's blocked somewhere, but I have Network ACLs and Security Groups allowing All Traffic to the VPN, Subnet, and Security Group.

Issue #2: I can ping the vMX100 from my laptop which is a client of another MX device (and is connected with AutoVPN). But I cannot ping/connect to any EC2 instances behind the vMX100. Although from an EC2 instance, I can ping my laptop. Again, I've checked the ACLs and Security Groups and I've got them as wide open as possible.

Any suggestions?

Thanks in advance for any help.

SoCalRacer
Kind of a big deal

Take a look at this if you haven't already to make sure you have done all the steps.

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS

PhilipDAth
Kind of a big deal

For the client VPN issue make sure you are allowing the below in the AWS rules for the vMX (assuming you are using client VPN to the vMX).

UDP/500

UDP/4500

I would also allow:

IP Protocol 50 (ESP)

The hosts in AWS have Windows Firewall disabled?
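The inbound rules listed above are easy to check mechanically. The following is an added example, not code from this thread or from Meraki: it inspects the IpPermissions structure that `aws ec2 describe-security-groups` (or boto3) returns for a security group and reports which of the Client VPN rules (UDP/500, UDP/4500, IP protocol 50) are not allowed from a given source. The rule sets below are constructed inline, so nothing talks to AWS; the labels and helper names are this example's own. Note that, as the rest of the thread shows, a clean result here only rules out the AWS side; the block can still be on the client.

```python
"""Check an AWS security group's inbound rules for vMX Client VPN reachability.

Added example (not from the thread): walks the IpPermissions list that
describe-security-groups / boto3 returns and reports missing IPsec rules.
"""

# Inbound rules the vMX Client VPN listener needs: IKE on UDP/500, NAT-T on
# UDP/4500, and ESP (IP protocol 50) for clients that are not behind NAT.
# Labels are ours; the (protocol, port) pairs match the thread's advice.
REQUIRED = {
    "ike udp/500": ("udp", 500),
    "nat-t udp/4500": ("udp", 4500),
    "esp (ip protocol 50)": ("50", None),
}


def _rule_allows(perm, proto, port):
    """True if one IpPermissions entry covers proto/port (port None = no ports)."""
    rule_proto = str(perm.get("IpProtocol", ""))
    if rule_proto == "-1":          # AWS "All traffic" rule
        return True
    if rule_proto != proto:
        return False
    if port is None:                # ESP carries no port numbers
        return True
    lo = perm.get("FromPort", -1)
    hi = perm.get("ToPort", -1)
    if lo == -1 and hi == -1:       # whole protocol, all ports
        return True
    return lo <= port <= hi


def _rule_source_ok(perm, source_cidr):
    """True if the rule's IPv4 ranges include source_cidr or allow everywhere."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    return "0.0.0.0/0" in cidrs or source_cidr in cidrs


def missing_client_vpn_rules(ip_permissions, source_cidr="0.0.0.0/0"):
    """Return labels of REQUIRED rules that no inbound rule allows from source_cidr."""
    missing = []
    for label, (proto, port) in REQUIRED.items():
        if not any(_rule_allows(p, proto, port) and _rule_source_ok(p, source_cidr)
                   for p in ip_permissions):
            missing.append(label)
    return missing


# Constructed sample rule sets in the shape of SecurityGroups[n]["IpPermissions"].
WIDE_OPEN = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

RDP_ONLY = [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

NO_ESP = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Same as NO_ESP but restricted to one office range (constructed address).
OFFICE_ONLY = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 4500,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    {"IpProtocol": "50", "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
]

if __name__ == "__main__":
    for name, perms in [("wide open", WIDE_OPEN), ("rdp only", RDP_ONLY),
                        ("no esp", NO_ESP), ("office only", OFFICE_ONLY)]:
        print(f"{name}: missing {missing_client_vpn_rules(perms) or 'nothing'}")
    print("office only, from phone tether:",
          missing_client_vpn_rules(OFFICE_ONLY, source_cidr="203.0.113.7/32"))
```

The `source_cidr` argument is what makes the "try from a different Internet connection" test reproducible: a rule set that passes for the office range can still fail for a tethered phone. Network ACLs are stateless and are not covered here; they need the same ports allowed in both directions, including the ephemeral reply ports.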

Hmm, it seems to be working today. I guess it just took time. Longer than I thought. I am going to continue testing and update later.

I used Ubuntu server and Windows server EC2 instances for testing. I can connect to both now.

Site-to-site is good now, but my Client VPN still isn't working. I'm not able to connect to the AWS Public IP.

I've checked my security groups and network ACLs. I've got them wide open inbound and outbound. No luck connecting to the public IP.

PhilipDAth
Kind of a big deal

Are you sure you have enabled Client VPN on the vMX?

Have you tried ClientVPN from a different Internet connection?

Thank you for your suggestions. Yes, Client VPN is enabled. I just tried tethering my computer to my phone and connecting, but I always get the message that the remote server is not responding. I get the same message from the office, and home. I suspect it's somewhere in AWS, but not sure where.

I put a Windows EC2 instance in the same subnet as the vMX100.

I gave it a public IP; it has the same security group and network ACL as the vMX100. I am able to RDP to it on its public IP, so I guess there is no network block. (I have everything wide open inbound and outbound.)

Does the vMX100 instance itself have a firewall or SELinux or IP filtering on it? I don't have to manually go into it, do I?

Wow, I can connect to the client VPN from my Android phone with the native Android VPN client.

So I guess I'm the problem. (Wouldn't be the first time.)

PhilipDAth
Kind of a big deal

In that case, here is the Windows 10 client VPN troubleshooting guide.

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN

Ya, that troubleshooting guide was the lifesaver.

I ended up needing a registry key entry to make the Client VPN work. On a different Windows computer, I needed to change a Windows Service startup. So that troubleshooting guide was way more important/useful than I thought.

Thanks for your help!
