Meraki

Community

vMX100 in AWS - two issues

KevinH
Here to help
‎May 14 2019 7:47 PM
‎May 14 2019 7:47 PM

vMX100 in AWS - two issues

Hello,

 

We've deployed a vMX100 in AWS, but seeing two issues.

 

First the good: I can connect site-to-site VPN to my other physical MX devices as a hub. AutoVPN connects very easily.

 

Issue #1: I can't connect via Client VPN to the vMX100. Seems like it's blocked somewhere, but I have Network ACLs and Security Groups allowing All Traffic to the VPN, Subnet, and Security Group.

 

Issue #2: I can ping the vMX100 from my laptop which is a client of another MX device (and is connected with AutoVPN). But I cannot ping/connect to any EC2 instances behind the vMX100. Although from an EC2 instance, I can ping my laptop. Again, I've checked the ACLs and Security Groups and I've got them as wide open as possible.

 

Any suggestions?

 

Thanks in advance for any help.

0 Kudos
11 Replies 11
SoCalRacer
Kind of a big deal
‎May 15 2019 7:48 AM
‎May 15 2019 7:48 AM

Take a look at this if you haven't already to make sure you have done all the steps.

 

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 15 2019 3:25 PM
‎May 15 2019 3:25 PM

For the client VPN issue make sure you are allowing the below in the AWS rules for the vMX (assuming you are using client VPN to the vMX).

UDP/500

UDP/4500

I would also allow:

IP Protocol 50 (ESP)

 

The hosts in AWS have Windows Firewall disabled?

0 Kudos
In response to PhilipDAth
KevinH
Here to help
‎May 16 2019 7:48 AM
‎May 16 2019 7:48 AM

Hmm, it seems to be working today. I guess it just took time. Longer than I thought. I am going to continue testing and update later.

 

I used Ubuntu server and Windows server EC2 instances for testing. I can connect to both now.

0 Kudos
In response to KevinH
KevinH
Here to help
‎May 16 2019 11:38 AM
‎May 16 2019 11:38 AM

Site-to-site is good now, but my Client VPN still isn't working. I'm not able to connect to the AWS Public IP.

I've checked my security groups and network ACLs. I've got them wide open inbound and outbound. No luck connecting to the public IP.

 

0 Kudos
In response to KevinH
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 16 2019 11:57 AM
‎May 16 2019 11:57 AM

Are you sure you have enabled Client VPN on the vMX?

0 Kudos
In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 16 2019 11:57 AM
‎May 16 2019 11:57 AM

Have you tried ClientVPN from a different Internet connection?

0 Kudos
In response to PhilipDAth
KevinH
Here to help
‎May 16 2019 12:09 PM
‎May 16 2019 12:09 PM

Thank you for your suggestions. Yes, Client VPN is enabled. I just tried tethering my computer to my phone and connecting, but I always get the message that the remote server is not responding. I get the same message from the office, and home. I suspect it's somewhere in AWS, but not sure where.

 

0 Kudos
In response to KevinH
KevinH
Here to help
‎May 16 2019 1:15 PM
‎May 16 2019 1:15 PM

I put a Windows EC2 instance in the same subnet as the vMX100.

Gave it a public IP, has the same security group and network ACL as the vMX100. I am able to RDP to it on its public IP. So I guess there is no network block. (I have everything wide open inbound and outbound.)

 

Does the vMX100 instance itself have a firewall or SELinux or IP filtering on it? I don't have to manually go into it, do I?

 

 

0 Kudos
In response to KevinH
KevinH
Here to help
‎May 16 2019 1:58 PM
‎May 16 2019 1:58 PM

Wow, I can connect to the client VPN from my Android phone with the native Android VPN client.

 

So I guess I'm the problem. (Wouldn't be the first time.)

 

In response to KevinH
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 17 2019 12:50 PM
‎May 17 2019 12:50 PM

In that case, here is the Windows 10 client VPN troubleshooting guide.

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN

In response to PhilipDAth
KevinH
Here to help
‎Jun 19 2019 5:37 PM
‎Jun 19 2019 5:37 PM

Ya, that troubleshooting guide was the lifesaver.

 

I ended up needing a registry key entry to make the Client VPN work. On a different Windows computer, I needed to change a Windows Service startup. So that troubleshooting guide was way more important/useful than I thought.

 

Thanks for your help!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.