vMX100 in AWS - two issues

Here to help

vMX100 in AWS - two issues

Hello,

We've deployed a vMX100 in AWS, but seeing two issues.

First the good: I can connect site-to-site VPN to my other physical MX devices as a hub. AutoVPN connects very easily.

Issue #1: I can't connect via Client VPN to the vMX100. Seems like it's blocked somewhere, but I have Network ACLs and Security Groups allowing All Traffic to the VPN, Subnet, and Security Group.

Issue #2: I can ping the vMX100 from my laptop which is a client of another MX device (and is connected with AutoVPN). But I cannot ping/connect to any EC2 instances behind the vMX100. Although from an EC2 instance, I can ping my laptop. Again, I've checked the ACLs and Security Groups and I've got them as wide open as possible.

Any suggestions?

Thanks in advance for any help.

11 REPLIES
Head in the Cloud

Re: vMX100 in AWS - two issues

Take a look at this if you haven't already to make sure you have done all the steps.

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS

Kind of a big deal

Re: vMX100 in AWS - two issues

For the client VPN issue make sure you are allowing the below in the AWS rules for the vMX (assuming you are using client VPN to the vMX).

UDP/500

UDP/4500

I would also allow:

IP Protocol 50 (ESP)

The hosts in AWS have Windows Firewall disabled?
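
One way to audit this from the AWS side, as an added example that is not from the thread or from Meraki: it takes the IpPermissions list that `aws ec2 describe-security-groups` returns (constructed inline here rather than fetched) and reports which of the three inbound rules is missing. It checks protocol and port only, not the source CIDR of each rule.

```python
"""Check that a security group's inbound rules cover what a vMX needs for
Client VPN: UDP/500, UDP/4500 and IP protocol 50 (ESP).

Added example, not from the thread or Meraki. Input is the IpPermissions
structure of `aws ec2 describe-security-groups` (boto3 / AWS CLI JSON).
"""

REQUIRED = [
    ("udp", 500),
    ("udp", 4500),
    ("50", None),   # ESP has no ports; AWS encodes it by protocol number
]


def rule_allows(perm, proto, port):
    """Return True if one IpPermissions entry covers proto/port."""
    rule_proto = str(perm.get("IpProtocol", ""))
    if rule_proto == "-1":          # "All traffic" rule
        return True
    if rule_proto != proto:
        return False
    if port is None:                # protocol without ports (ESP)
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:   # all ports of the protocol
        return True
    return lo <= port <= hi


def missing_client_vpn_rules(ip_permissions):
    """List the (proto, port) tuples not covered by any inbound rule."""
    return [
        (proto, port)
        for proto, port in REQUIRED
        if not any(rule_allows(p, proto, port) for p in ip_permissions)
    ]


# Constructed sample: the common mistake of opening only IKE (UDP/500).
SG_IKE_ONLY = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Constructed sample: the three rules recommended in the reply above.
SG_COMPLETE = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "50", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for name, sg in (("ike-only", SG_IKE_ONLY), ("complete", SG_COMPLETE)):
        gaps = missing_client_vpn_rules(sg)
        print(f"{name}: {'OK' if not gaps else 'missing ' + str(gaps)}")
```

In practice you would pass `describe_security_groups(...)["SecurityGroups"][i]["IpPermissions"]` from boto3 in place of the constructed lists; the network ACL must of course permit the same traffic, which this check does not cover.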

Here to help

Re: vMX100 in AWS - two issues

Hmm, it seems to be working today. I guess it just took time. Longer than I thought. I am going to continue testing and update later.

I used Ubuntu server and Windows server EC2 instances for testing. I can connect to both now.

Here to help

Re: vMX100 in AWS - two issues

Site-to-site is good now, but my Client VPN still isn't working. I'm not able to connect to the AWS Public IP.

I've checked my security groups and network ACLs. I've got them wide open inbound and outbound. No luck connecting to the public IP.

Kind of a big deal

Re: vMX100 in AWS - two issues

Are you sure you have enabled Client VPN on the vMX?

Kind of a big deal

Re: vMX100 in AWS - two issues

Have you tried ClientVPN from a different Internet connection?

Here to help

Re: vMX100 in AWS - two issues

Thank you for your suggestions. Yes, Client VPN is enabled. I just tried tethering my computer to my phone and connecting, but I always get the message that the remote server is not responding. I get the same message from the office, and home. I suspect it's somewhere in AWS, but not sure where.

Here to help

Re: vMX100 in AWS - two issues

I put a Windows EC2 instance in the same subnet as the vMX100.

I gave it a public IP, and it has the same security group and network ACL as the vMX100. I am able to RDP to it on its public IP. So I guess there is no network block. (I have everything wide open inbound and outbound.)

Does the vMX100 instance itself have a firewall or SELinux or IP filtering on it? I don't have to manually go into it, do I?

Here to help

Re: vMX100 in AWS - two issues

Wow, I can connect to the client VPN from my Android phone with the native Android VPN client.

So I guess I'm the problem. (Wouldn't be the first time.)

Kind of a big deal

Re: vMX100 in AWS - two issues

In that case, here is the Windows 10 client VPN troubleshooting guide.

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN

Here to help

Re: vMX100 in AWS - two issues

Ya, that troubleshooting guide was the lifesaver.

I ended up needing a registry key entry to make the Client VPN work. On a different Windows computer, I needed to change a Windows Service startup. So that troubleshooting guide was way more important/useful than I thought.

Thanks for your help!
