Guest Wi-Fi tunnel back to HQ MX

TSarge
New here

I have a working 7 AP (MR34) deployment in our HQ.  We drop corporate traffic onto a VLAN on the internal network.  We tunnel guest wi-fi to our MX100 which is DHCP server for Guest SSID.  All is well in HQ.

I'd like to begin deploying APs in our branch locations.  I was told I could deploy additional MR34/MR33 APs in our branches, drop corporate traffic on the internal network, AND tunnel guest wi-fi back to our MX100 in HQ for DHCP and internet access.  I can't seem to get this to work.  Internal corporate traffic works fine.  Guest wi-fi is not working.  I am using a template to deploy both SSIDs.  Guest SSID is set for VPN to "Tunnel to "my appliance" on VLAN xxx".  Branch locations are connected via 20Mb MPLS/ELAN services, layer 3, any to any connectivity.

Has anyone successfully deployed guest wi-fi in this manner?  Tunneling back to an MX at another location?

RyanB
Meraki Employee

This is absolutely something you should be able to easily do, and is a very common deployment technique. 

If you press the test connectivity button when you select the VPN options on the Wireless > Access Control page does the test come back okay? -- I'm wondering if the remote AP is having a hard time building the tunnel back to your MX. 

TSarge
New here

The test fails: "1 access point failed to connect to the concentrator".  SSID is set for VPN: tunnel data to a concentrator.  I only have the one MX appliance that is selected as the concentrator.  VLAN tagging is set to Concentrate traffic on VLAN XXX - Guest_WiFi.  VPN tunnel type is Full Tunnel.  All of these settings were suggested by Meraki support.

I have verified that the MX has a route to the network the branch AP lives on.  The "Meraki Magic" that happens in the cloud management is supposed to build the tunnel from the remote AP to the MX in my HQ, correct?  I've got to be missing something....

RyanB
Meraki Employee

It's likely that the Meraki AP and the MX can't talk somehow. 

The MX needs a route to the management IP of the AP and the reverse is true that the AP needs to be able to get back to the MX.

I would start by checking to make sure the AP can ping the MX using the Live Tools on the AP page.

If that works, I would consider any firewall in the path, etc. 

TSarge
New here

Thanks.  I've used the Live Tools to verify that the MX can ping the AP LAN IP of 10.xx.15.9, and the AP can ping the MX management IP of 10.XXX.255.223.  3ms average response time, no packet loss.  It appears they have connectivity across my WAN.  There are no firewalls between the AP and the MX.

This one has me stumped.  I'm very appreciative of the suggestions.  Got any more?

RyanB
Meraki Employee

Feel free to PM me your email address or a dashboard link if you want me to have a quick look.

But ultimately I'd suggest getting in contact with support who can deep dive in with you and see why this may be failing.

ColinKUK
Conversationalist

Today we have the same issue (?) with several sites; two already existing on the internal MX and two moved from a provider MX to the internal MX. The APs are connected to the internal MX but the 'tunnel' test fails. Yet, we have many other sites' APs working fine on the internal MX.

A symptom is the Guest SSID is not broadcast.

If we move an AP back to the provider's MX the Guest Wifi re-appears and clients get connected.

What was the resolution to the original post?

PhilipDAth
Kind of a big deal

How does the AP talk to the MX?  Over the Internet?  Over a WAN?
