Hello,

We would like to implement full traffic routing from one of our remote sites (behind an MX68) to a Public WiFi provider through an existing IPsec VPN tunnel established in our central datacenter.

Current Architecture
- Remote site connected via SD-WAN (AutoVPN) to our central site
- Remote MX: MX68 (Spoke)
- Central MX: MX250 (Hub)
- Remote site LAN subnet: 192.168.50.0/25
- IPsec tunnel (Datacenter ↔ Public WiFi Provider)
- Remote provider subnet behind IPsec: 172.21.0.0/30
- Provider cloud equipment IP: 172.21.0.2

Current Status
- Traffic from the remote site (192.168.50.0/25) successfully reaches the central site through SD-WAN (AutoVPN).
- From the central site, traffic properly traverses the IPsec tunnel.
- We can successfully reach the provider subnet (172.21.0.0/30) from the remote site.
- End-to-end connectivity between 192.168.50.0/25 and 172.21.0.0/30 is working correctly.

Requirement
The Public WiFi provider will soon enforce traffic filtering. Therefore, we must redirect all traffic originating from the remote site subnet (192.168.50.0/25) to the provider's cloud equipment (172.21.0.2) through the existing IPsec tunnel.
In other words, we need to implement a source-based default route so that all outbound traffic from 192.168.50.0/25 uses 172.21.0.2 as next hop via the IPsec tunnel.

Issue Encountered
When attempting to configure a source-based default route on the MX, we receive the following error:
"There were errors in saving this configuration: The source-based route 'UCOPIA' has an invalid next hop IP. The IP address 172.21.0.2 is not on a configured subnet."
It appears that the MX does not accept 172.21.0.2 as a valid next hop because it is not part of a locally configured subnet, even though it is reachable via the IPsec VPN.

Main Problem
We are unable to redirect all traffic from 192.168.50.0/25 to 172.21.0.2. The route to 172.21.0.0/30 is known and works with a ping!
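The error quoted in the post draws a distinction that is easy to miss: a next hop being *reachable* (a route to 172.21.0.0/30 exists over AutoVPN and the hub's IPsec tunnel, so ping works) is not the same as it being *on-link* (inside a subnet configured on the MX itself), and the dashboard validates the latter. The script below is an added illustration of that check, not code from the original post or from Cisco Meraki; it uses the subnets stated in the post and treats 192.168.50.1 (a hypothetical on-link address on the remote LAN) and the route table entries as assumptions.

```python
"""Distinguish 'reachable via a route' from 'on a configured subnet' for a
candidate source-based-route next hop. Added example; assumptions are marked."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Taken from the post: the only LAN subnet configured on the remote MX68.
LOCAL_SUBNETS = {
    "Remote site LAN": ipaddress.ip_network("192.168.50.0/25"),
}

# Constructed route table (assumption): prefixes the MX68 can reach but that are
# NOT locally configured. The provider /30 is learned through the AutoVPN hub,
# which forwards it into the datacenter's IPsec tunnel.
REMOTE_ROUTES = {
    ipaddress.ip_network("172.21.0.0/30"): "AutoVPN hub (MX250) -> IPsec to provider",
}


@dataclass
class NextHopCheck:
    next_hop: str
    on_link_subnet: Optional[str]   # name of the local subnet containing the hop
    reachable_via: Optional[str]    # non-local route that covers the hop, if any

    @property
    def accepted(self) -> bool:
        # Mirrors the dashboard error: only an on-link next hop is valid,
        # regardless of whether a VPN route to it exists.
        return self.on_link_subnet is not None

    @property
    def explanation(self) -> str:
        if self.accepted:
            return f"{self.next_hop} is on configured subnet '{self.on_link_subnet}'"
        if self.reachable_via:
            return (f"{self.next_hop} is reachable via {self.reachable_via}, "
                    f"but is not on a configured subnet (rejected)")
        return f"{self.next_hop} is neither on-link nor covered by a known route"


def check_next_hop(next_hop: str) -> NextHopCheck:
    """Classify a next hop as on-link, reachable-only, or unknown."""
    ip = ipaddress.ip_address(next_hop)
    on_link = next((name for name, net in LOCAL_SUBNETS.items() if ip in net), None)
    # Longest-prefix match over the non-local routes.
    via = None
    for net in sorted(REMOTE_ROUTES, key=lambda n: n.prefixlen, reverse=True):
        if ip in net:
            via = REMOTE_ROUTES[net]
            break
    return NextHopCheck(next_hop, on_link, via)


if __name__ == "__main__":
    # 172.21.0.2 is the provider address from the post; 192.168.50.1 is a
    # hypothetical on-link address chosen to show the accepted case.
    for hop in ("172.21.0.2", "192.168.50.1", "10.99.0.1"):
        print(check_next_hop(hop).explanation)
```

Running it shows why the ping succeeds while the route is rejected: 172.21.0.2 matches only a learned route, not a configured subnet, so `accepted` is False, whereas an address inside 192.168.50.0/25 passes. Whatever the final design (for example, a next hop that is actually on-link at the site or the hub), this is the property the MX is validating.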