It's a better design to use Azure DNS anyways because of cloud availability vs. relying on and old server onsite so that makes sense.   If you remove the DNS from powershell, the windows PC should just follow normal networking rules and grab the DNS from whatever you specify on the vMX100.    There must be something up with your powershell script if it keeps assigning the onsite DNS server or maybe you have it defined and or hard-coded on the NIC?  The vMX100 should be assigning the onsite one, maybe try setting up the VPN client manually instead of using powershell as a test and see if you get different behavior.  ... View more

Are you using Azure Server DNS or back to your onsite DNS server?  The internal Azure DNS should just work. If it isn't can you ping that address?  If you can ping it then you might be looking at the issue I had originally with the regedit.  If you can't ping it maybe it's the Azure routing tables.   If you're using your onsite DNS server you need to also allow that local traffic back to the meraki when you're split tunneling.  On powershelll I think you'd need to add another destination.  In this scenario lets just say 192.168.128.0/24 is Azure and 192.168.100.0/24 is your old network with your onsite DNS server.   You'd need to route both private networks back to the vMX100.  Hope that makes sense.   $Destination = "192.168.128.0/24" Add-Vpnconnectionroute -Connectionname $ConnectionName -DestinationPrefix $Destination $Destination = "192.168.100.0/24" Add-Vpnconnectionroute -Connectionname $ConnectionName -DestinationPrefix $Destination ... View more

@PhilipDAth that's what's worked for me in the past.  Just let the vMX100 assign it vs. the poweshell script.    ... View more

Can you specify on the vMX100?   Security & SD-WAN > Client VPN > "Custom nameservers" and enter IP of local DNS server? ... View more

Just a though - why not put a DNS server in Azure and assign it dynamically under "Custom nameservers" instead of trying to distribute DNS via powershell?    Alternatively you could just use an existing internal DNS server and dynamically assign it as long as your client can get from the Meraki back to that internal DNS server that already exists.  That should work assuming you have an MX or something in-front of the non-cloud internal DNS server onsite and it's reachable over VPN.  The first option is probably better because it wouldn't require that link to be up but I think either would work. ... View more

You're right about Azure, based on what I've seen they currently don't want you sending the internet traffic back over the link so it doesn't NAT outbound for remote traffic.  They might have allowed it in the early days with the vMX when there was more than one interface but it doesn't look like an option now. ... View more

This has worked pretty well for us, maybe someone will jump in and offer more options.  You need to use your server address for public IP, connection name VPN whatever you want, the pre-shared key from the MX setup and the local network is the destination.  I am not sure why more people haven't shared, maybe they're holding out for Meraki to make an SSL VPN client or something more simple to deploy.  If anyone has any good group policy deployment guides with powerhsell scripts specific to the Meraki VPN and would share that would be great....   You need to copy and paste this as admin in poweshell after you've adjusted for your own network   Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent AssumeUDPEncapsulationContextOnSendRule -Type DWord -Value 2 -Force $ServerAddress = "x.x.x.x" $ConnectionName = "VPN" $PresharedKey = "presharedkey" $Destination = "192.168.128.0/24" Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -TunnelType L2tp -L2tpPsk "$PresharedKey" -AuthenticationMethod Pap -Force Set-VpnConnection -Name $ConnectionName -SplitTunneling $True Add-Vpnconnectionroute -Connectionname $ConnectionName -DestinationPrefix $Destination ... View more

We've found it useful to just allow certain countries rather than deny a huge list.       ... View more

Progress, I can now connect!  I can also connect locally to hosts on the Azure environment, but my internet is not working. A trace reveals second hop to be a public IP but can't get past it.   I think I read something about Azure not allowing outbound internet traffic from VPN clients, so I'll manually add routes to bypass the default behavior of full tunnel and see if that works...will update after testing is complete.   ... View more

Thanks for this info, I noticed you referenced your case below. I gave that to support since they haven't been of much help. What I've noticed (Site to Site to vShield VMware firewall) with third party VPN - Internet on both sides up - Third party firewall is in a private cloud with multiple carriers - Meraki Auto-VPN's don't drop - I can kick the tunnel off by booting the Meraki - It recovers on its own after about 8 minutes - Event logs always have "Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up" but nothing really useful. Thanks for referencing your case I hope that helps and they dig something up ... View more