I did this yesterday.   We have an Meraki vMX in Azure. We couldnt detach the Basic IP from it since it was locked. It was deployed about 2,5 years ago.   We have a Site 2 Site from Azure vMX to onprem Meraki and also from Azure vMX to onsite Fortigate.   And we also use AnyConnect for User VPN.   Here is what we did. Remove appliance from Network in Meraki Dashboard. Then we was able to add vMX in the same Network. We added it.   Create vMX in Azure, put it in the same Subnet as the old one. It got a new internal IP from that Subnet.   In Azure change the Route Table so that Next Hop IP Address points to the new IP-address of the vMX.   Activate Hub in Site 2 Site VPN in Meraki Dashboard for the Meraki vMX.   Create an NSG in Azure for the vMX. Created two Inbound Rules. RULE 1 for Site 2 Site with Fortigate: Source: Any (or public ip in Fortigate site) Source port ranges: * Destination: IP Addresses Destination IP addresses/CIDR ranges: The vMX internal IP Address Service: Custom Destination port ranges: 500,4500 Protocol: UDP Action: Allow Priority: 100   RULE 2 for AnyConnect: Source: Any Source port ranges: * Destination: IP Addresses Destination IP addresses/CIDR ranges: The vMX internal IP Address Service: HTTPS Destination port ranges: 443 Protocol: TCP Action: Allow Priority: 110   The vMX had the same DNS-name in Meraki Dashboard as before.   Deleted the old Managed Application in Azure.   Thats pretty much all. ... View more

Great answer. 🙂 That gave me some hope. Thank you again. ... View more

I was afraid of that. 😞 Thank you for the answer. ... View more

Hi! We have Windows Server 2016 and MS Network Policy Server installed. All ports are for now opened, in and out.   The Network contains of one Hub and multiple Spoke. This MX is a spoke.   All MX have a VPN connection to our servercloud where the Network Policy Server is. It's an VMWare Edge, so Non-Meraki Site to Site VPN.   There are no event logs with those eventIDs on the Policy Server.   The MX can ping the Policy Server both on LAN and on Internet. ... View more

Delete. Wrong post. ... View more

Thanks, I will look at that. Right now nothing works. I can't even connect with Cloud Authentication.   Have setup this a few times before but this setup is haunted by evil spirits or something.   Maybe it is my clients thats is the problem. But I can connect to other Meraki VPN.   Need to start over and verify every step. ... View more

Have tried ping from MX to internal Radius-server with success. When I capture from LAN while trying to connect I get nothing about radius in the log.   When the client is trying to connect it fails right away with error. ... View more

Hi!   I have a bunch of sites and one Hub-site.   Hub-site is 10.10.10.0/24   Then I have following Spoke-sites Site 2: 10.10.111.0/24 Site 3: 10.10.112.0/24 Site 4: 10.10.113.0/24 And so on....    All sites are connected to our cloud-servers through a Non Meraki Site-to-Site VPN.   Cloud-servers are at 10.10.9.0/24 All Spoke-sites are connected to the Hub-site and can access the network there.   Our MG21-solution is on 10.10.124.0/24 This site can access the Hub-site but cannot establish a Non Meraki VPN to our Cloud.   I set Default route to Hub-site and then tried to add a route from Hub-site to 10.10.9.0/24 but it generated an error saying that 10.10.9.0/24 route is already in use by the Non Meraki VPN.   I guess I should have done my homework before ordering this product.   Maybe with a new SIM-card to remove the double NAT would solve it. Or your solution with an VPN concentrator hub, even though that seems like overkill just to get one small site up and running. Im not sure our Cloud would approve that.   Pretty stuck now. ... View more