- About Pugmiester
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Pugmiester
Getting noticed
Member since May 9, 2018
10-19-2020
Community Record
77
Posts
19
Kudos
4
Solutions
Badges
09-29-2020
07:18 AM
I've had this on the back burner for a couple of weeks for one reason or another but am back at it today. Something I've noticed, and I don't remember seeing before, is that the vMX seems to be performing NAT on the traffic that passing between the subscriptions. A quick recap, our network in Azure looks a little like this - Sub A > Sub B < Sub C. A and C are VNET peered to B and each have a local route table for our SD-WAN subnets associated pointing to the LAN IP of the vMX in Sub B. Sub B hosts the vMX and is happily talking to our SD-WAN. It's also passing traffic from any client across the SD-WAN through SUB B and onto servers in Sub A or Sub C with no issues at all. Our problem lies in getting traffic between Sub A and Sub C. What I noticed today is that although I can ping from A to C, the packet capture on the vMX as well as the destination server (tcpdump) shows it being NAT'd and the source showing as the vMX LAN IP instead of the source server. The source server gets a reply so on the face of it connectivity seems to be working but if I hop up the stack with an HTTP connection, the same NAT appears to happen on the vMX and I even see a reply to the vMX LAN IP but then the vMX seems to have no idea what to do it it and the traffic never reaches the initial source machine. I didn't think a vMX in one armed concentrator mode (that's the only choice you get with a vMX in Azure) was supposed to perform NAT at all. It's really confusing.
... View more
09-10-2020
03:22 AM
Having done a little more testing this morning, I can confirm that if I remove the user assigned route table from one of the peers, it's then only able to reach the internet or the hub subscription, thanks to the route put in place by Azure when the peering connection is brought up. Using the check box to allow "Configure gateway transit settings" make no difference to those routes. The last remaining peering option on the list is "Configure Remote Gateway settings" but that's greyed out because Azure doesn't believe the remote virtual network has a gateway. It seems the vMX isn't classified as a gateway. I'm still not sure if that would make a difference or not but I will continue to dig and Google.
... View more
09-10-2020
01:54 AM
Hi Philip, thanks for the quick reply. We have indeed. Each of the Azure subnets we're making available over SD-WAN has an entry on the vMX and for traffic to/from any of our SD-WAN office locations, to/from any of the Azure subscriptions, we have end to end connectivity passing through the vMX and onto the relevant peered subscriptions. Where we seem to be getting stuck is passing traffic between 2 subs that are peered with the vMX Sub B. Each sub has a local route table attached to the relevant server subnet and these point to the LAN IP of the vMX as the next hop. The peering connection between the subs seems to make sure that connectivity is working. If I send traffic from Sub A to Sub C, the next hop leaving Sub A will be the vMX LAN IP and the vMX sees that traffic arrive in a packet capture but it never sees a response. The destination machine in Sub C (A linux box for simplicity, and tcpdump) never sees the packets arrive if they are coming from another Azure peered sub but has no issues if the source of traffic is from an SD-WAN connected location. But, you may have just sent me in a different direction... The Meraki Azure vMX setup guide has you creating a route table to attach to the vMX subnet but it doesn't mention having to do that anywhere else. I've assumed, up to this point, that I would have to add a route table individually to each peered subscription subnet but I now wonder if in fact all I need is to activate the gateway transit option and don't try to force traffic across the connection with an attached route table. OK, that's at least something I can test, I think, without breaking too many things. But I need another coffee first. Will report back as soon as I've updated things.
... View more
09-09-2020
08:46 AM
Hi all, apologises for the rather large post but it's a complicated beast. We have a vMX up and running in Azure (following the Meraxi Azure vMX guide) and it's happily passing traffic from our physical SD-WAN boxes into and out of a number of Azure subscriptions peered to it but as we're migrating more services into Azure I've run across an issue that's frankly driving me bonkers. Our setup looks a bit like this :- Sub A <-- VNET Peering --> Sub B (The Hub, vMX lives here) <> SD-WAN to our on-premise locations Sub C <-- VNET Peering --> Sub B Sub D <-- VNET Peering --> Sub B etc... Our issue came to light as we started trying to access a service by passing through Sub B, for example a DNS server in Sub C. Traffic to or from the SD-WAN is no issue at all, but from Sub A or D the DNS traffic (or HTTP for a second simple test) goes to ground. Frustratingly, our trusted test tools ping and traceroute "just work"... Grrrr If I spin up a temporary Linux box with HTTP and DNS in SUB B, Sub A, C and D can all reach it as well as any location connected over SD-WAN. Looking at the Effective Route Table for a server in Sub A, it seems traffic that's using the "Default" peer route out of Sub A to Sub B is happy, but traffic that's using the "User" route table to get it to the vMX in Sub B seems to fail. The vMX see the traffic arrive in a local packet capture but then it never reaches the destination or sees any response which makes me think that maybe the vMX is getting in the way but for the life of me I can't see how. Of course the simple answer is just move the servers we need into Sub B but rebuilding our multi-layered ADFS setup in a new subscription (currently in a a Sub that's connected to our WAN using a very expensive ExpressRoute link we would like to kill) fills me with dread so I'd rather just peer it in but the DNS servers that also sit in that Sub are being relied on by the other Azure hosted subscriptions so everything dies when we do. "It's always DNS" after all. I spent an hour and a half on a call with MS support this morning getting packet captures which seem to have failed to catch the traffic in question so while I try to work out why, I thought I'd ask the awesome Meraki community to see if anything jumps out at anyone.
... View more
08-30-2020
01:02 AM
Thanks @PhilipDAth, That's whati was hoping.
... View more
08-28-2020
06:14 AM
Hi @PhilipDAth, We've just hit a roadblock trying to peer a couple of third party managed subscriptions to an existing subscription created especially for the purpose of being a hub running a vMX. The "experts" doing the work have just told use the setup they have build wont work and we have to build something they "think" is called a transit gateway. I'm more than a little frustrated after weeks of me Googling the answers for their "experts". But I digress. Would I be right in thinking that you can still deploy a vMX into a transit gateway account to be able to peer with the rest of our SD-WAN?
... View more
07-08-2020
03:04 AM
2 Kudos
One option you could look at, is using a secondary MX at your hub site (Main-MX location) to manage the ASA VPN link. That way, you can add a static route onto the Main-MX pointing to the VPN MX and that will allow you to publish the remote ASA subnets into SD-WAN. There's a great example walk through of this by Aaron Willette https://www.willette.works/merging-meraki-vpns/ We use this approach to bring in a couple of third party locations that need to reach services on site but are not part of our Meraki deployment.
... View more
07-06-2020
07:44 AM
Thanks Philip, will take a look. I'm sure I'm just overthinking the problem. The eventual plan, once Meraki figure out the legal minefield, is to hook them up with a HA pair of MX's like every other site we have in EMEA but for the foreseeable future we cannot legally deploy any Meraki hardware to the country at all so we're stuck with whatever we can legally purchase in country, hoping it can support a reasonable security level, and try to connect that back to civilisation as best we can.
... View more
07-06-2020
06:31 AM
It was the Azure side of things that I managed to get confused so just removing the vMX and redeploying worked for me.
... View more
06-22-2020
04:03 AM
Hi all, We're almost at the end of our EU wide SD-WAN rollout (only around 30 sites but still...) and as I'm sure anyone who's ever done this will know, with Meraki "it just works" 🙂 We have a remaining office site that for current political reasons we can't deploy any Meraki hardware to site. We are looking at a simple third party VPN link (Probably using a locally sourced ASA) into a spare MX using the excellent reference article from Aaron Willette (https://www.willette.works/merging-meraki-vpns/) which we've already used to great success for an actual third party that needs access to an internal resource. I'm hoping to build a pair of 3rd party VPN links so we don't have a single point of failure but getting traffic flowing over the right VPN link seems like a challenge as each of the corporate LAN MX's would publish the same static route into the SD-WAN pointing to their local 3rd party MX. I have a vague recollection that it's possible to do some element of traffic steering using over the SD-WAN using the priority of the hub's that a spoke connects to but I don't think that's possible between hubs. Am I just overthinking the whole situation?
... View more
06-16-2020
01:22 AM
1 Kudo
I thought I would add one final update for anyone stumbling across this post in the future. There's a Meraki support document for the SD-WAN that clearly lists the ports needed for connections to both the dashboard and Auto-VPN peers. Somehow, all of my Googling never brought me to this page so I'm including the details plus the link below for future reference. Ports used to contact the VPN registry: Source UDP port range 32768-61000 Destination UDP port 9350 Ports used for IPsec tunneling: Source UDP port range 32768-61000 Destination UDP port range 32768-61000 https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN
... View more
06-12-2020
03:28 AM
Hi @PhilipDAth, thanks for the sanity check. I'm still confused how it's ever worked without the allowed inbound traffic but I'm working on a change plan for the AWS guys to open up the inbound firewall rules.
... View more
06-10-2020
02:11 AM
Hi all, We've had a vMX up and running in AWS since the middle of April but somewhere around the early hours of June 6th it dropped all of the SD-WAN links. It's not in PROD yet so we didn't pickup a monitoring alert. Anyway, we still have dashboard access and neither a vMX or AWS Instance restart has not shaken it back into life but something hit me while I'm trying to figure out what's going on. The AWS Security Group is built from the dashboard recommended firewall rules for the site as recommended in the AWS vMX setup guide, including all the usual suspects for dashboard access, you know all the funky UDP ports and the like, but that gives you no ports I would have thought needed for IPSec (4500, 500, etc). I kinda assumed the dashboard did uber magic and the fact it was working made me suspect that was the case but maybe the initial setup had less rules on SG and the connections were up before it closed off the doors. I know this is something that should make sense but I'm way down on my coffee supply this morning. Should we have more outbound/inbound rules in place the IPSec links that the SD-WAN needs to operate?
... View more
04-20-2020
07:51 AM
That's the sort of answer I was hoping for 🙂 It seemed odd that it wouldn't be easier to build up an HA setup if it was really needed.
... View more
04-20-2020
07:47 AM
Hi all, We're on the verge of moving some connections into production using the vMX in Azure / AWS but the lack of an HA configuration, such as what you can build with the physical hardware, makes me a little nervous. I've seen the scripted AWS failover system put together by @PhilipDAth but I was wondering what you're experiences have been like as far as reliability with a single appliance. Is the underlying infrastructure generally reliable enough to stick with a single vMX or would you recommend the extra layer of complexity of a second appliance and some sort of user built routing/failover in AWS and Azure (unsure even how yet)? Thanks all.
... View more
04-09-2020
01:42 AM
Ironically, the setup we did in Azure to test came up almost straight away. Untangling the right options and getting things in the right NSG to start with is more of a challenge there and as you can't change the vMX appliance once it's deployed it meant we had to tear it down and rebuild it again but once we had that done it was up and running.
... View more
04-08-2020
12:27 AM
1 Kudo
Hi @JamesC_AB, It seems you were spot on. The update from Meraki overnight was that they changed something in the back-end of the dashboard and now it's all working without any changes on this end despite them being sure it was a firewall issue on our side. Anyway, we're up and running. Thanks all for the suggestions.
... View more
04-01-2020
08:19 AM
Hi all, I must be missing something here because it just can't be this hard. The EC2 instance is up and running (using the Meraki setup guide - https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Amazon_AWS) and using the "customer data" from the authentication token. We can reach the appliance's public IP (we have a rule allowing port 80 inbound temporarily to troubleshoot) and it confirms internet access but no connection to the dashboard over port 7734. However, AWS flows confirm it's sending and receiving data from the dashboard over port 80 and port 7734 but it just will not phone home and show up in the dashboard at all. What have I missed?
... View more
02-26-2020
01:59 AM
2 Kudos
Thanks, I was thinking it might be the later and powering down the AP would be the way to go. It's certainly an absolute case of no WiFi being available. Time to start planning for the end of the work day I think.
... View more
02-26-2020
01:14 AM
Hi all, We're having some really strange WiFi drop off / roaming issues on one of our sites (obviously, my site and none of the other 28 we have across Europe 😞 ) that appear completely random across different client manufactures, drivers versions, you name it. There's no pattern I can find to the disconnections so I'm going round and round in circles with it. However, one stand out difference we have with this particular building is a lot of AP's. We spammed the building with no wireless survey and have 34 AP's over 3 floor, including a conference centre that sees meetings of up to 80-100 people (then of course 100 laptops, plus 100 iPhones, plus 100 personal phones,etc...). I've made changes over the last 3-4 months to the RF Profiles to allow the AP's to adjust their settings as far as possible and we're seeing some of them powering down to 2dB which is suggesting there is more overlap between them than we probably should have. So, this brings me to the point of the question, to try to assess if we do in fact have way too much overlap, I'm looking at disabling a few of the AP's to see what that does to the remaining AP settings and coverage and I'm trying to figure out if I simply disable the SSIDs from an AP, does that shut down the antenna completely. If I switch the SSID to "deploy SSID by TAG", and drop the tag on a few of the AP's does that shut down the radios as well or do I need to power them down completely?
... View more
12-11-2019
02:08 AM
We're up and running but not without having to tear down the initial installation and start from scratch. That was rather convoluted as well but eventually I managed to unpick it and remove all of the newly created resource groups and the vMX. I had to create a new dedicated subnet in our primary resource group and VNET to be able to attach the vMX LAN interface to which then made it available on the list when building the new vMX. The other subnet I was trying to connect to initially, has been configured as the Azure gateway subnet which seems to exclude it from the selection list. Yeah, I don't know anywhere near enough about Azure to fully understand how all the widgets hang together. It seems overly complicated coming from a physical hardware world but I think it makes enough sense to me now to be able to reproduce this in production when we need to.
... View more
12-05-2019
02:22 AM
I've just run up against the same issue deploying a vMX. The process never made sense beforehand (I'm in no way any sort of Azure expert) so I just presumed it was my physical world thinking but I don't recall having any options at all to select a subnet/vnet outside the vMX's new resource group. In theory, peering the VNET's should be trivial but I'm hitting a permissions error that we can't make sense of so I've bounced it back to our Meraki sales contact to see if they can help unravel what's happening.
... View more
11-18-2019
06:54 AM
1 Kudo
OK, That's really strange. The internet connection troubleshooting sent me down a particular path and I remembered that many years ago, the subnet we had from our ISP was split into two halves with one half being NAT'd on our old Checkpoint firewall, and the second half of the subnet routed through the Checkpoint. No idea how, I never saw the config. However, switching to 3 IP addresses in the original lower half of the range has the MX's happy again. It's bizarre as there are services using the upper half without issues.. But anyway, we are up and running.
... View more
11-18-2019
06:29 AM
Thanks for confirming. That's what I was hoping. I'll run through the connection check docs to confirm what I can see. We do have some 1:1 NAT on the HA pair for some locally hosted services but I've confirmed there are no overlapping addresses. The 2 IP's (will be a third for HA once I get basic comms working) are free of any other configuration and I don't think we have ever used them.
... View more
11-18-2019
03:40 AM
Hi all, Before I go completely bonkers, can I run a question by you all to see if I'm in fact trying something impossible. We have an existing MX HA setup on site that's happily running and providing SD-WAN links to an expanding number of our offices but we are looking to move some third party IPSec VPN links over to our Meraki infrastructure as well. To help separate out the traffic from our SD-WAN (We don't need everyone to know about the links, they are for single local services), we're following this article - https://www.willette.works/merging-meraki-vpns/. It makes sense and I've most of the infrastructure up and running with the exception of the primary WAN link. I'm trying to use 3 additional IP's from our available public subnet but the IPSec MX's seem to not want to use them and keep falling back to WAN2. They are part of the same public subnet assigned to interfaces on the HA MX's and I'm half thinking this is the cause. I'm not seeing any errors but they just don't seem to want to use the primary WAN connection. There's a mention in the article about needing a separate organisation for the VPN link to avoid any VPN subnet overlaps but the impression I got from this was avoiding overlaps between third party subnet and a subnet on the SD-WAN but it's not clear. Can anyone confirm if this should be possible or am I going to have to look at a separate organisation?
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 162 | 06-16-2020 01:22 AM | |
| 1047 | 11-13-2018 07:35 AM | |
| 2212 | 10-31-2018 07:05 AM | |
| 1078 | 07-06-2018 05:23 AM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 216 | |
| 2 | 921 | |
| 2 | 5307 | |
| 2 | 4795 | |
| 1 | 162 |
