Azure vMX AnyConnect clients to Azure resources

Here to help


I seem to have an issue when we deploy a vMX at Azure.
It spins up without any issues and L2L Auto VPN works fine. We deploy AnyConnect VPN on it and can reach all the spokes and hubs from it with no issues... but...


When you try to reach any Azure resources, I can't see the traffic ever leaving any interface other than the AnyConnect VPN interface when I do a packet capture, and the client doesn't get any replies (of course).

Is there some routing needed on the vMX to get that to work, or is it so that the 3rd party responsible for the Azure setup has missed something in routing on the Azure side? (I don't have access to that part at this customer...)


Azure anyconnect VPN net
MX IP at azure ( 1 interface outside )
Azure resources ( .5 for target for testing)

(Yeah, fake IP series used for this example 😉)

Kind of a big deal

Is the VPN client IP range allowed in the network security group on Azure?

They (the 3rd party that has access, not me...) claim so, yes, along with a route in the Meraki resource group pointing the VPN client net behind the IP on the device.

Kind of a big deal

Have you added the Azure subnets to the "local networks" page on the vMX?


Do the Azure subnets show up in the vMX route table?
