Unable to connect to resources via site to site vpn using Meraki VMX100

Question

Hi.We have established a site to site vpn between our Azure Meraki vmx100 (managed Azure service/app) and our on premise mx64. Although the tunnel is up, running and passing traffic, I can't rdp to my resources in Azure.&nbsp;&nbsp;I spoke to Cisco and they confirmed my vmx100 is configured correctly and traffic is reaching the Azure resources however traffic from Azure VM is not being passed back. I need, specifically, to be able to rdp to the VMs in Azure.&nbsp;I have set up routes but obviously they are not correct or else this would be working!I have also set up network security groups allowing inbound and outbound traffic to port 3389 (rdp). When I run the connection test it tells me that access has been granted. However, when I try to rdp using the MS rdp client, I get the generic unable to connect message. When I try to rdp using the Azure rdp client, it tells me another computer has disconnected my session which is not possible since I'm the only one setting this up.&nbsp;Anyone out there that has successfully set up a Cisco Meraki VMX100 in Azure and is able to access the resources in Azure behind the vmx100?&nbsp;Thanks,Sharyn_S

irishtechie · Answer

Hi Sharyn_S,Hope you’re well.Can you confirm your route tables and that they’re connected to the correct subnets?I’m not familiar with the Meraki vmx specifically but will try to assist.Thanks

sharyn_s · Answer

IrishTechie&nbsp;My route tables look correct. I've attached a network diagram. If you look at the diagram, it's the part at the top, in azure, where the two way connection is not happening. The Azure resources are not passing traffic back to the vmx.&nbsp;According to cisco, there is 2 way communication between the azure vmx and the on premise Meraki

irishtechie · Answer

Thanks for sharing the diagram.So if I read it right Your EliteU subnet should have a route table attached that looks a bit like:- 0.0.0.0/0 &gt; Next Hop Appliance: 10.0.9.4Can you ping the internal interface of the VMX from the EliteU subnet? Can you do a tracert to the internet, Google or something and post the results? That’s assuming internet traffic is running via the VMX.Also, sorry, could you confirm your address space in your azure VNET is? As the default 10.0.0.0/16 would overlap with your on-premise.Edit: corrected as I misread diagram.

sharyn_s · Answer

IrishTechie&nbsp;The meraki vmx100 is not supposed to route to the internet. It is being used as a vpn concentrator and routes outgoing traffic to my on premises (HQ) Meraki. I am able to ping thru the vpn tunnel to the&nbsp; Hq Meraki via IP address. I am also able to ping from HQ up the tunnel to the IP address of the vmx100. The tunnel is passing traffic, the issue seems to be with the Azure resource routing to the vmx100&nbsp;I can't ping the vmx100 from the VM that I have set up. Here is the route table I have set up for the vnet/subnet that the VM I'm trying to reach is on.&nbsp;Please dont get confused by the name of the vnet. There is NO bastion attached to that network anymore. The VM that I'm trying to RDP to is part of the subnet that this table is associated to.

irishtechie · Answer

Sharyn_S&nbsp;&nbsp;Hope you are well.&nbsp;Thanks for responding. Also, thanks for sharing the screenshot of your Route Table. That is pretty much what I would expect for this configuration. It will send all traffic to the VMX (Except VNET bound traffic), your VMX then needs to decide what to do with it. So, in short, that looks fine to me.&nbsp;We need 2 more things to help diagnose the issue here. Would you mind providing me with the following:&nbsp;What address space are you using for your VNET? (I can see the subnets in a previous diagram but would like to know the overall VNET address space)Can you run some tracerts from the Azure VM and send screenshots.One tracert to an on-premise resource that you should be able to hit.One tracert to an internet based entity, whether the VM should be allowed to hit it or not.The tracerts will demonstrate that traffic is (or isn't) hitting the VMX appliance as it's next hop. This will help us narrow down where the issue lies as your route table is exactly what I would do for this setup.&nbsp;Look forward to your response.&nbsp;Thanks&nbsp;Karl

Forum Discussion

Unable to connect to resources via site to site vpn using Meraki VMX100

7 Replies

Resources