Unable to connect to resources via site to site vpn using Meraki VMX100
Hope you’re well.
Can you confirm your route tables and that they’re connected to the correct subnets?
I’m not familiar with the Meraki vmx specifically but will try to assist.
Thanks
My route tables look correct. I've attached a network diagram. If you look at the diagram, it's the part at the top, in Azure, where the two-way connection is not happening. The Azure resources are not passing traffic back to the VMX.
According to Cisco, there is two-way communication between the Azure VMX and the on-premises Meraki.
- IrishTechie, Oct 21, 2020, Brass Contributor
Thanks for sharing the diagram.
So if I read it right, your EliteU subnet should have a route table attached that looks a bit like:
- 0.0.0.0/0 > Next Hop Appliance: 10.0.9.4
Can you ping the internal interface of the VMX from the EliteU subnet? Can you do a tracert to the internet, Google or something and post the results? That’s assuming internet traffic is running via the VMX.
Also, sorry, could you confirm what the address space in your Azure VNET is? As the default 10.0.0.0/16 would overlap with your on-premises network.
Edit: corrected as I misread the diagram.
- Sharyn_S, Oct 21, 2020, Copper Contributor
The Meraki VMX100 is not supposed to route to the internet. It is being used as a VPN concentrator and routes outgoing traffic to my on-premises (HQ) Meraki. I am able to ping through the VPN tunnel to the HQ Meraki via IP address. I am also able to ping from HQ up the tunnel to the IP address of the VMX100. The tunnel is passing traffic; the issue seems to be with the Azure resource routing to the VMX100.
I can't ping the VMX100 from the VM that I have set up. Here is the route table I have set up for the VNET/subnet that the VM I'm trying to reach is on.
Please don't get confused by the name of the VNET. There is NO bastion attached to that network anymore. The VM that I'm trying to RDP to is part of the subnet that this table is associated with.
- IrishTechie, Oct 22, 2020, Brass Contributor
Hope you are well.
Thanks for responding. Also, thanks for sharing the screenshot of your Route Table. That is pretty much what I would expect for this configuration. It will send all traffic to the VMX (except VNET-bound traffic); your VMX then needs to decide what to do with it. So, in short, that looks fine to me.
We need 2 more things to help diagnose the issue here. Would you mind providing me with the following:
- What address space are you using for your VNET? (I can see the subnets in a previous diagram but would like to know the overall VNET address space)
- Can you run some tracerts from the Azure VM and send screenshots?
  - One tracert to an on-premises resource that you should be able to hit.
  - One tracert to an internet-based entity, whether the VM should be allowed to hit it or not.
The tracerts will demonstrate that traffic is (or isn't) hitting the VMX appliance as its next hop. This will help us narrow down where the issue lies, as your route table is exactly what I would do for this setup.
Look forward to your response.
Thanks
Karl
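The two configuration questions raised in this thread (does the subnet's route table send everything except VNET-bound traffic to the VMX, and does the VNET address space overlap the on-premises ranges) can be checked offline before anyone runs a tracert. The script below is an added example written for this page, not code from the thread, Meraki or Microsoft. The VNET address space, on-premises prefixes and route-table entries in it are constructed sample values; only the VMX next-hop address 10.0.9.4 comes from the thread. It reproduces Azure's longest-prefix-match behaviour with the system route for the VNET address space left in place, which is why VNET-bound traffic never reaches the appliance even with a 0.0.0.0/0 user route.

```python
"""Offline sanity checks for an Azure user-defined route table that forwards
traffic to a VPN appliance (a Meraki VMX in the thread above).

Constructed sample values: the VNET range, on-premises prefixes and route
entries are made up for this example; 10.0.9.4 is the VMX address quoted in
the thread.
"""
from ipaddress import ip_address, ip_network

VNET_ADDRESS_SPACE = ["10.0.8.0/21"]                 # constructed
ONPREM_PREFIXES = ["10.0.0.0/21", "192.168.50.0/24"]  # constructed
VMX_INTERNAL_IP = "10.0.9.4"                          # from the thread

# Constructed UDR, shaped like the route table described in the thread.
ROUTE_TABLE = [
    {"name": "default-to-vmx", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": VMX_INTERNAL_IP},
]


def overlapping_prefixes(vnet_space, onprem):
    """Return (vnet_prefix, onprem_prefix) pairs whose ranges overlap."""
    return [(v, o) for v in vnet_space for o in onprem
            if ip_network(v, strict=False).overlaps(ip_network(o, strict=False))]


def effective_routes(vnet_space, udr):
    """Merge Azure's system routes with the user routes.

    Azure always installs a VirtualNetwork route for each VNET prefix and a
    0.0.0.0/0 route to Internet; a user route with the same prefix replaces
    the system route, and everything else is decided by longest prefix match.
    """
    by_prefix = {p: {"addressPrefix": p, "nextHopType": "VirtualNetwork",
                     "nextHopIpAddress": None, "source": "system"}
                 for p in vnet_space}
    by_prefix["0.0.0.0/0"] = {"addressPrefix": "0.0.0.0/0", "nextHopType": "Internet",
                              "nextHopIpAddress": None, "source": "system"}
    for route in udr:
        by_prefix[route["addressPrefix"]] = dict(route, source="user")
    return list(by_prefix.values())


def lookup(destination, routes):
    """Pick the route Azure would use for `destination` (longest prefix wins)."""
    dst = ip_address(destination)
    candidates = [r for r in routes if dst in ip_network(r["addressPrefix"], strict=False)]
    return max(candidates, key=lambda r: ip_network(r["addressPrefix"], strict=False).prefixlen)


def audit(vnet_space, onprem, udr, appliance_ip):
    """Return a list of findings; an empty list means the table looks sane."""
    findings = []
    for v, o in overlapping_prefixes(vnet_space, onprem):
        findings.append(f"VNET {v} overlaps on-prem {o}: that traffic stays in the VNET "
                        "and never reaches the appliance")
    defaults = [r for r in udr if r["addressPrefix"] == "0.0.0.0/0"]
    if not defaults:
        findings.append("no 0.0.0.0/0 user route: non-VNET traffic follows the system "
                        "route to Internet instead of the appliance")
    for r in defaults:
        if r["nextHopType"] != "VirtualAppliance" or r["nextHopIpAddress"] != appliance_ip:
            findings.append(f"default route '{r['name']}' does not point at "
                            f"VirtualAppliance {appliance_ip}")
    if not any(ip_address(appliance_ip) in ip_network(v, strict=False) for v in vnet_space):
        findings.append(f"next hop {appliance_ip} is outside the VNET address space")
    return findings


if __name__ == "__main__":
    for finding in audit(VNET_ADDRESS_SPACE, ONPREM_PREFIXES, ROUTE_TABLE, VMX_INTERNAL_IP) or ["OK"]:
        print(finding)
    routes = effective_routes(VNET_ADDRESS_SPACE, ROUTE_TABLE)
    for dst in ("10.0.8.20", "10.0.3.7", "8.8.8.8"):
        r = lookup(dst, routes)
        print(f"{dst:>12} -> {r['nextHopType']} {r['nextHopIpAddress'] or ''} ({r['source']})")
```

Running it with the sample values reports no findings, sends a VNET address to the VirtualNetwork system route, and sends both the on-premises and the internet destination to 10.0.9.4; swapping the VNET space for 10.0.0.0/16 produces the overlap finding IrishTechie was probing for. The audit covers only the route table: it does not check NIC-level settings such as IP forwarding on the appliance's interface, which also has to be enabled for a VirtualAppliance next hop to pass traffic.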