Forum Discussion
Unable to connect to resources via site to site vpn using Meraki VMX100
The Meraki vMX100 is not supposed to route to the internet. It is being used as a VPN concentrator and routes outgoing traffic to my on-premises (HQ) Meraki. I am able to ping through the VPN tunnel to the HQ Meraki via IP address. I am also able to ping from HQ up the tunnel to the IP address of the vMX100. The tunnel is passing traffic; the issue seems to be with the Azure resource routing to the vMX100.
I can't ping the vMX100 from the VM that I have set up. Here is the route table I have set up for the vnet/subnet that the VM I'm trying to reach is on.
Please don't get confused by the name of the vnet. There is NO Bastion attached to that network anymore. The VM that I'm trying to RDP to is part of the subnet that this table is associated to.
Hope you are well.
Thanks for responding. Also, thanks for sharing the screenshot of your Route Table. That is pretty much what I would expect for this configuration. It will send all traffic to the VMX (except VNET-bound traffic); your VMX then needs to decide what to do with it. So, in short, that looks fine to me.
We need 2 more things to help diagnose the issue here. Would you mind providing me with the following:
- What address space are you using for your VNET? (I can see the subnets in a previous diagram but would like to know the overall VNET address space.)
- Can you run some tracerts from the Azure VM and send screenshots?
  - One tracert to an on-premises resource that you should be able to hit.
  - One tracert to an internet-based entity, whether the VM should be allowed to hit it or not.
The tracerts will demonstrate that traffic is (or isn't) hitting the VMX appliance as its next hop. This will help us narrow down where the issue lies, as your route table is exactly what I would do for this setup.
Look forward to your response.
Thanks
Karl
- Sharyn_S, Oct 22, 2020, Copper Contributor
Hi Karl,
Thanks for your response and verifying my routes are seemingly correct.
I decided to stand up another VM, exactly like the EliteU VM, but on the same vnet as the vMX, in a different subnet. So now I have a comparison between the traffic coming and going from 10.0.9.36 (subnet of 10.0.9.0/24). I've named the VM VM-Mer-EliteU, residing on the 10.0.9.32/28 subnet.
My vnets are:
10.0.9.0/24, subnetted into two: 10.0.9.0/28, on which the vMX (10.0.9.4) resides, and 10.0.9.32/28, on which my new VM-Mer-EliteU (10.0.9.36) resides.
10.0.8.0/24, also subnetted into two: 10.0.8.0/28, on which the (since deleted) Bastion resided, and 10.0.8.32/28, on which my original VM-EliteU (10.0.8.37) resides.
As of yesterday, I was unable to ping or trace to and from anything (vMX100 to any of the vnets/subnets, or from either of the resources (the 2 VMs) to the Meraki). Last night, for sh*ts and giggles, I played around with vnet peering. I was actually able to ping the 10.0.9.36 VM, but today I can't. Not sure what has changed. I still can't RDP to it, even though it is using the same NSG as the original EliteU VM, 10.0.8.37, with RDP port 3389 open. I can't RDP to either VM, which was the problem that started all of this.
I have to run for a bit, I'll post the traces soon.
- IrishTechie, Oct 22, 2020, Brass Contributor
Hi,
Thanks for this.
Can I confirm that there is VNET Peering between the 10.0.9.0/24 and 10.0.8.0/24 subnets?
Also, you don't have any route tables or NSGs attached to the VMX subnet?
Can I also just check that your on-premises subnets are 10.0.0.0/24, and that there isn't anything that might be overlapping with the 10.0.9.0/24 or 10.0.8.0/24 subnets?
Look forward to the traces as they might shed some light on where the traffic is going.
🙂 Difficult when I can't get my hands on it!
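The two checks Karl is driving at (whether the VM's route table actually sends a given destination to the VMX as its next hop, and whether the VNets and on-premises ranges overlap) can be worked through offline before running any tracerts. The script below is an added example, not code from the thread or from Azure/Meraki. It models Azure's route selection as documented (longest prefix match first; on equal prefix length a user-defined route beats a system route) over the addresses given in the thread: the VM's VNet 10.0.8.0/24, the vMX's VNet 10.0.9.0/24 with the vMX at 10.0.9.4, and Karl's stated on-premises range 10.0.0.0/24. The route table contents (a 0.0.0.0/0 user route to the vMX, as Karl describes it), the VNet address spaces being exactly the /24s, and the presence or absence of VNet peering are assumptions; the `peering_enabled` flag lets you compare both cases.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses taken from the thread; everything else in this file is an assumption.
VM_VNET = ipaddress.ip_network("10.0.8.0/24")    # VNet holding VM-EliteU (10.0.8.37)
VMX_VNET = ipaddress.ip_network("10.0.9.0/24")   # VNet holding the vMX (10.0.9.4)
VMX_IP = "10.0.9.4"
ONPREM = ipaddress.ip_network("10.0.0.0/24")     # on-premises range as Karl stated it


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop_type: str           # VirtualNetwork, VNetPeering, Internet, VirtualAppliance
    next_hop_ip: Optional[str]   # only meaningful for VirtualAppliance
    source: str                  # "System" (Azure default) or "User" (UDR)


def build_routes(peering_enabled: bool) -> List[Route]:
    """Assumed effective route table for VM-EliteU's subnet.

    Azure system routes: VNet address space -> VirtualNetwork, 0.0.0.0/0 -> Internet,
    plus a VNetPeering route for the vMX VNet if peering exists. The single UDR is the
    one Karl describes: everything to the vMX, VNet-bound traffic excepted because the
    /24 system route is more specific than /0.
    """
    routes = [
        Route(VM_VNET, "VirtualNetwork", None, "System"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "Internet", None, "System"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "VirtualAppliance", VMX_IP, "User"),
    ]
    if peering_enabled:
        routes.append(Route(VMX_VNET, "VNetPeering", None, "System"))
    return routes


def effective_route(dest: str, routes: List[Route]) -> Optional[Route]:
    """Pick the route Azure would use: longest prefix wins; on a tie, User beats System."""
    ip = ipaddress.ip_address(dest)
    candidates = [r for r in routes if ip in r.prefix]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (r.prefix.prefixlen, r.source == "User"), reverse=True)
    return candidates[0]


def next_hop_reachable(route: Route, routes: List[Route]) -> bool:
    """A VirtualAppliance next hop only works if the NVA's IP is inside this VNet or a
    peered VNet. Azure does not validate this when the UDR is created, so a 0.0.0.0/0
    route to 10.0.9.4 from an unpeered 10.0.8.0/24 VNet silently blackholes traffic."""
    if route.next_hop_type != "VirtualAppliance":
        return True
    system_only = [r for r in routes if r.source == "System"]
    hop = effective_route(route.next_hop_ip, system_only)
    return hop is not None and hop.next_hop_type in ("VirtualNetwork", "VNetPeering")


def find_overlaps(named_prefixes: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Return every pair of named prefixes that overlap (the check Karl asks for)."""
    names = list(named_prefixes)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if named_prefixes[a].overlaps(named_prefixes[b]):
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    for peered in (True, False):
        table = build_routes(peered)
        print(f"--- peering {'enabled' if peered else 'disabled'} ---")
        for dest in ("10.0.8.50", "10.0.0.10", "8.8.8.8", VMX_IP):
            r = effective_route(dest, table)
            ok = next_hop_reachable(r, table)
            print(f"{dest:>10} -> {r.prefix} {r.next_hop_type} {r.next_hop_ip or ''} "
                  f"{'' if ok else '(next hop unreachable from this VNet)'}")
    print("overlaps:", find_overlaps({"vm_vnet": VM_VNET, "vmx_vnet": VMX_VNET, "onprem": ONPREM}))
```

With peering on, on-premises and internet destinations resolve to the vMX and the vMX itself is reachable via the VNetPeering route; with peering off, the same UDR still selects 10.0.9.4 as next hop, but that address is only reachable through the Internet system route, which is exactly the case where a tracert from the VM would stall at the first hop. Feed your real address spaces into `find_overlaps` if the on-premises side advertises anything beyond 10.0.0.0/24.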