Unable to connect to resources via site to site vpn using Meraki VMX100

Copper Contributor

Hi.

We have established a site to site vpn between our Azure Meraki vmx100 (managed Azure service/app) and our on premise mx64. Although the tunnel is up, running and passing traffic, I can't rdp to my resources in Azure. 

 

I spoke to Cisco and they confirmed my vmx100 is configured correctly and traffic is reaching the Azure resources however traffic from Azure VM is not being passed back. I need, specifically, to be able to rdp to the VMs in Azure.

 

I have set up routes but obviously they are not correct or else this would be working!

I have also set up network security groups allowing inbound and outbound traffic to port 3389 (rdp). When I run the connection test it tells me that access has been granted. However, when I try to rdp using the MS rdp client, I get the generic unable to connect message. When I try to rdp using the Azure rdp client, it tells me another computer has disconnected my session which is not possible since I'm the only one setting this up.

 

Anyone out there that has successfully set up a Cisco Meraki VMX100 in Azure and is able to access the resources in Azure behind the vmx100?

 

Thanks,

Sharyn_S

7 Replies
Hi Sharyn_S,

Hope you’re well.

Can you confirm your route tables and that they’re connected to the correct subnets?

I’m not familiar with the Meraki vmx specifically but will try to assist.

Thanks

@IrishTechie 

My route tables look correct. I've attached a network diagram. If you look at the diagram, it's the part at the top, in azure, where the two way connection is not happening. The Azure resources are not passing traffic back to the vmx.

 

According to cisco, there is 2 way communication between the azure vmx and the on premise Meraki

Thanks for sharing the diagram.

So if I read it right Your EliteU subnet should have a route table attached that looks a bit like:

- 0.0.0.0/0 > Next Hop Appliance: 10.0.9.4

Can you ping the internal interface of the VMX from the EliteU subnet? Can you do a tracert to the internet, Google or something and post the results? That’s assuming internet traffic is running via the VMX.

Also, sorry, could you confirm your address space in your azure VNET is? As the default 10.0.0.0/16 would overlap with your on-premise.

Edit: corrected as I misread diagram.

@IrishTechie

 

The meraki vmx100 is not supposed to route to the internet. It is being used as a vpn concentrator and routes outgoing traffic to my on premises (HQ) Meraki. I am able to ping thru the vpn tunnel to the  Hq Meraki via IP address. I am also able to ping from HQ up the tunnel to the IP address of the vmx100. The tunnel is passing traffic, the issue seems to be with the Azure resource routing to the vmx100

 

I can't ping the vmx100 from the VM that I have set up. Here is the route table I have set up for the vnet/subnet that the VM I'm trying to reach is on.

 

Please dont get confused by the name of the vnet. There is NO bastion attached to that network anymore. The VM that I'm trying to RDP to is part of the subnet that this table is associated to.

@Sharyn_S 

 

Hope you are well.

 

Thanks for responding. Also, thanks for sharing the screenshot of your Route Table. That is pretty much what I would expect for this configuration. It will send all traffic to the VMX (Except VNET bound traffic), your VMX then needs to decide what to do with it. So, in short, that looks fine to me.

 

We need 2 more things to help diagnose the issue here. Would you mind providing me with the following:

 

  • What address space are you using for your VNET? (I can see the subnets in a previous diagram but would like to know the overall VNET address space)
  • Can you run some tracerts from the Azure VM and send screenshots.
    • One tracert to an on-premise resource that you should be able to hit.
    • One tracert to an internet based entity, whether the VM should be allowed to hit it or not.

The tracerts will demonstrate that traffic is (or isn't) hitting the VMX appliance as it's next hop. This will help us narrow down where the issue lies as your route table is exactly what I would do for this setup.

 

Look forward to your response.

 

Thanks

 

Karl

@IrishTechie 

 

Hi Karl,

Thanks for your response and verifying my routes are seemingly correct.

 

I decided to stand up another VM, exactly like the EliteU VM, but on the same vnet as the vmx, different subnet. So now I have a comparison between the traffic coming and going from 10.0.9.36 (subnet of 10.9.0.0/24. I've named the VM, VM-Mer-EliteU, residing on the 10.0.9.32/28 subnet.

 

My vnets are:

10.0.9.0/24 subnetted into 2, 10.0.9.0/28 on which the vmx (10.0.9.4) resides and 10.0.9.32/28 on which my new VM-Mer-EliteU (10.0.9.36) resides.

 

10.0.8.0/24 also subnetted into 2, 10.0.8.0/28 on which the Bastion, which has been deleted resided and 10.0.8.32/28, on which my original VM-EliteU (10.0.8.37) resides.

 

As of yesterday, I was unable to ping or trace to and from anything vmx100 to any of the vnets/subnets or from either of the resources (the 2 VMs) to the Meraki. Last night, for sh*ts and giggles, I played around with vnet peering. I was actually able to ping the 10.0.9.36 VM but today I can't. Not sure what has changed. I still can't rdp to it though even though it is using the same NSG as the original EliteU VM, 10.0.8.37 with RDP port 3389 open. I can't rdp to either vm which was the problem that started all of this.

 

I have to run for a bit, I'll post the traces soon.

@Sharyn_S 

 

Hi,

 

Thanks for this.

 

Can I confirm that there is VNET Peering between the 10.0.9.0/24 and 10.0.8.0/24 subnet?

Also, you don't have any route tables or NSGs attached to the VMX subnet?

 

Can I also just check that your on-premises subnets are 10.0.0.0/24 and that there isn't anything that might be overlapping with the 10.0.9.0/24 or 10.0.8.0/24 subnets?

 

Look forward to the traces as they might shed some light on where the traffic is going.

 

🙂difficult when I can't get my hands on it!