Looking for some advice as I’ve seen a couple of posts about this working 100% and easily, yet I can’t get it to work. We’re moving to a traditional enterprise NGFW and want to keep the Meraki as a VPN concentrator, as that is how all sites connect as well as RAVPN (for now). AnyConnect is being considered as a replacement, but there needs to be an almost rip-and-replace to get that done properly, and I feel that if I got this working I won’t need to, or I can roll it out slowly in the future.
Ideally, what I’d like to do is use a spare MX that I have (in place now) to test and then be able to migrate the existing users/networks in a traditional migration plan. This would allow me to literally flip a DNS record and everything would work as intended based on successful testing.
I’ve had the MX directly hang off the firewall as well as connected behind it via a switch, with the same result. I can have a user connect via RAVPN with RADIUS in full effect, but once that user is connected it can’t go anywhere. It can’t use/ping servers and services and just kind of “sits”. I can see full connectivity flowing through the NGFW as the user connects, with nothing being blocked and hitting the proper ACLs. Meraki being Meraki, they don’t have much documentation other than the basic config, which “works” aside from the traffic flow aforementioned.
Maybe I’m missing something fairly blatant that someone can point out or there’s a better way?
When you connect in and try to ping something from the client and take PCAPs, who do you see not forwarding the traffic, or where do you see the traffic ending? Without more context on your environment I think your best method to troubleshoot is viewing the packet captures.
I suspect you’ve got a route issue somewhere by the limited sound of it.
That’s kind of where I get lost, to a degree, as routing isn’t my strong suit, but this is basic L2/L3 connectivity. I have it, currently, NATed behind the firewall, and it picks up the NATed IP no problem and passes normal dashboard connectivity perfectly. The route on the firewall sends the traffic to the MX fine, as a user is able to connect to the NATed IP, authenticate, and get a DHCP (local) lease.
So where would I need another route on the inside to allow it to see a local subnet to ping or test another way?
I am aggressively not a Meraki guy so… that being said.
We’ve got a vMX in Azure in one-arm concentrator mode that exchanges routes via BGP with our Fortigate in Azure. In the project I keep bitching about here, it is absolutely the only thing that works perfectly with Meraki so far.
Under Security and SD-WAN, Routing, do you have options for BGP and OSPF? That’s how we inject our routes with the vMX.
So say that your AnyConnect subnet is 192.168.1.0/24, and your concentrator-mode MX is on the 172.16.1.0/24 subnet with an IP of 172.16.1.2 and a default gateway of 172.16.1.1.
All traffic from AnyConnect clients (192.168.1.x) will reach the MX and be forwarded to that default gateway (172.16.1.1).
All traffic to AnyConnect clients needs to be routed to the MX explicitly. This could mean setting up a static route for 192.168.1.0/24 on the upstream 172.16.1.1 device pointing to the MX (172.16.1.2) or setting up routes on other devices in 172.16.1.0/24 such that they go through 172.16.1.2.
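To show why the forward direction works while replies never come back, here is an added illustration (not the poster’s code) that models the routing tables of the MX and the upstream 172.16.1.1 device from the scenario above with a longest-prefix-match lookup. The client/server addresses and the default route’s next hop are constructed for the example; the upstream table is checked once without and once with the static route back to the MX.

```python
import ipaddress

# Constructed routing tables for the scenario in the post above:
# VPN pool 192.168.1.0/24, MX at 172.16.1.2, upstream gateway 172.16.1.1.
# Each route is (prefix, next_hop); next_hop None means directly connected.
UPSTREAM_WITHOUT_RETURN_ROUTE = [
    ("172.16.1.0/24", None),
    ("10.0.0.0/8", None),           # internal server subnet (constructed)
    ("0.0.0.0/0", "203.0.113.1"),   # default toward the NGFW/internet (constructed)
]
UPSTREAM_WITH_RETURN_ROUTE = UPSTREAM_WITHOUT_RETURN_ROUTE + [
    ("192.168.1.0/24", "172.16.1.2"),  # the static route the reply recommends
]
MX_ROUTES = [
    ("172.16.1.0/24", None),
    ("192.168.1.0/24", None),       # RAVPN client pool, local to the MX
    ("0.0.0.0/0", "172.16.1.1"),    # MX default gateway
]

def lookup(table, dst):
    """Longest-prefix match: return (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def return_path_ok(upstream_table, client_ip, server_ip, mx_ip="172.16.1.2"):
    """Check both directions of a client->server flow.
    Forward: the MX sends the client packet to its default gateway.
    Return: the upstream device must hand server->client traffic to the MX;
    if its best route for the client IP is not via mx_ip, the reply follows
    some other route (here the default) and the VPN client just 'sits'.
    Returns (forward_ok, reverse_ok, prefix the upstream matched)."""
    fwd = lookup(MX_ROUTES, server_ip)
    ret = lookup(upstream_table, client_ip)
    forward_ok = fwd is not None
    reverse_ok = ret is not None and ret[1] == mx_ip
    return forward_ok, reverse_ok, (str(ret[0]) if ret else None)

if __name__ == "__main__":
    for name, tbl in (("no return route", UPSTREAM_WITHOUT_RETURN_ROUTE),
                      ("with return route", UPSTREAM_WITH_RETURN_ROUTE)):
        f, r, via = return_path_ok(tbl, "192.168.1.10", "10.0.0.5")
        print(f"{name}: forward={f} reverse={r} (upstream matched {via})")
```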
100% that exists, but in this environment there’s no BGP/OSPF routing. To enable that I have to have it part of a VPN already, which I can do, but that’s adding complexity to something I think shouldn’t warrant that.