Setting Up Networking and Tunnel Between Azure VPN and Meraki

Meissner, Glenn 20 Reputation points
2024-10-11T22:36:14.0066667+00:00

I am trying to get a tunnel configured and working properly between my on-premises Cisco Meraki and my Azure instance. As far as I can tell, traffic is flowing through the tunnel, so the tunnel configuration should be ok. However, I am not able to ping devices, or traceroute, to either end of the tunnel. All of my traffic from on-prem flows through the tunnel and then never gets to the endpoint. All my traffic from Azure seems to flow through the tunnel and gets stopped at the Meraki.

I tried to create a VM for testing but it can't get to the internet or ping the Network Gateway private IPs. Any help would be appreciated.


Accepted answer
  1. Sai Prasanna Sinde 1,075 Reputation points Microsoft Vendor
    2024-10-14T11:32:22.43+00:00

    Hi @Meissner, Glenn,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    We have understood that you want to create a Site-to-Site VPN connection from On-Prem to Azure.

    Please cross-verify the below steps once again while doing an Azure VPN Site-to-Site:

    1. From the Azure side you need to deploy a VNet and a gateway subnet, and in that gateway subnet deploy a VPN gateway.
    2. Next you need to configure a Local Network Gateway by providing the public IP and Local LAN IP series.
    3. Next configure a remote access server in On-Prem by providing the VPN Public IP and VNet IP range.
    4. Next create a connection between VPN and Local network gateway and also provide the pre-shared key in both the environments.
    5. Finally configure a static route in On-Prem Network Interface.
    6. Next, the resources on-prem can communicate with Azure. You can connect to the VM by using its private IP through the VPN.

    For your reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

    Please have a look at the below troubleshooting steps:

    1. Please check whether both devices are online. Go to Security & SD-WAN > Monitor > VPN status page for each side's Dashboard network.
    2. On the remote side's Dashboard network, navigate to Security & SD-WAN > Configure > Site-to-site VPN. Under Local networks, make sure the Use VPN toggle is set to Yes for the subnet you're trying to reach. You should also check these settings on your local site's Dashboard network to ensure that the subnet you're connecting from is also advertised.
    3. If using a full tunnel configuration, bear in mind that when specifying a prefix to be part of a VPN, everything covered by that prefix will be allowed in the VPN. Therefore, subnets that overlap will cause traffic in a more specific subnet to be sent through the VPN, even if it is not configured to be included in the VPN. For example, if 10.0.0.0/16 is configured to be included in the VPN but 10.0.1.0/24 is not, traffic sourced from 10.0.1.50 will still be sent over the VPN.
    4. In addition to any non-Meraki firewalls on the network that may be blocking this traffic, check the Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings section to see if there are any Site-to-site outbound firewall rules.
    5. If the WAN Appliance is not the only gateway in the network (e.g. the WAN Appliance is connected to a layer 3 switch or router with its own directly connected networks), any devices that are not using the WAN Appliance as their gateway will need their traffic routed to the WAN Appliance in order to send traffic across the VPN. Make sure any other routing devices on the network have a route that allows them to access the remote VPN subnets via the WAN Appliance's local IP address.
    6. If the device on each end is on a subnet that overlaps with the other side, the WAN Appliance will be unable to route traffic to the other side as it will believe the traffic is destined for the local network. It is recommended to have unique subnets with no overlap on each network connected to the VPN.

    Please go through the document: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable:~:text=Cisco-,Meraki%20(MX),-MX%20v15.12

    Kindly let us know if the above helps or you need further assistance on this issue.

    If this answers your query, I would appreciate it if you could accept the response as an "Accept Answer" and "Upvote it" so that it can help other members of the community who may be experiencing similar challenges.

    Thanks,

    Sai Prasanna.

    1 person found this answer helpful.
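The accepted answer's address-plan checks (the GatewaySubnet inside the VNet, no overlap between the Meraki's advertised subnets and the VNet in step 6, and the "covering prefix still carries a more-specific subnet" rule in step 3) can be run as a pre-flight script before touching the gateway. This is an added example, not code from the thread or from Microsoft or Cisco; all prefixes are constructed placeholders, not the asker's real ranges.

```python
"""Pre-flight check for an Azure <-> Meraki site-to-site VPN address plan.

Added example, not from the Q&A thread. Prefixes used below are constructed
placeholders. It checks the conditions the accepted answer lists: the
GatewaySubnet must sit inside the VNet, the on-prem subnets advertised by the
Meraki must not overlap the VNet (step 6), and a source inside an advertised
prefix still rides the tunnel even if its own more-specific subnet was not
marked "Use VPN" (step 3).
"""
from ipaddress import ip_address, ip_network


def gateway_subnet_ok(vnet_space, gateway_subnet):
    """GatewaySubnet must be a subnet of the VNet address space."""
    return ip_network(gateway_subnet).subnet_of(ip_network(vnet_space))


def overlapping_pairs(onprem_prefixes, vnet_spaces):
    """Return (on-prem, vnet) pairs that overlap; any hit breaks routing."""
    hits = []
    for local in onprem_prefixes:
        for remote in vnet_spaces:
            if ip_network(local).overlaps(ip_network(remote)):
                hits.append((local, remote))
    return hits


def sent_over_vpn(src_ip, vpn_prefixes):
    """True when the source falls inside any prefix advertised into the VPN,
    regardless of whether its own, more specific subnet was excluded."""
    addr = ip_address(src_ip)
    return any(addr in ip_network(p) for p in vpn_prefixes)


def check_plan(vnet_spaces, gateway_subnet, onprem_vpn_prefixes):
    """Collect human-readable findings; an empty list means the plan is clean."""
    findings = []
    if not any(gateway_subnet_ok(s, gateway_subnet) for s in vnet_spaces):
        findings.append(f"GatewaySubnet {gateway_subnet} is outside the VNet")
    for local, remote in overlapping_pairs(onprem_vpn_prefixes, vnet_spaces):
        findings.append(f"on-prem {local} overlaps VNet {remote}")
    return findings


if __name__ == "__main__":
    # Constructed address plan (placeholders, not real deployment values).
    VNET = ["10.1.0.0/16"]
    GATEWAY_SUBNET = "10.1.255.0/27"
    ONPREM = ["10.0.0.0/16"]  # advertised by the Meraki with Use VPN = Yes
    for finding in check_plan(VNET, GATEWAY_SUBNET, ONPREM):
        print("FINDING:", finding)
    # Step 3 of the answer: 10.0.1.0/24 is not marked Use VPN, yet 10.0.1.50
    # still goes over the tunnel because 10.0.0.0/16 covers it.
    print("10.0.1.50 over VPN:", sent_over_vpn("10.0.1.50", ONPREM))
```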
