Hey everyone! I'm currently working on migrating our sites, including one HQ, two remote locations, and Azure, into Secure Connect. We had a POC up and running for our Azure setup using a VNG that directed traffic to Secure Connect without any issues, but ran into problems with our remote access tool, ScreenConnect. After discussions with ConnectWise and Meraki/Umbrella support, we found out that we needed to bypass the Secure Connect tunnel to establish a remote connection.
Now, I'm trying to build a POC and deploy a vMX in Azure using the Cisco Meraki vMX Setup Guide. The vMX is partially operational, but we're facing a challenge: the subnets behind the vMX can't access the internet. I've run some diagnostics and can confirm that:
- Traffic can reach the vMX from the Azure VM subnet, which I've verified through tracert and packet captures.
- The vMX is receiving traffic from Azure and it shows online in the Meraki dashboard.
However, we're struggling to get return traffic from Azure to the VM subnet. Packet captures show that nothing is returning to the vMX, maybe due to asymmetric routing. Even though Azure support insists nothing else is needed on their end, it feels like this may be the source of our troubles.
I've verified several things:
- The vMX is deployed in a different subnet.
- IP forwarding is on.
- NSG rules are open.
- We're not using Secure Connect or AutoVPN; just a standalone vMX.
- The routing table is correctly configured with the vMX IP.
- I've also disabled Azure subnet peering.
- DNS is pointing to Google.
We've been troubleshooting this for months and I'm at a standstill. Any advice on what else we might check?
2 Answers
The vMX can operate in either VPN passthrough mode or routing mode, but not both at the same time. If it's set to VPN mode and you send internet traffic, the device won't be able to route it out. You should double-check that it's definitely in routed mode.
Have you tried using the connection troubleshooter? It might help identify where the issue is occurring in the routing process.
I haven't yet, but that's a good suggestion! I'll check that out. Also, did you turn off BGP route propagation in the UDR? Just to make sure the VMs aren't learning routes from elsewhere.
Thanks for that info! I can confirm the vMX is currently in routed mode, but I'm not sure if there's a way to switch between modes. Maybe I'm misunderstanding your point.
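The Azure-side items the thread turns on (IP forwarding on the vMX NIC, a 0.0.0.0/0 UDR whose next hop is the vMX, BGP route propagation turned off on that UDR, and the UDR not being associated with the vMX's own subnet) can be audited offline against exported resource JSON. The script below is an added example, not code from the original post, from Meraki or from Microsoft. It assumes the flattened camelCase property names that `az network nic show` and `az network route-table show` print (`enableIpForwarding`, `ipConfigurations[].privateIpAddress`, `disableBgpRoutePropagation`, `routes[].nextHopType`, `routes[].nextHopIpAddress`, `subnets[].id`); adjust them if your export differs. The sample JSON, resource IDs and addresses are constructed for the example.

```python
import ipaddress
import json

# Constructed sample resources. The shape is assumed to match the flattened
# JSON that `az network route-table show` / `az network nic show` print; the
# subscription, resource group, VNet, subnet names and addresses are made up.
ROUTE_TABLE_JSON = """
{
  "name": "rt-workload",
  "disableBgpRoutePropagation": false,
  "routes": [
    {"name": "default-via-vmx", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.10.1.4"}
  ],
  "subnets": [
    {"id": "/subscriptions/s/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/workload-subnet"},
    {"id": "/subscriptions/s/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/vmx-subnet"}
  ]
}
"""

VMX_NIC_JSON = """
{
  "name": "vmx-nic",
  "enableIpForwarding": true,
  "ipConfigurations": [
    {"privateIpAddress": "10.10.1.4",
     "subnet": {"id": "/subscriptions/s/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/vmx-subnet"}}
  ]
}
"""

ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


def _is_default_route(prefix: str) -> bool:
    """True for 0.0.0.0/0; service tags such as 'Internet' are not CIDRs."""
    try:
        return ipaddress.ip_network(prefix, strict=False) == ANYWHERE
    except ValueError:
        return False


def audit_vmx_path(route_table: dict, vmx_nic: dict) -> list:
    """Return a list of findings for the workload-subnet -> vMX -> internet path.

    An empty list means every check passed. The checks mirror the items the
    thread discusses; the vMX's routed/passthrough mode lives in the Meraki
    dashboard, not in Azure, so it cannot be checked from this data.
    """
    findings = []
    ipcfgs = vmx_nic.get("ipConfigurations", [])
    vmx_ips = {c["privateIpAddress"] for c in ipcfgs}
    vmx_subnets = {c["subnet"]["id"].lower() for c in ipcfgs}

    # 1. The NVA must be allowed to forward packets not addressed to its own NIC.
    if not vmx_nic.get("enableIpForwarding"):
        findings.append("vMX NIC: IP forwarding is disabled")

    # 2. A default route must hand traffic to the vMX as a VirtualAppliance next hop.
    default_routes = [r for r in route_table.get("routes", [])
                      if _is_default_route(r.get("addressPrefix", ""))]
    if not default_routes:
        findings.append("route table: no 0.0.0.0/0 route toward the vMX")
    for r in default_routes:
        if r.get("nextHopType") != "VirtualAppliance":
            findings.append("route table: 0.0.0.0/0 next hop type is %r, expected VirtualAppliance"
                            % r.get("nextHopType"))
        elif r.get("nextHopIpAddress") not in vmx_ips:
            findings.append("route table: 0.0.0.0/0 next hop %s is not a vMX NIC address %s"
                            % (r.get("nextHopIpAddress"), sorted(vmx_ips)))

    # 3. With a VNG in the VNet, gateway-learned routes can compete with the UDR;
    #    propagation should be off on the table that steers traffic to the vMX.
    if not route_table.get("disableBgpRoutePropagation", False):
        findings.append("route table: BGP route propagation is enabled")

    # 4. The table that sends 0/0 to the vMX must not be bound to the vMX's own
    #    subnet, or the vMX's NATed egress is routed straight back to the vMX.
    for s in route_table.get("subnets", []):
        if s["id"].lower() in vmx_subnets:
            name = s["id"].rsplit("/", 1)[-1]
            findings.append("route table: associated with the vMX's own subnet %r (forwarding loop)" % name)
    return findings


def sample_findings() -> list:
    """Audit the constructed sample as exported."""
    return audit_vmx_path(json.loads(ROUTE_TABLE_JSON), json.loads(VMX_NIC_JSON))


def fixed_sample_findings() -> list:
    """Audit the sample after disabling BGP propagation and detaching it from the vMX subnet."""
    rt = json.loads(ROUTE_TABLE_JSON)
    rt["disableBgpRoutePropagation"] = True
    rt["subnets"] = [s for s in rt["subnets"] if not s["id"].endswith("/vmx-subnet")]
    return audit_vmx_path(rt, json.loads(VMX_NIC_JSON))


if __name__ == "__main__":
    for line in sample_findings() or ["no findings"]:
        print(line)
```

Against the constructed sample the audit reports two findings (BGP propagation still enabled, and the route table bound to `vmx-subnet`); after the two corrections in `fixed_sample_findings()` it reports none. The `subnets` list on a route table is the set of subnets the table is associated with, which is why the fourth check compares it with the subnet of the vMX's own NIC rather than with the VM subnet.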