Hi All!
We currently have a hosted environment and the Azure VPN client with defined routes so that ONLY traffic to Azure gets routed, which works fine. Due to compliance, we now have to have ALL traffic routed through the VPN, and now when we connect using that profile, nothing will resolve. This happens on both wired and wireless (secure) connections which are on the same LAN. If we use guest WiFi, the connection works fine, as does a mobile hotspot, and all of our remote workers do not have any issues either. See screenshots of tnc queries below. Any ideas? Seems to be something specific with the local LAN connection. Meraki tech support ran out of ideas as well.
From the secure wifi/wired LAN:
From the Guest WiFi:
Maybe a DNS issue? Which DNS server is used in the secured network? Is it reachable using the full tunnel VPN?
Have you considered spinning up a VMX in azure instead?
We have this working on our network. Have you enabled VPN mode on the VLANs? We had to put a customer firewall rule in place to enable the traffic to traverse.
Could we see your firewall policies related to this?
So you have an IPsec tunnel between your LAN and Azure, and you’re sending all your traffic over this tunnel and attempting to break out to the internet from Azure? What’s doing your NAT in this situation?
Have you verified that your DNS resolver is reachable over the tunnel? Your first screenshot makes it look like your client can't resolve hostnames.
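A quick way to answer the two questions above (which resolver each adapter is using, and whether that resolver is reachable and answering through the full tunnel). This is an added diagnostic, not from anyone in the thread; it assumes Windows PowerShell 5.1 or later and uses an arbitrary public name as the probe.

```powershell
# Added diagnostic for the full-tunnel DNS symptom discussed in this thread; it is
# not from the original post. Run it on the client while the full-tunnel profile is
# connected, once on the secure LAN and once on guest WiFi, and compare the output.
# Assumes PowerShell 5.1+ on Windows 10/11; the probe name is an arbitrary public name.
$probeName = 'www.microsoft.com'

foreach ($adapter in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
    $servers = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex `
                -AddressFamily IPv4).ServerAddresses
    Write-Host "`n[$($adapter.Name)] configured DNS servers: $($servers -join ', ')"

    foreach ($srv in $servers) {
        # Which interface and source address Windows actually uses to reach the resolver.
        # With a full-tunnel profile every resolver should be reached via the VPN adapter;
        # a resolver that only exists on the local LAN (e.g. 192.168.50.x) will then fail.
        $tnc = Test-NetConnection -ComputerName $srv -Port 53 -WarningAction SilentlyContinue
        Write-Host ("  {0,-16} via {1,-25} src {2,-16} tcp/53: {3}" -f $srv,
            $tnc.InterfaceAlias, $tnc.SourceAddress.IPAddress, $tnc.TcpTestSucceeded)

        # TCP/53 reachability is not the same as answering queries (most resolvers use UDP),
        # so also send a real query directly to that server, bypassing the local cache.
        try {
            $answer = Resolve-DnsName -Name $probeName -Server $srv -DnsOnly -ErrorAction Stop |
                      Where-Object Type -in 'A','AAAA' | Select-Object -First 1
            Write-Host "  query for $probeName -> $($answer.IPAddress)"
        } catch {
            Write-Host "  query for $probeName FAILED: $($_.Exception.Message)"
        }
    }
}

# Resolution through the system's own resolver selection; if this fails while a direct
# query to a reachable server above succeeds, the problem is interface/resolver selection.
Write-Host "`nSystem resolution of ${probeName}:"
Resolve-DnsName -Name $probeName -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress | Format-Table -AutoSize
```

If the LAN adapter hands out a 192.168.50.x resolver and the query to it fails only while the full-tunnel profile is up, the resolver is being sent into the tunnel where nothing answers; on guest WiFi the DHCP-assigned resolver differs, which is consistent with the reported behaviour.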
I wish that was an option. The powers that be said no. They want client vpn only for some reason.
Right now they are just on a single subnet but we could switch to VLAN if needed. What was the firewall rule that you had to create to get it to work?
We haven't made any changes to the default firewall configuration. We have a couple of countries blocked, and no other rules or policies. Inbound is set to deny all, outbound is allow all. We do have IP source spoofing blocked but tried unchecking that as well on the last call with Meraki.
I would try harder. This is what vMX is designed to do and why you buy Meraki in the first place
So if I understand correctly, your VPN doesn't route traffic through when you are on your internal LAN - but DOES route when you are on anything but the internal LAN?
Can you post a screenshot of the policies?
For some reason Reddit isn't allowing me to attach a photo to this reply. But under firewall I have no custom policies and the following:
Inbound Default rule Deny Any
Outbound Default Rule Allow Any
1 forwarding rule to our NVR on port 8000, and IP source address spoofing protection is on Block mode.
Let me know if you need anything else.
Was on the phone for 2 hours with Meraki troubleshooting and sent them the Azure VPN logs for both the working (Guest WiFi w/ Meraki DHCP) and non-working (Wired LAN, bridge mode on a 192.168.50.x subnet) connection. They are escalating to engineering and will reply back. He said the only thing he noticed in a packet capture of each connection log was that the SSL version was different. Our Azure VPN gateway doesn't specify any specific SSL version, so he was a bit confused about that part.
I’d start making some custom rules to dictate the traffic, despite the default rules. Maybe there is a bug?