Site-to-Site VPN Troubleshooting (2024)


Meraki Site-to-site VPN (AutoVPN) makes it easy to connect remote networks and share network resources. If VPN fails or network resources are inaccessible, there are several places to look in Dashboard to quickly resolve most problems. This article covers common site-to-site VPN issues and the recommended troubleshooting steps for each.

Troubleshooting

If there appears to be an issue with VPN, start by referencing the Security & SD-WAN > Monitor > VPN status page to check the health of the appliance's connection to the VPN registry and to the other peers. If one specific tunnel is having issues, also check the VPN status page in the Dashboard network of each peer, in case one of them is offline or disconnected from the registry.


The following sections outline common issues with site-to-site VPN and recommended troubleshooting steps:

Can't ping or access network resources on the other network

If you are unable to connect to devices on the other network from your site:

  • Are both devices online and connected to the registry?
    • As outlined above, check the Security & SD-WAN > Monitor > VPN status page for each side's Dashboard network.
  • Is the subnet you're trying to reach advertised over VPN?
    • On the remote side's Dashboard network, navigate to Security & SD-WAN > Configure > Site-to-site VPN. Under Local networks, make sure the Use VPN toggle is set to Yes for the subnet you're trying to reach. Check the same settings on your local site's Dashboard network to ensure that the subnet you're connecting from is also advertised.
    • If using a full tunnel configuration, bear in mind that when a prefix is specified as part of the VPN, everything covered by that prefix is allowed in the VPN. Overlapping prefixes therefore cause traffic in a more specific subnet to be sent through the VPN even if that subnet is not itself configured to be included in the VPN. For example, if 10.0.0.0/16 is configured to be included in the VPN but 10.0.1.0/24 is not, traffic sourced from 10.0.1.50 will still be sent over the VPN.
  • Are any firewalls blocking this traffic on the network?
    • In addition to any non-Meraki firewalls on the network that may be blocking this traffic (including a host firewall on the device you're trying to access), check the Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings section for any Site-to-site outbound firewall rules.
  • Are there any problems reaching non-VPN peers?
    • Send pings or traceroutes to public IPs (such as 8.8.8.8) or access public websites to see whether the problem is limited to VPN.
    • Try pinging the public IP of the other WAN Appliance from your local network. If this fails but general Internet connectivity appears to be fine, there is likely an upstream ISP routing issue preventing the two sites from communicating directly, even though both have Internet access and are connected to the VPN registry. Bear in mind that an upstream device may drop ICMP to that address, so a failed ping is a hint rather than proof.
  • Are there routes configured on both sides that point to the remote subnets?
    • If the WAN Appliance is not the only gateway in the network (e.g. it is connected to a layer 3 switch or router with its own directly connected networks), any devices that do not use the WAN Appliance as their gateway need their traffic routed to the WAN Appliance in order to reach the VPN. Make sure every other routing device on the network has a route to the remote VPN subnets via the WAN Appliance's local IP address.
    • For extensive details on deploying the WAN Appliance as a VPN concentrator, refer to the VPN Concentrator Deployment Guide.
  • Are these devices on non-overlapping subnets?
    • If the device on each end is on a subnet that overlaps with the other side, the WAN Appliance will be unable to route traffic to the other side, because it treats the traffic as destined for the local network. Use unique, non-overlapping subnets on every network connected to the VPN.
    • If identical networks are required on each side of a tunnel, you may need to enable VPN Subnet Translation. Note that this feature does not allow for partial overlap between subnets, and is not supported with non-Meraki VPN peers.
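The checklist above can be applied offline to the Dashboard settings of two sites. The following Python script is an added example, not code from this article or from Meraki: it models each site's Local networks rows with their Use VPN toggle, decides whether a given flow would be carried (including the covering-prefix behaviour of the 10.0.0.0/16 vs 10.0.1.0/24 case and the identical/partial overlap cases), and checks a third-party core switch's routing table for remote subnets that are not routed to the WAN Appliance's LAN IP. All site names, subnets, toggles, the routing table and the MX LAN IP 192.168.1.1 are constructed sample data, not taken from the article.

```python
"""Added example, not code from the Meraki article: an offline checker that
applies the article's reachability checklist to a pair of AutoVPN sites.
Site names, subnets, toggles and the core switch routing table are
constructed sample data; the MX LAN IP is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LocalNetwork:
    """One row under Local networks on Security & SD-WAN > Configure > Site-to-site VPN."""
    name: str
    subnet: str    # e.g. "10.0.0.0/16"
    use_vpn: bool  # the 'Use VPN' toggle


def net(s):
    return ip_network(s, strict=False)


def vpn_prefix_for(addr, site):
    """Most specific 'Use VPN' = Yes prefix covering addr, or None.
    Use VPN = No rows are ignored on purpose: once a prefix is included,
    everything under it goes to VPN, so a more specific disabled row
    does not carve traffic back out."""
    a = ip_address(addr)
    covering = [net(n.subnet) for n in site if n.use_vpn and a in net(n.subnet)]
    return max(covering, key=lambda p: p.prefixlen, default=None)


def local_subnet_for(addr, site):
    """Any configured local subnet (VPN-enabled or not) that contains addr."""
    a = ip_address(addr)
    return next((net(n.subnet) for n in site if a in net(n.subnet)), None)


def diagnose(src, dst, local_site, remote_site):
    """(status, detail) for a flow src -> dst, following the article's checks."""
    if vpn_prefix_for(src, local_site) is None:
        return "source-not-advertised", f"{src} is in no Use VPN = Yes subnet at the local site"
    mine = local_subnet_for(dst, local_site)
    if mine is not None:
        # The MX holds a local route for dst, so it will never send it over VPN.
        theirs = local_subnet_for(dst, remote_site)
        if theirs is None:
            return "local", f"{dst} is in local subnet {mine}; not a VPN flow"
        if theirs == mine:
            return "overlap-identical", f"{mine} exists on both sides; needs VPN Subnet Translation (Meraki peers only)"
        return "overlap-partial", f"local {mine} partially overlaps remote {theirs}; re-address one side"
    if vpn_prefix_for(dst, remote_site) is None:
        return "destination-not-advertised", f"{dst} is in no Use VPN = Yes subnet at the remote site"
    return "carried", f"{src} -> {dst} is sent over AutoVPN"


def unrouted_to_mx(remote_site, routes, mx_lan_ip):
    """Remote Use VPN = Yes subnets whose longest-prefix-match route on a
    third-party L3 switch does not point at the MX LAN IP (for example,
    subnets that only fall under a default route toward another router)."""
    table = [(net(p), nh) for p, nh in routes]
    bad = []
    for r in remote_site:
        if not r.use_vpn:
            continue
        target = net(r.subnet)
        hits = [(p, nh) for p, nh in table if p.supernet_of(target)]  # route must cover the whole subnet
        pfx, nh = max(hits, key=lambda h: h[0].prefixlen, default=(None, None))
        if pfx is None or ip_address(nh) != ip_address(mx_lan_ip):
            bad.append((r.subnet, str(pfx), nh))
    return bad


# Constructed sample data (not from the article or any real deployment).
HQ = [
    LocalNetwork("Servers", "10.0.0.0/16", True),
    LocalNetwork("Guest", "10.0.1.0/24", False),    # covered by the /16, so still carried
    LocalNetwork("Mgmt", "192.168.128.0/24", False),
]
BRANCH = [
    LocalNetwork("Users", "10.20.0.0/24", True),
    LocalNetwork("Printers", "10.20.1.0/24", False),
    LocalNetwork("Wifi", "10.0.2.0/24", True),      # partially overlaps HQ 10.0.0.0/16
    LocalNetwork("Lab", "192.168.128.0/24", True),  # identical to HQ Mgmt
]
HQ_MX_LAN_IP = "192.168.1.1"                        # assumed MX LAN address
HQ_CORE_ROUTES = [                                  # HQ core switch: (prefix, next hop)
    ("0.0.0.0/0", "192.168.1.254"),                 # default toward a separate Internet router
    ("10.20.0.0/24", "192.168.1.1"),                # remote Users subnet, correctly via the MX
    ("192.168.128.0/24", "192.168.1.2"),            # stale next hop, not the MX
]

if __name__ == "__main__":
    for src, dst, a, b in [
        ("10.0.1.50", "10.20.0.10", HQ, BRANCH),      # the article's /16 vs /24 case
        ("10.0.1.50", "10.20.1.10", HQ, BRANCH),      # Printers not advertised
        ("192.168.128.5", "10.20.0.10", HQ, BRANCH),  # local side not advertised
        ("10.0.5.5", "10.0.2.9", HQ, BRANCH),         # partial overlap
        ("10.20.0.10", "192.168.128.5", BRANCH, HQ),  # identical subnets
    ]:
        print(src, "->", dst, *diagnose(src, dst, a, b))
    print("not routed to MX:", unrouted_to_mx(BRANCH, HQ_CORE_ROUTES, HQ_MX_LAN_IP))
```

Run it as a script to print a verdict for each constructed flow. `unrouted_to_mx` uses longest-prefix matching and requires the route to cover the whole remote subnet, so a remote subnet that only falls under the core switch's default route toward a separate Internet router is reported, which is the usual misconfiguration behind the "routes on both sides" check.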

VPN status page reports an unfriendly NAT or disconnected from VPN Registry

If the Security & SD-WAN > Monitor > VPN status page for a given network reports either "NAT type: Unfriendly" or "VPN Registry: Disconnected", there is likely a device upstream of the WAN Appliance for that site that is preventing AutoVPN from working correctly.

  • NAT type: Unfriendly indicates that the upstream NAT will not allow the WAN Appliance to use UDP hole punching to form the tunnel. It is recommended to set NAT traversal to Manual: Port forwarding to bypass this issue.
  • VPN Registry: Disconnected indicates that the upstream device is not allowing the WAN Appliance to communicate with the VPN registry. It is recommended to configure any upstream firewalls to allow the traffic listed in Dashboard under Help > Firewall info.

For more information on these two error messages and VPN registry troubleshooting in general, reference our documentation regarding Troubleshooting VPN Registration for Meraki AutoVPN.

Problems with VPN between Meraki MX/Z-series and a non-Meraki peer

If you are having issues with a non-Meraki VPN connection and the above troubleshooting tips did not resolve the issue, reference our documentation regarding Troubleshooting Non-Meraki Site-to-Site VPN Peers.
