[TSHOOT] Troubleshoot AutoVPN and VPN Registry in Cisco Meraki MX Security Appliances

Thanks deltafalcon1

Hello Juan,
Most of the time this behavior is because some firewall rules put in place before this new implementation, since you are adding new subnets coming from these Z3s, the old firewall rules might not allow these new traffic.
The best way to find that out is taking packet captures. If you are saying that the VPN tunnel is established, the hard part is already done, this is what you can do:
- Send continuous pings form the Z3s to the internal resources and take pcaps in the VPN tunnel of both devices and the LAN side of the MX67.
+ If you see the ping requests in the LAN side of the MX67, it means that the traffic is passing through and the VPN tunnel is good. If you do not see the ping reply coming from the internal network, it means that something in the network is blocking that traffic and the MX67 is not receiving the replies.
If that is the case, your work should be focused on taking pcaps in that network and follow the traffic to understand which device is blocking the traffic or if the device itself is nor replying to the pings ( probably because of the firewall reasons I mentioned earlier) .
This is a common behavior when new VPN tunnels are established in previous infrastructures. I hope that helps you.

Hello @Carlos,
The selection of the Hub or Spoke will depend on the expected flow of the traffic. If you need a concentrated place where the major traffic will flow ( i.e. a data center or HQ) you would want to configure that place as a Hub and everyone that needs to reach out to that resource as a Spoke. However, this can change depending on your needs. You can use an additional Hub for redundancy.
If you would like to know more about the Hub-Spoke implementation, you can read the documentation below.
documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommendations
documentation.meraki.com/MX/Deployment_Guides/Datacenter_Redundancy_(DC-DC_Failover)_Deployment_Guide

Hello Bad Style,
If that is the case, you have to troubleshoot live while the issue is current and go through the video taking the pcaps to understand which part is the one with the problem and analyze how to fix it. All the should be done before rebooting it.

Hello @Andy
Most of the times that you have NAT Type unfriendly is related to the upstream NAT device you have. It is because it is not honouring either the ports the MX is using or it is changing the public IP address when the traffic goes to the VPN registry or the VPN tunnel.
Points to consider:
- Ensure that the traffic sent to the VPN registry is not altered by the NAT device ( source and destination port)
- Ensure the traffic sent to the other VPN peer is not altered by the NAT device ( same source port and source public IP address as the traffic to the VPN registry)
I would recommend you to take packet captures in the Internet interface of the MX and the internet interface of the NAT device to confirm what was mentioned above.
If this traffic is different, you will have that message. The documentation below will help you to understand better the behaviour and provide guidelines in how to fix it from your NAT device. Ultimately, it is not something that have to be addresses upstream.
documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Auto_VPN#NAT_Type:_Unfriendly