Meraki

Community

Cell Gateway Issue on UK O2 Network

GeoffC
Here to help
‎Nov 8 2021 3:15 PM
‎Nov 8 2021 3:15 PM

Cell Gateway Issue on UK O2 Network

Hi, we're rolling out a Meraki network around England using the O2 network (primarily) and the EE network.

 

If two sites each have O2 SIMs, they don't establish the site-to-site VPN.

 

Any other combination works - O2 to EE, EE to EE, O2 to fixed line.

 

What's the magic trick to get O2 to O2 working please?

 

Cheers,

Geoff.

 

0 Kudos
5 Replies 5
MilesMeraki
Head in the Cloud
‎Nov 8 2021 11:17 PM
‎Nov 8 2021 11:17 PM

Sounds like the issue could be with 02? Have you reached out to them at all and described the issue? Assuming there could be something from stopping IPSEC from establishing?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
ConnorL
Meraki Employee
Meraki Employee
‎Nov 9 2021 4:08 AM
‎Nov 9 2021 4:08 AM

Likely carrier-grade NAT if you're not using a SIM/APN with a public IP. 

https://en.wikipedia.org/wiki/Carrier-grade_NAT

 

I'd perform packet captures on both MXs to see which end is only getting unidirectional traffic, then speak to your carrier to get a proper public IP address assigned to your SIM. 

GreenMan
Meraki Employee
Meraki Employee
‎Nov 9 2021 8:18 AM
‎Nov 9 2021 8:18 AM

As Connor suggested - use packet capture to understand what's going on, first.    My experience is that, in many CG-NAT cases, you can work around by reconfiguring your VPN Hubs to use Manual NAT traversal.   

Security & SD-WAN > Configure > Site-to-site VPN     change from NAT traversal = Automatic  to    Manual : port forwarding,

 

Specify a particular public IP and associated UDP port number for the VPN service to reside on.   The upstream firewall, behind which the Hub NATs, will need to be configured to match (to forward this traffic to the MX by its real IP, port unchanged).    I’d recommend choosing a port between 1025 and 32768, but avoiding 4500.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 9 2021 11:20 AM
‎Nov 9 2021 11:20 AM

I'm not from your country ... find out what APNs O2 offers.  Many carriers (at least all the ones in my country) have a different APN you can use which is not firewalled and allows you to get an actual public IP address.

In response to PhilipDAth
GeoffC
Here to help
‎Nov 9 2021 10:33 PM
‎Nov 9 2021 10:33 PM

Hi all, many thanks for your feedback and suggestions - much appreciated!

 

Based on what I've seen here in Australia, it does look like an APN issue, so we'll need to change our SIMs.

 

If anyone has first-hand experience with Meraki's and O2 SIMs, I'd really like to hear how you set up your network please.

 

Cheers, Geoff.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.