Hi Experts
I had created a site-to-site tunnel with a non-Meraki device (FTD) using IKEv1. The tunnel comes up, but for a few traffic selectors traffic is not getting initiated from Meraki, while it works when initiated from FTD.
MX version 18.211.2
Does anyone have any fix? The same is happening with IKEv2 when using FQDN.
Hello @Tishman
Based on what you said, I suspect your Traffic Selectors (TS; a.k.a. encryption domain) don't match exactly.
I.e.: the MX side may have a /24 subnet while the other side has a /25; so it works if the other side initiates because the MX TS is like a summary route. On the other hand, MX initiating doesn't work because the other side has a /25, a more specific TS.
You may want to double-check with the network admin at the other side and make sure both sides are configured with the exact subnets as traffic selector (TS).
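To make the summary-route effect concrete, here is an added example (not part of the reply above, and not Meraki or Cisco tooling) that checks, for each direction of initiation, whether the responder's configured traffic selectors cover what the initiator proposes. It assumes the rule the reply describes: without narrowing (IKEv1), a proposal is accepted only if it fits inside a configured selector; the `allow_narrowing` switch models IKEv2-style narrowing, where any overlap is usable. The subnets are constructed sample values.

```python
from ipaddress import ip_network

# Each side lists (local, remote) CIDR pairs from its own point of view.
# When a side initiates, it proposes its own pairs; the responder accepts a
# proposal only if one of its configured pairs covers it (sides swapped).

def _covers(configured, proposed, allow_narrowing):
    """Does the responder's configured selector accept the proposed one?"""
    if allow_narrowing:
        # IKEv2-style: responder can narrow to the overlap, so overlap suffices.
        return configured.overlaps(proposed)
    # IKEv1-style (assumed, as in the reply): proposal must fit inside config.
    return proposed.subnet_of(configured)


def check_initiation(initiator_ts, responder_ts, allow_narrowing=False):
    """Return the initiator's (local, remote) pairs the responder would reject."""
    rejected = []
    for i_local, i_remote in initiator_ts:
        p_local, p_remote = ip_network(i_local), ip_network(i_remote)
        accepted = False
        for r_local, r_remote in responder_ts:
            c_local, c_remote = ip_network(r_local), ip_network(r_remote)
            # Initiator's local must match responder's remote, and vice versa.
            if (_covers(c_remote, p_local, allow_narrowing)
                    and _covers(c_local, p_remote, allow_narrowing)):
                accepted = True
                break
        if not accepted:
            rejected.append((i_local, i_remote))
    return rejected


def both_directions(side_a, side_b, allow_narrowing=False):
    """Run the check with A initiating and with B initiating."""
    return {
        "a_initiates": check_initiation(side_a, side_b, allow_narrowing),
        "b_initiates": check_initiation(side_b, side_a, allow_narrowing),
    }


# Constructed sample: MX (site A) uses a /24 for its LAN, FTD (site B) lists
# only a /25 of that LAN as its remote network, i.e. a narrower selector.
MX_TS = [("10.1.1.0/24", "192.168.50.0/24")]
FTD_TS = [("192.168.50.0/24", "10.1.1.0/25")]

if __name__ == "__main__":
    for direction, rejected in both_directions(MX_TS, FTD_TS).items():
        print(direction, "rejected:", rejected or "none")
```

With the sample above, FTD initiating is accepted (its /25 fits in the MX /24) while MX initiating is rejected, which is the asymmetry the reply describes.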
Both site A and site B are managed by me, so traffic selectors are the same at both sides. It is a random issue, not happening continuously.
Hi, thanks for checking.
If it is random, maybe it is related to firmware.
Perhaps you can try the latest patch in version 18.211.3. I hope you can also upgrade your non-Meraki VPN peer.
Have you checked firmware?
Looks like we have the same topic going in multiple locations now, for the latest head on over to https://community.meraki.com/t5/Security-SD-WAN/Traffic-not-getting-initiated-from-IKEv1-and-IKEv2-f... for continued discussion on non-Meraki IKEv1 not initiating traffic over tunnels.
Is there any way we can decrypt the pcap files taken for VPN traffic from Meraki? It would make the picture clearer for this issue.