Some information.
One MX running the latest 17 release.
A firepower firewall running 6.7.0
On the MX we have an IKEv2 IPsec running just fine towards Azure.
But this new tunnel we are setting up towards an external Firepower firewall fails.
Settings on both ends are the same.
I also did a packet capture, and can see that the handshake contains the correct / same association settings.
(Aka. the first two packets that are unencrypted).
Then the IKE_Auth packets, and then information packets.
And then it stops. As always, it's almost impossible to debug anything... so I'm kinda at a loss.
Any suggestions as to what could be wrong?
Is this one of the "Use IKEv1" cases because Firepower 6.7.0 does not "like" the way MX does IKEv2 in this release?
Thanks
Thomas
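Added example, not part of the original post: a small Python parser for the unencrypted IKEv2 header that classifies a captured exchange sequence like the one described above (clear IKE_SA_INIT, IKE_AUTH, INFORMATIONAL, then silence) and reports where the negotiation stops. Exchange types, flags and payload numbers are taken from RFC 7296; the sample capture and the verdict heuristics are constructed for this example.

```python
import struct

# IKEv2 fixed header and exchange types (RFC 7296, section 3.1); the header is never encrypted.
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
HEADER_FMT, HEADER_LEN = "!QQBBBBII", 28  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length

def parse_ike_header(data):
    """Decode the 28-byte IKEv2 header of one UDP/500 (or UDP/4500 after the non-ESP marker) datagram."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": nxt, "msg_id": msg_id, "length": length,
            "exchange": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
            "response": bool(flags & FLAG_RESPONSE), "initiator": bool(flags & FLAG_INITIATOR)}

def classify_handshake(packets):
    """Return (exchange sequence, verdict). Heuristic: only header fields are used, because every
    payload after IKE_SA_INIT is encrypted and the exact notify type is not visible in a capture."""
    seq = [(h["exchange"], "resp" if h["response"] else "req") for h in map(parse_ike_header, packets)]
    if ("IKE_SA_INIT", "resp") not in seq:
        return seq, "no IKE_SA_INIT response: peer unreachable or UDP/500 filtered"
    if ("IKE_AUTH", "req") not in seq:
        return seq, "IKE_SA_INIT answered but no IKE_AUTH: the SA_INIT response probably carried a clear-text error notify (e.g. NO_PROPOSAL_CHOSEN)"
    if ("IKE_AUTH", "resp") not in seq:
        return seq, "IKE_AUTH request never answered: responder dropped it silently"
    if seq[-1][0] == "INFORMATIONAL":
        return seq, ("IKE_AUTH answered, then INFORMATIONAL and silence: consistent with a DELETE after a failed IKE_AUTH "
                     "(identity, PSK or traffic-selector mismatch); the notify is encrypted, so read the responder's IKE log")
    return seq, "IKE_AUTH completed with no teardown seen: IKE SA should be up, check the child SA / ESP"

def build_header(spi_i, spi_r, next_payload, exch, flags, msg_id):
    """Constructed sample packet for testing: header only, no payloads (length field = 28)."""
    return struct.pack(HEADER_FMT, spi_i, spi_r, next_payload, 0x20, exch, flags, msg_id, HEADER_LEN)

# Constructed capture mirroring the post: two clear-text IKE_SA_INIT packets, IKE_AUTH both ways,
# an INFORMATIONAL exchange started by the responder, then nothing more.
SPI_I, SPI_R = 0x1111111111111111, 0x2222222222222222
SAMPLE_CAPTURE = [
    build_header(SPI_I, 0, 33, 34, FLAG_INITIATOR, 0),                      # IKE_SA_INIT request, next payload SA
    build_header(SPI_I, SPI_R, 33, 34, FLAG_RESPONSE, 0),                   # IKE_SA_INIT response
    build_header(SPI_I, SPI_R, 46, 35, FLAG_INITIATOR, 1),                  # IKE_AUTH request, next payload SK
    build_header(SPI_I, SPI_R, 46, 35, FLAG_RESPONSE, 1),                   # IKE_AUTH response
    build_header(SPI_I, SPI_R, 46, 37, 0, 0),                               # INFORMATIONAL from the responder
    build_header(SPI_I, SPI_R, 46, 37, FLAG_INITIATOR | FLAG_RESPONSE, 0),  # INFORMATIONAL response
]
```

To use it on a real capture, feed the UDP payloads of the IKE packets (in capture order) to classify_handshake; the responder's IKE log is still needed for the encrypted notify type.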
Have you definitely got the IKEv2 identity configured on the Meraki side to match the IP address configured on the Firepower (if the Firepower is behind a device doing NAT - it will need to be the private IP address on the Firepower)?
Yep. The FP box has the public IP that we try to reach it on (and of course the MX is also directly connected to the internet). No NAT is involved on either side.
Downgrade your MX to version 16.16.6 and test it again. Version 17.x is not stable anymore.
But is that seriously the reason? I don't see any mention of Site-to-Site bugs in either release note. (I know there are changes in 18.x, but that is mentioned in the notes):
Trust me, I performed tests with versions 17.10.1, 17.10.2 and 18.x, and I had many issues with all of them.