Another "Site-To-Site IPsec MX <-> Firepower" thread.

thomasthomsen
Kind of a big deal

Some information.

One MX running the latest 17 release.

A Firepower firewall running 6.7.0.

On the MX we have an IKEv2 IPsec running just fine towards Azure.

But this new tunnel we are setting up towards an external Firepower firewall fails.

Settings on both ends are the same.

I also did a packet capture, and can see that the handshake contains the correct / same association settings.

(I.e. the first two packets, which are unencrypted.)

Then the IKE_Auth packets, and then information packets.

And then it stops. As always, it's almost impossible to debug anything ... so I'm kind of at a loss.

Any suggestions as to what could be wrong?

Is this one of the "Use IKEv1" cases because Firepower 6.7.0 does not "like" the way the MX does IKEv2 in this release?

Thanks

Thomas
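The check described in the post above, comparing the SA proposals carried in the two unencrypted IKE_SA_INIT packets, as an added example that is not part of this thread and not Meraki or Cisco code: a small Python decoder for the IKEv2 header and SA payload (RFC 7296 layout) that lists each side's transforms and reports which transform type differs when no proposal matches. The two sample packets, the SPIs and the "MX" and "Firepower" transform sets are constructed for illustration and are not taken from the poster's capture; in practice you would feed it the SA payload bytes exported from the capture of each side's IKE_SA_INIT message.

```python
"""Decode IKEv2 IKE_SA_INIT SA payloads (RFC 7296) and compare two sides' proposals.
Added example with constructed packets; not code from the thread or from Meraki/Cisco."""
import struct

TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
PAYLOAD_SA = 33          # Security Association payload type
EXCH_IKE_SA_INIT = 34    # exchange type of the first (unencrypted) message pair
ATTR_KEY_LENGTH = 14     # transform attribute "Key Length" (sent in TV form, 0x800e)


def parse_ike_header(pkt):
    """28-byte IKE header: SPIi, SPIr, next payload, version, exchange, flags, msg id, length."""
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", pkt[:28])
    return {"spi_i": spi_i, "spi_r": spi_r, "next_payload": nxt, "major": ver >> 4,
            "exchange": exch, "flags": flags, "msg_id": msg_id, "length": length}


def parse_transform(buf):
    """Transform substructure: last/more, reserved, length, type, reserved, id, attributes."""
    more, _, length, ttype, _, tid = struct.unpack("!BBHBBH", buf[:8])
    attrs, off = {}, 8
    while off < length:
        af_type, value = struct.unpack("!HH", buf[off:off + 4])
        if af_type & 0x8000:            # TV format: the 2-byte value follows directly
            attrs[af_type & 0x7FFF] = value
            off += 4
        else:                           # TLV format: 'value' is the attribute length; skip it
            off += 4 + value
    return more, length, {"type": TRANSFORM_TYPES.get(ttype, ttype), "id": tid,
                          "key_len": attrs.get(ATTR_KEY_LENGTH)}


def parse_sa_payload(buf):
    """Decode the proposals of an SA payload body (the bytes after the generic payload header)."""
    proposals, off = [], 0
    while off < len(buf):
        more, _, plen, pnum, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", buf[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, tlen, t = parse_transform(buf[toff:])
            transforms.append(t)
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        off += plen
        if more == 0:
            break
    return proposals


def parse_ike_sa_init(pkt):
    """Walk the payload chain of an IKE_SA_INIT message and return (header, proposals)."""
    hdr = parse_ike_header(pkt)
    if hdr["major"] != 2 or hdr["exchange"] != EXCH_IKE_SA_INIT:
        raise ValueError("not an IKEv2 IKE_SA_INIT message")
    proposals, off, nxt = [], 28, hdr["next_payload"]
    while nxt != 0 and off + 4 <= len(pkt):
        np, _, plen = struct.unpack("!BBH", pkt[off:off + 4])   # generic payload header
        if nxt == PAYLOAD_SA:
            proposals = parse_sa_payload(pkt[off + 4:off + plen])
        nxt, off = np, off + plen
    return hdr, proposals


def transform_set(proposal):
    return frozenset((t["type"], t["id"], t["key_len"]) for t in proposal["transforms"])


def common_proposals(init_props, resp_props):
    """(initiator proposal number, responder proposal number) pairs with identical transform sets."""
    return [(a["number"], b["number"]) for a in init_props for b in resp_props
            if transform_set(a) == transform_set(b)]


def explain_mismatch(a, b):
    """Per transform type, the (id, key_len) values each side offers, only where they differ."""
    key, diff = (lambda x: (x[0], x[1] or 0)), {}
    for ttype in TRANSFORM_TYPES.values():
        va = {(t["id"], t["key_len"]) for t in a["transforms"] if t["type"] == ttype}
        vb = {(t["id"], t["key_len"]) for t in b["transforms"] if t["type"] == ttype}
        if va != vb:
            diff[ttype] = (sorted(va, key=key), sorted(vb, key=key))
    return diff


# --- constructed sample packets (hypothetical values, not from the poster's capture) ---
def build_transform(ttype, tid, key_len=None, last=False):
    attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, key_len) if key_len else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def build_ike_sa_init(spi_i, spi_r, transforms, initiator=True):
    tbytes = b"".join(build_transform(*t, last=(i == len(transforms) - 1))
                      for i, t in enumerate(transforms))
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 1, 1, 0, len(transforms)) + tbytes
    sa = struct.pack("!BBH", 0, 0, 4 + len(proposal)) + proposal
    flags = 0x08 if initiator else 0x20                       # I bit / R bit
    return struct.pack("!QQBBBBII", spi_i, spi_r, PAYLOAD_SA, 0x20, EXCH_IKE_SA_INIT,
                       flags, 0, 28 + len(sa)) + sa


# (transform type, transform ID, key length): AES-CBC-256 / PRF-SHA256 / HMAC-SHA256-128 / DH group
MX_TRANSFORMS = [(1, 12, 256), (2, 5, None), (3, 12, None), (4, 14, None)]
FP_TRANSFORMS = [(1, 12, 256), (2, 5, None), (3, 12, None), (4, 2, None)]   # same except DH group 2
MX_PKT = build_ike_sa_init(0x1111111111111111, 0, MX_TRANSFORMS, initiator=True)
FP_PKT = build_ike_sa_init(0x1111111111111111, 0x2222222222222222, FP_TRANSFORMS, initiator=False)

if __name__ == "__main__":
    _, mx = parse_ike_sa_init(MX_PKT)
    _, fp = parse_ike_sa_init(FP_PKT)
    print("common:", common_proposals(mx, fp))
    print("differs:", explain_mismatch(mx[0], fp[0]))
```

Two proposals only count as matching when every transform type, ID and key length agrees, which is the comparison the "settings on both ends are the same" claim rests on; a lone DH-group or key-length difference is exactly the kind of mismatch that is easy to miss in a GUI but shows up in the first two packets.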

5 Replies
PhilipDAth
Kind of a big deal

Have you definitely got the IKEv2 identity configured on the Meraki side to match the IP address configured on the Firepower (if the Firepower is behind a device doing NAT - it will need to be the private IP address on the Firepower)?

thomasthomsen
Kind of a big deal

Yep. The FP box has the public IP that we try to reach it on (and of course the MX is also directly connected to the internet). No NAT is involved on either side.

alemabrahao
Kind of a big deal

Downgrade your MX to version 16.16.6 and test it again. Version 17.x is not stable anymore.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
thomasthomsen
Kind of a big deal

But is that seriously the reason? I don't see any mention of Site-to-Site bugs in either set of release notes. (I know there are changes in 18.x, but that is mentioned in the notes.)

alemabrahao
Kind of a big deal

Trust me, I performed tests with versions 17.10.1, 17.10.2, and 18.x, and I had many issues with all of them.
