AutoVPN Troubleshooting

SOLVED
TimBisel
Getting noticed

AutoVPN Troubleshooting

Continuing issue for us is an AutoVPN connection that literally can bounce a dozen times a day. But the Meraki dashboard, even though it sends constant alerts saying VPN is down/up, says the connection is solid. Location is a DSL site. Questions are: 1. Can double NAT cause issues with the AutoVPN? 2. Does anyone else have experience with an MX on a DSL connection and have any issues? 3. Is there ANYTHING at all I can use to try and diagnose what is going on with this VPN connection?

1 ACCEPTED SOLUTION

Hey @TimBisel,

 

You want to set the uplink statistic up pointing to the public IP address of the remote end, not the LAN side. 

 

That way you will monitor WAN-WAN connectivity rather than over the VPN.

 

Thanks!

 

G

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!


11 REPLIES 11
nwu1
Here to help

Hey TimBisel,

 

Are you seeing anything in the VPN status of the MX, at the DSL site and the other end? I haven't heard of the type of connection affecting VPN, as you have the correct ports open upstream (verify your specific network's connection to the Meraki VPN registry by going to Help > Firewall Rules). To answer question 1 as well, double NAT can cause flapping in previous cases.

 

Finally I would recommend looking at the things listed here and see if you experience the same issues:

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Aut...

 

 

Cheers,

Nick

TimBisel
Getting noticed

I have a very large amount of VPN status change alerts on both sides of the VPN but no details on why. I think I might be running into issues with the onsite router (Verizon DSL). I am thinking that if it was set up with the default 192 address and still has NAT translation enabled, then maybe the firewall rules were left default as well and could be causing it.

mel-astrosat
Here to help

Have you run tracert from either end during up and down periods? That might indicate where the break is.

"Periods" are usually <30 seconds, often showing multiple instances of down/up within the same minute in the alert email. I don't mean "Man, this VPN is down, I need to wait to connect"; more of a "Why am I getting 5-6 emails from Meraki every day filled with multiple instances of this connection going up and down?" For example, I am right now looking at an email from last night where it went down/up 8 times in 5 minutes and all the "outages" were <1 minute.

GiacomoS
Meraki Employee

Hi @TimBisel,

 

I will echo @nwu1's response, and I would recommend following the article to troubleshoot this too.

 

There is, however, another action you might want to take to understand if there is a break in the communication between the two sites: you can navigate to Security appliance > Traffic shaping and set up an Uplink statistic with the public IP address of the remote Meraki MX as the destination.

You can then see the information under Security appliance > Appliance status > Uplink, and this would greatly help you understand if there are any drops occurring over the WAN or if the issue is just on the VPN tunnel.

 

If you see frequent disconnections on the event log to the VPN registry, give us a call as we might be able to take some remediation steps.

 

Thanks!

 

Giacomo


I would very much like to determine if it's a connection issue or a VPN issue. But I am confused. If I put an uplink statistic check to my remote site from HQ, wouldn't that just go over the same VPN, and if/when the VPN drops, wouldn't it then just go over the WAN? I have a statistic set up for Google (8.8.8.8) already.


Ok that makes more sense, thanks.

One of our sites had some old network equipment die, so this is the first time I was able to look at it. It does seem to have some short periods of packet loss. But there were no notifications from these drops, and the last alert I got was at 3am and seems to line up with one of the peaks of packet loss. There are some other points that have packet loss where I did not receive an alert. Is there a % threshold at which a link is considered down? Does anyone know how much overhead VPN adds to the bandwidth? I thought maybe our speeds just slow down to the point where the VPN can't stay connected.

Happened twice more, looks like it is packet loss hitting ~25%. So it must be some threshold for packet loss that is sending the alarm. The ping helped, thanks everyone.
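The accepted answer's point (probe the remote MX's public IP so you measure WAN-to-WAN rather than over the tunnel) and the observation above (alerts line up with loss around ~25%) are easier to act on if both probe series are compared side by side. The script below is an added example written for this thread, not Meraki dashboard code or anything the posters supplied. It assumes you already have two probe series of equal length: replies from the remote public IP (WAN-to-WAN) and replies from an address reachable only through the tunnel. The probe data and the 25% threshold are constructed for illustration; the dashboard's real alert threshold is not documented on this page.

```python
"""Rolling packet-loss classifier for AutoVPN flap triage.

Added example for this thread, not Meraki code. It assumes two probe
series: one toward the remote MX's public IP (WAN-to-WAN) and one toward
an address only reachable through the tunnel. All probe data below is
constructed; nothing here was captured from a real site.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Assumed threshold. TimBisel saw alerts near ~25% loss; the dashboard's
# actual threshold is not stated on this page.
LOSS_THRESHOLD_PCT = 25.0


@dataclass(frozen=True)
class Window:
    start: int        # index of the first probe in the window
    wan_loss: float   # % of probes lost toward the remote public IP
    vpn_loss: float   # % of probes lost toward the tunnel-only address
    verdict: str      # "healthy", "wan_loss" or "tunnel_only"


def loss_pct(results: Sequence[bool]) -> float:
    """Percent of probes without a reply (True means a reply came back)."""
    if not results:
        return 0.0
    lost = sum(1 for ok in results if not ok)
    return round(100.0 * lost / len(results), 1)


def verdict(wan_loss: float, vpn_loss: float,
            threshold: float = LOSS_THRESHOLD_PCT) -> str:
    """Decide whether the circuit or only the tunnel is dropping packets."""
    if wan_loss >= threshold:
        return "wan_loss"      # the DSL circuit itself is dropping; VPN flap is a symptom
    if vpn_loss >= threshold:
        return "tunnel_only"   # WAN-to-WAN is fine, the tunnel is what fails
    return "healthy"


def rolling_windows(wan: Sequence[bool], vpn: Sequence[bool],
                    size: int = 10) -> List[Window]:
    """Slide a fixed-size window over both series and classify each position."""
    if len(wan) != len(vpn):
        raise ValueError("probe series must be the same length")
    windows = []
    for start in range(0, len(wan) - size + 1):
        w = loss_pct(wan[start:start + size])
        v = loss_pct(vpn[start:start + size])
        windows.append(Window(start, w, v, verdict(w, v)))
    return windows


def flap_events(windows: Sequence[Window]) -> List[Tuple[int, int, str]]:
    """Collapse runs of adjacent non-healthy windows into (first, last, verdict)."""
    events: List[Tuple[int, int, str]] = []
    for win in windows:
        if win.verdict == "healthy":
            continue
        if events and events[-1][2] == win.verdict and events[-1][1] == win.start - 1:
            events[-1] = (events[-1][0], win.start, win.verdict)
        else:
            events.append((win.start, win.start, win.verdict))
    return events


def constructed_probes() -> Tuple[List[bool], List[bool]]:
    """Constructed sample: 40 one-second probes per target.

    Probes 10-13 are lost on both paths (a real circuit drop, the tunnel
    follows); probes 28-30 are lost only through the tunnel (WAN is clean).
    """
    n = 40
    wan = [i not in range(10, 14) for i in range(n)]
    vpn = [i not in range(10, 14) and i not in range(28, 31) for i in range(n)]
    return wan, vpn


if __name__ == "__main__":
    wan, vpn = constructed_probes()
    for first, last, kind in flap_events(rolling_windows(wan, vpn)):
        print(f"probes {first}-{last + 9}: {kind}")
```

Feeding real data means replacing `constructed_probes()` with per-probe results from the two uplink statistics (or from a host behind each MX pinging the remote public IP and a remote LAN address). A run of `wan_loss` events that matches the alert timestamps points at the Verizon DSL circuit, as in the thread; `tunnel_only` events with a clean WAN would instead justify the call to Meraki support that Giacomo suggested.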

OCT_OMG
Getting noticed

We've got several AutoVPN sites on DSL/cable along with several more on enterprise fiber and have seen this same VPN tunnel flapping behavior on occasion. I've always assumed it was the lifetime timer expiring and tearing down the tunnel due to an absence of interesting traffic, but never examined it any further since it didn't affect operations.

 

 

While this may not apply to a Meraki AutoVPN connection, here's a Meraki document on IPSec VPN Lifetime settings that may help out if you've got a connection to a non-Meraki peer.

 
