Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AutoVPN and Fritzbox

joopv
Getting noticed
‎Feb 3 2023 4:24 PM
‎Feb 3 2023 4:24 PM

AutoVPN and Fritzbox

It looks as if the Fritzbox 7590 xDSL ISP router is not fully compatible with Meraki's AutoVPN mechanisms. 

We have major issues with MX67 spokes connecting to a vMX hub in AWS.  Tunnels going down and staying down until we reboot the MX or the Fritzbox.

 

Does anyone have the same experience? 

Labels:
0 Kudos
Subscribe
7 Replies 7
Stefan_Zuber
Here to help
‎Feb 3 2023 5:33 PM
‎Feb 3 2023 5:33 PM

I had the same issue some time ago. We set the MX as „Exposed Host“ in the Fritzbox configuration as workaround.

0 Kudos
Subscribe
joopv
Getting noticed
‎Feb 6 2023 1:23 AM
‎Feb 6 2023 1:23 AM

Thanks for your reply.  Did you do any troubleshooting, like firmware upgrading, opening a case with Meraki / AVM etc?

 

We have 6 HUB's and 320 spokes with an MX67 behind a Fritzbox 7590.  Somehow autoVPN issues on multiple locations started last week, affecting only the autoVPN to 1 of the 6 hubs.

 

Making an exposed host could be an option, but we would have to disable the DHCP client on the MX.  Not something i'm looking forward to do.

 

0 Kudos
Subscribe
In response to joopv
Stefan_Zuber
Here to help
‎Feb 16 2023 12:53 AM
‎Feb 16 2023 12:53 AM

I did not further troubleshooting with new firmware etc. The initial setup was good and after a long time running fine this issue happend for more and more sites.

In a wireshark capture on the VPN concentrator (Hub) all looks good (source IP and port of the VPN peer). The issue was very strange for us. But we had only around 5 sites with this issue, not 320 spokes 😥

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 6 2023 12:03 PM
‎Feb 6 2023 12:03 PM

I'm not familiar with the Fritzbox, but I have seen issues like this before with the way that CPE do NAT (ageing out the NAT entries pre-maturely, usually based on creation date rather than last used date).

 

If the issue is only to Amazon AWS VMX hosts, then the easiest way to resolve this is to configure the VMX to use a manual NAT traversal.  For example:

PhilipDAth_0-1675713695902.png

And make sure that the AWS security group allows whatever port you use in from everywhere.

0 Kudos
Subscribe
joopv
Getting noticed
‎Feb 10 2023 2:43 AM
‎Feb 10 2023 2:43 AM

Thanks,

 

On the vMX in AWS there already is a manual NAT configured.

0 Kudos
Subscribe
nhulsch
Just browsing
‎Feb 27 2023 4:36 AM
‎Feb 27 2023 4:36 AM

Are you already on Fritz!OS version 7.50? We have experienced this with 7.29 but it was gone after updating to 7.50

0 Kudos
Subscribe
Stunter02
Just browsing
‎Feb 28 2023 10:24 PM
‎Feb 28 2023 10:24 PM

Very interesting... We also have a similar issue. We are adding an MX 67 on our spokes that goes over AutoVPN to our DC and it only happened a few times in the beginning, but now with every migration of adding an MX 67 to a spoke for SD-WAN, we need to reboot our MX. 

We are also connecting to a Fritzbox and most of the time it is the 7590. We just passed the 100 mark for migrations, but our issue is with the CAP WAP traffic of Cisco AP's that do not want to show up on WLC (Flex Connect) and the only option at the moment to fix this is to reboot MX then it is fixed. 

We do have an open case with Meraki and they have no clue why it is, but we can see that the UDP port is changed when it comes back to the spoke. I am going to check the firmware of the Fritzbox and see if this is related. 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.