Meraki

Community

Blocking error after upgrading Security appliance from version MX 14.53 to 15.42.1

Solved
GoOn
Getting noticed
‎Jun 25 2021 7:32 AM
‎Jun 25 2021 7:32 AM

Blocking error after upgrading Security appliance from version MX 14.53 to 15.42.1

Hello to everybody!

I'm subscribed to this community since I'm experiencing a blocking issue with my security appliance, and the support is lacking to help: it's a month since we opened a case, and we are still without a solution.

 

Since the upgrade from version MX 14.53 to 15.42.1 of our MX65W, the VPN connection with a remote Non-Meraki peer was degraded. It's always impossibile to connect to remote SQL sever, to whom it was possible with 14.53. The error returned now is:

"The connection with the server was established successfully, but then an error occurred during the pre-login handshake. (provider: SSL Provider, error: 0 - Wait time expired.) (Microsoft SQL Server, error: 258)"

 

Also navigation on shared folder, physically based on the remote peer (on a server on the remote peer) is very slow, and sometimes Windows is unable to open it.

 

Is there someone can help me?

 

Many thanks in advance!

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 26 2021 3:02 PM
‎Jun 26 2021 3:02 PM

DES performance on the MX is terrible.  If you are using DES change to AES.

 

I wonder if the VPN is flapping.  If you leave a ping running is it stable, or do you get a lot of packet loss?

The 15.x code has started enforcing the peer-ID, which 14.x did not.  Have you got a peer ID specified?  If not perhaps this is causing the VPN to flap.  The peer ID is usually the IP address configured on the WAN interface of the remote firewall (if the remote firewall is sitting behind a device doing NAT then it will be the private IP address on its WAN interface).

 

To test the MTU idea try this on one of the machines having the issue:

You need to find the name of the network adaptor being used with this command: 
netsh interface ipv4 show subinterface 

  

Then run this command to change the MTU (change "Local Area Connection" to the adaptor name above): 

netsh interface ipv4 set subinterface “Local Area Connection 2” mtu=1300

 

If this does resolve it, run the last command again and add "store=persistent" then it will stick across reboots.

 

 

If either end is behind an asymmetric circuit (different up and down speeds) try enabling timestamps on BOTH ends.

netsh int tcp set global timestamps=enable

 

View solution in original post

9 Replies 9
ww
Kind of a big deal
Kind of a big deal
‎Jun 25 2021 8:06 AM
‎Jun 25 2021 8:06 AM

Maybe some mtu size problem

In response to ww
GoOn
Getting noticed
‎Jun 25 2021 8:16 AM
‎Jun 25 2021 8:16 AM

Thanks!

Is there any setting that can be done to solve it?

0 Kudos
In response to GoOn
Bruce
Kind of a big deal
‎Jun 25 2021 3:33 PM
‎Jun 25 2021 3:33 PM

@GoOn, if it is an MTU issue, the MTU is normally discovered automatically, but relies on ICMP packets. Are you blocking ICMP anywhere? Are you seeing any messages in the event log on the MX about the VPN? Is the tunnel stable?

0 Kudos
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jun 25 2021 11:38 PM
‎Jun 25 2021 11:38 PM

Hi @GoOn , if it’s an ongoing issue and support are struggling to resolve why don’t you request to rollback to your previous stable issue?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 26 2021 3:02 PM
‎Jun 26 2021 3:02 PM

DES performance on the MX is terrible.  If you are using DES change to AES.

 

I wonder if the VPN is flapping.  If you leave a ping running is it stable, or do you get a lot of packet loss?

The 15.x code has started enforcing the peer-ID, which 14.x did not.  Have you got a peer ID specified?  If not perhaps this is causing the VPN to flap.  The peer ID is usually the IP address configured on the WAN interface of the remote firewall (if the remote firewall is sitting behind a device doing NAT then it will be the private IP address on its WAN interface).

 

To test the MTU idea try this on one of the machines having the issue:

You need to find the name of the network adaptor being used with this command: 
netsh interface ipv4 show subinterface 

  

Then run this command to change the MTU (change "Local Area Connection" to the adaptor name above): 

netsh interface ipv4 set subinterface “Local Area Connection 2” mtu=1300

 

If this does resolve it, run the last command again and add "store=persistent" then it will stick across reboots.

 

 

If either end is behind an asymmetric circuit (different up and down speeds) try enabling timestamps on BOTH ends.

netsh int tcp set global timestamps=enable

 

In response to PhilipDAth
GoOn
Getting noticed
‎Jun 27 2021 12:54 AM
‎Jun 27 2021 12:54 AM

Hello to everybody!

Thank you for your replies!! 

 

The VPN connection is stable over a 10 minutes of ping -t process.

Also the support engineer said that there are no issues on VPN tunneling.

 

My MTU are set to 1500 now, that I'm having the issue. At what value I have to set it?

0 Kudos
In response to GoOn
Bruce
Kind of a big deal
‎Jun 27 2021 3:38 AM
‎Jun 27 2021 3:38 AM

Try it at 1300, that should be low enough to allow for the additional headers (due to the VPN) and to determine if the MTU size is the problem.

In response to Bruce
GoOn
Getting noticed
‎Jun 28 2021 8:12 AM
‎Jun 28 2021 8:12 AM

MTU size was definitively the problem!

Set to 1300, SQL connection is now working fine!!

 

You all was a lot quicker and gave me a better support than the Meraki official one! 

 

Thanks to all!

In response to PhilipDAth
Manjinder
Here to help
‎Jan 11 2022 11:40 AM
‎Jan 11 2022 11:40 AM

@PhilipDAth  Thank you for the commands/fix. With 15.x/16.15 observed slow browsing/file download. MTU modifications to 1300 resolved the issue.👍  to be specific : Non Meraki VPN to pfSense.

li.common.scroll-to.top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.