Meraki

Community

Daily and Weekly VPN Drops But Probably Caused by Remote Device

MarcW
Here to help
‎Sep 9 2024 2:39 PM
‎Sep 9 2024 2:39 PM

Daily and Weekly VPN Drops But Probably Caused by Remote Device

I have 10 MX's that all talk to the same remote device.  Many mornings, I will lose some of my site to site VPN connections to the non-Meraki peer. 

 

What can I change/ extend such that the MX's will keep trying longer to maintain the connection even if it is the remote device dropping it?  Usually, a power cycle on either end reestablishes the connection. 

 

 

Labels:
0 Kudos
11 Replies 11
Tony-Sydney-AU
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Sep 9 2024 5:29 PM
‎Sep 9 2024 5:29 PM

Hi @MarcW ,

 

Sounds like your non-Meraki peer is turning the tunnels off due to no activity.

 

Meraki devices send special DPD vpn packets to keep the tunnels alive when there's no traffic. However, not all VPN peers reply to DPD.

 

Therefore, the best way to keep site-to-site tunnels UP is generating interesting traffic - e.g.: a continuous ping from a host inside a local subnet into a destination at the other side.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
0 Kudos
RaphaelL
Kind of a big deal
Kind of a big deal
‎Sep 9 2024 7:28 PM
‎Sep 9 2024 7:28 PM

Hi ,

 

This is the 3rd time I'm seeing this. MarcW , Myself and https://community.meraki.com/t5/Security-SD-WAN/Traffic-not-getting-initiated-from-IKEv1-and-IKEv2-f...

 

Are you running MX 18.2 by any chances ?

In response to RaphaelL
MarcW
Here to help
‎Sep 10 2024 8:59 AM
‎Sep 10 2024 8:59 AM

4 of the 5 are due for the update.  Coordinating that change with my local admin as we speak. 

 

What we saw were UPLINK notices almost daily for a mix of MXs.  When I started looking for events, there were no fails.  When I called the local admin, he said he'd been using the reboot as a workaround to address the issue.  I was relieved that the MXs weren't "failing" several times a week - lol - but I had to then change my approach after identifying the real issue. 

 

After I update the firmware, we'll see if there are any latency/ packet drop accommodating settings to implement. 

0 Kudos
cmr
Kind of a big deal
Kind of a big deal
‎Sep 10 2024 7:19 AM
‎Sep 10 2024 7:19 AM

How about putting an MX at the other end? 😉

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
MarcW
Here to help
‎Sep 10 2024 8:48 AM
‎Sep 10 2024 8:48 AM

🙂 if only they were our direct client. 

MarcW
Here to help
‎Sep 12 2024 9:39 AM
‎Sep 12 2024 9:39 AM

Firmware updated - no joy

Continuous ping - no joy

 

At this point, with the same behavior across 8+ site to site connections to a single destination, dropping the same way (and possibly same happening to other businesses) and needing reboots every other day or so, I am going to conclude it is them, not us.  Thanks!!

0 Kudos
In response to MarcW
RaphaelL
Kind of a big deal
Kind of a big deal
‎Sep 12 2024 9:50 AM
‎Sep 12 2024 9:50 AM

What version were you running prior to the upgrade ?

0 Kudos
In response to RaphaelL
MarcW
Here to help
‎Sep 12 2024 10:12 AM
‎Sep 12 2024 10:12 AM

18.211

0 Kudos
In response to MarcW
RaphaelL
Kind of a big deal
Kind of a big deal
‎Sep 12 2024 10:29 AM
‎Sep 12 2024 10:29 AM

Great. So every one on MX 18.107 or 18.211 seems to be having the same issues. Somehow support doesn't know that it is affecting multiple clients. Curious.

0 Kudos
NetworkNetwork
New here
‎Jun 11 2025 11:35 AM
‎Jun 11 2025 11:35 AM

Non Meraki Peer To another Cisco

Used to be Intermittent drops a couple times a year

Now dropping daily

Only solved by rebooting the MX

All Meraki to Meraki tunnels are always happy, just the non Meraki peer drops

So far support not much help - recommended firmware, no change, currently on 18.107.12

Anyone find a solution? Or at least an automated way to bounce just the non Meraki VPN?

0 Kudos
Tony-Sydney-AU
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
‎Jun 11 2025 2:50 PM
‎Jun 11 2025 2:50 PM

Hi @NetworkNetwork , thanks for bringing this matter here.

 

If your tunnel is going down every day, it's usually a racing condition in either Phase-1 or Phase-2 negotiation and SA database; or DPD timers like I mentioned in my first reply.

 

In some edge cases, it might be related to packet loss in transit between peers.

 

I would recommend you check the time of day when it goes down and try to find a pattern.

 

In addition, run MTR with 20 cycles to that Cisco peer right after the the tunnel is down - before even trying to reestablish tunnel.

 

Doing MTR would tell you if there is some level of packet loss.

 

After identifying which hop has packet loss, check in a WHOIS tool to find if that hop is within your provider network or some other provider Autonomous System (AS).

 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.