[Help] Alert - appliance - VPN connectivity changed

e39_540i
Getting noticed


Can anyone help me understand what's going on here? Yesterday, we received over 300+ emails regarding our site-to-site VPN connectivity. I looked at all of our networks and only found one whose ISP might have been experiencing some packet loss but I couldn't find anything conclusive. Naturally, these alerts bring about cause for concern but I'm not well-versed enough in networking to understand and explain the root cause.

 

We have 4 offices across the US and a vMX in AWS. Two offices have MX64Ws and two have MX84s. In looking at the event log for my office, I see the following (I've removed IP addresses)

 

Dec 4 11:13:33 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500] spi=888265128(0x34f1d9a8)
Dec 4 11:13:33 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport x.x.x.x[4500]->x.x.x.x[4500] spi=206994847(0xc567d9f)
Dec 4 10:59:36 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport x.x.x.x[4500]->6.1.0.0[4500] spi=3964283478(0xec4a2a56)
Dec 4 10:59:35 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport 6.1.0.0[4500]->x.x.x.x[4500] spi=234977461(0xe0178b5)
Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: unknown Informational exchange received.
Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->6.1.0.0[4500] spi=1005843818(0x3bf3f56a)
Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport x.x.x.x[4500]->6.1.0.0[4500] spi=29252204(0x1be5a6c)
Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established x.x.x.x[4500]-6.1.0.0[4500] spi:19289d9b7b15ae4a:865153a03b9cd61e
Dec 4 10:55:20 Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Dec 4 10:55:20 Non-Meraki / Client VPN negotiation msg: invalid DH group 20.
Dec 4 10:55:20 Non-Meraki / Client VPN negotiation msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Dec 4 10:47:36 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport 6.1.0.1[4500]->x.x.x.x[4500] spi=264265771(0xfc0602b)
Dec 4 10:47:35 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport x.x.x.x[4500]->6.1.0.0[4500] spi=3964283478(0xec4a2a56)

 

The IP addresses were my public and what I can only assume is the next hop to the carrier (same county, different city). The "expired" messages are concerning but realistically, there's no discernible impact to any of the interconnected offices when these alerts are firing off.

 

I'd appreciate any help and insight anyone can provide. Is there maybe a parameter we can increase if this is a timeout/heartbeat issue? These alerts may be causing undue stress.

 

Thanks in advance.

2 Replies
PhilipDAth
Kind of a big deal

It doesn't look like a problem to me. All SAs have a lifetime. The SA expired and appears to have built a new replacement SA.

 

The bit I'm not understanding is why you are suddenly getting emails about it.

 

Perhaps the time to re-establish the VPN was taking longer than it should. Perhaps there was a Meraki hiccup and it produced a whole lot of false warnings.
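
Added example, not part of either poster's reply and not Meraki code: a small Python check that separates routine rekeys (a replacement SA is up before the old one expires) from real gaps (the last SA to a peer expires and nothing replaces it until later). The log lines are constructed in the format quoted in the question; treating both directions between two endpoints as one tunnel and using a placeholder year are assumptions of this sketch.

```python
import re
from datetime import datetime

# Constructed sample in the event-log format quoted above (newest first).
# Addresses are documentation ranges and the SPIs are made up.
SAMPLE_LOG = """\
Dec 4 11:40:02 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 192.0.2.10[4500]->203.0.113.9[4500] spi=700(0x2bc)
Dec 4 11:13:33 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport 192.0.2.10[4500]->203.0.113.9[4500] spi=600(0x258)
Dec 4 10:59:36 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport 192.0.2.10[4500]->198.51.100.7[4500] spi=100(0x64)
Dec 4 10:59:35 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Transport 198.51.100.7[4500]->192.0.2.10[4500] spi=101(0x65)
Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 192.0.2.10[4500]->198.51.100.7[4500] spi=200(0xc8)
Dec 4 10:55:21 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 192.0.2.10[4500]->198.51.100.7[4500] spi=201(0xc9)
Dec 4 10:05:00 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 192.0.2.10[4500]->203.0.113.9[4500] spi=600(0x258)
Dec 4 10:00:00 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 192.0.2.10[4500]->198.51.100.7[4500] spi=100(0x64)
Dec 4 10:00:00 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Transport 192.0.2.10[4500]->198.51.100.7[4500] spi=101(0x65)
"""

LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) .*?IPsec-SA (established|expired): \S+ "
    r"([\d.]+)\[\d+\]->([\d.]+)\[\d+\] spi=(\d+)")

def parse(log):
    """Return (time, kind, endpoint pair, spi) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            # The log carries no year; 2000 is a placeholder (assumption).
            ts = datetime.strptime("2000 " + m[1], "%Y %b %d %H:%M:%S")
            peers = tuple(sorted((m[3], m[4])))  # both directions = one tunnel
            events.append((ts, m[2], peers, int(m[5])))
    # Same-second ties: handle "established" first so a rekey is not a gap.
    events.sort(key=lambda e: (e[0], e[1] != "established"))
    return events

def find_gaps(log):
    """List (endpoint pair, seconds) for periods with no live IPsec SA."""
    live, down, gaps = {}, {}, []
    for ts, kind, peers, spi in parse(log):
        spis = live.setdefault(peers, set())
        if kind == "established":
            if peers in down:  # tunnel was without any SA until now
                gaps.append((peers, (ts - down.pop(peers)).total_seconds()))
            spis.add(spi)
        elif spi in spis:  # ignore expiries of SAs set up before the excerpt
            spis.discard(spi)
            if not spis:
                down[peers] = ts
    return gaps
```

On the constructed sample, the 198.51.100.7 tunnel rekeys at 10:55:21 before the old SAs expire and yields no gap, while the 203.0.113.9 tunnel has no SA from 11:13:33 until 11:40:02.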

e39_540i
Getting noticed

From the VPN Status page, right around the time this was happening between the two offices. However, the peer that is listed isn't one of the two offices that fired off the alerts.

[Image: 1204_11-58-22AM.png]
