IPSEC on MX unreliable?

CGRE
Here to help

We've a number of different types of MXs under management. From what we've seen, IPSEC on the MX is not that reliable: it can often drop out and seems to need a constant traffic flow, otherwise it will drop IPSEC tunnels. Has anyone else experienced this and managed to resolve it?

PhilipDAth
Kind of a big deal

AutoVPN is rock solid.

Non-Meraki IPSec VPN is not as good. On the whole, I have found it reliable, but to some different brands, it just doesn't work as well.

Completely agree, using AutoVPN with Meraki kit is rock solid, no issues at all. It's the non-Meraki VPN, aka regular IPSEC, which seems to be very flaky for some reason. We have tried with different vendors (and ironically most vendor kit we have is actually Cisco routers and ASAs); they seem to drop for no real reason when AutoVPN is happy and continues to work (so it doesn't point to circuit issues etc.).

I can feel a make a wish coming on.

JimmyM
Getting noticed

Hi CGRE.

Personally, I come from a Fortigate/Sonicwall experience.

Before 2021 all my customers were on Fortigate.

I tried Meraki products at my home office for a couple of months. Since I deploy 75% Meraki and 25% Fortinet.

I have a lot of site-to-site VPNs, IKEv1 and v2, between Fortigate, Sonicwall and Azure.

On my site I never saw any issue.

Can you describe your environment?

Regards,

Hi,

This is all mainly Cisco ASAs running IKEv1 and v2 to an MX. It can be physical or vMX; we seem to get the same issues. Tunnels will drop out for no apparent reason and stop working, and they need a lot of intervention to get them going again, it seems. This has been on IKE v1 and v2 and to different ASAs, different IOS versions etc.

We don't use Fortinet kit so can't comment on those.

CGRE
Here to help

OK, on doing some more work on this, it appears the MX IPSEC tunnels do not like it if they don't have constant traffic. Not sure what the timeout is, but if they have no traffic passing, the tunnel drops and you need a ping or something similar to get the tunnel up and working again; they don't stay up on their own. We're seeing this on multiple MX models in different customer estates.

Does anyone know what the timeout is for the IPSEC drop out?
