IPsec NAT-T stopped working after upgrading to 19.2.7

IT-Infra
Just browsing

Hi there,

after upgrading to 19.2.7, one of our MXs, which is behind the ISP's NAT, stopped connecting to a 3rd-party IPsec VPN (2 Cisco ISR 4331s connected to different ISPs). ISR debug showed that phase 1 came up as well as phase 2, but the MX sent a DELETE request immediately afterwards:

.Feb 25 10:00:41.854: IKEv2:(SESSION ID = 159143,SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
.Feb 25 10:00:41.855: IKEv2:(SESSION ID = 159143,SA ID = 3):Session with IKE ID PAIR (192.168.15.150, b.b.b.b) is UP
.Feb 25 10:00:41.855: IKEv2:(SESSION ID = 159143,SA ID = 3):Load IPSEC key material
.Feb 25 10:00:41.867: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
.Feb 25 10:00:41.869: IKEv2:(SESSION ID = 159143,SA ID = 3):Checking for duplicate IKEv2 SA
.Feb 25 10:00:41.870: IKEv2:(SESSION ID = 159143,SA ID = 3):No duplicate IKEv2 SA found
.Feb 25 10:00:41.870: IKEv2:(SESSION ID = 159143,SA ID = 3):Starting timer (8 sec) to delete negotiation context

.Feb 25 10:00:41.909: IKEv2:(SESSION ID = 159143,SA ID = 3):Received Packet [From a.a.a.a:49046/To b.b.b.b:4500/VRF i0:f0]
Initiator SPI : C4C9AF3132F5CF14 - Responder SPI : 0B717D003BAAC05E Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE

.Feb 25 10:00:41.910: IKEv2:(SESSION ID = 159143,SA ID = 3):Building packet for encryption.
Payload contents:
DELETE

.Feb 25 10:00:41.911: IKEv2:(SESSION ID = 159143,SA ID = 3):Sending Packet [To a.a.a.a:49046/From b.b.b.b:4500/VRF i0:f0]
Initiator SPI : C4C9AF3132F5CF14 - Responder SPI : 0B717D003BAAC05E Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

.Feb 25 10:00:41.912: IKEv2:(SESSION ID = 159143,SA ID = 3):Process delete request from peer
.Feb 25 10:00:41.912: IKEv2:(SESSION ID = 159143,SA ID = 3):Processing DELETE INFO message for IPsec SA [SPI: 0xC315EF2A]
.Feb 25 10:00:41.912: IKEv2:(SESSION ID = 159143,SA ID = 3):Check for existing active SA
.Feb 25 10:00:41.913: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down

a.a.a.a is the MX's external (translated) IP, b.b.b.b is the ISR's IP.
After we reverted the firmware to 19.11.1, the tunnels established without any problem. Other MXs, which aren't behind NAT, don't have that problem; that's why I think it's related to NAT-T.

Best regards,
Vladimir
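Added example (not from the post, and not Meraki or Cisco code): a small Python checker that walks IOS IKEv2 debug output like the one above and flags sessions where the IPsec SA was deleted within seconds of the IKE session coming UP, and records whether the IKE traffic for that session arrived on UDP 4500 (the NAT-T port). The sample lines are constructed from the debug in the post; the second session, the 5-second threshold and the field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modeled on the IOS IKEv2 debug quoted in the post
# (same session ID and placeholder addresses; the second session is invented
# as a healthy control that must not be flagged).
SAMPLE_LOG = """\
.Feb 25 10:00:41.854: IKEv2:(SESSION ID = 159143,SA ID = 3):IKEV2 SA created; inserting SA into database. SA lifetime timer (28800 sec) started
.Feb 25 10:00:41.855: IKEv2:(SESSION ID = 159143,SA ID = 3):Session with IKE ID PAIR (192.168.15.150, b.b.b.b) is UP
.Feb 25 10:00:41.855: IKEv2:(SESSION ID = 159143,SA ID = 3):Load IPSEC key material
.Feb 25 10:00:41.909: IKEv2:(SESSION ID = 159143,SA ID = 3):Received Packet [From a.a.a.a:49046/To b.b.b.b:4500/VRF i0:f0]
.Feb 25 10:00:41.912: IKEv2:(SESSION ID = 159143,SA ID = 3):Processing DELETE INFO message for IPsec SA [SPI: 0xC315EF2A]
.Feb 25 10:05:00.100: IKEv2:(SESSION ID = 159200,SA ID = 4):Session with IKE ID PAIR (192.168.15.151, b.b.b.b) is UP
"""

# One IOS debug line: optional leading '.', "Mon DD HH:MM:SS.mmm: IKEv2:(SESSION ID = n,SA ID = m):message"
LINE_RE = re.compile(
    r"^\.?(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d\.\d+): "
    r"IKEv2:\(SESSION ID = (?P<sid>\d+),SA ID = \d+\):(?P<msg>.*)$"
)

def flap_report(log_text, max_gap_s=5.0):
    # Returns {session_id: {...}} for sessions whose IPsec SA was deleted within
    # max_gap_s of the IKE session coming UP (negotiate-then-tear-down pattern).
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IKEv2 session line (e.g. %LINEPROTO or payload dump)
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")
        s = sessions.setdefault(m["sid"], {"up": None, "delete": None, "port": None, "peer": None})
        msg = m["msg"]
        if "is UP" in msg:
            s["up"] = ts
            peer = re.search(r"IKE ID PAIR \(([^,]+), ([^)]+)\)", msg)
            s["peer"] = peer.group(1) if peer else None
        elif "Processing DELETE INFO message for IPsec SA" in msg and s["delete"] is None:
            s["delete"] = ts  # first child-SA delete after the session came up
        elif "Received Packet" in msg:
            port = re.search(r"/To [^:/]+:(\d+)/", msg)  # local port the IKE packet hit
            s["port"] = int(port.group(1)) if port else None
    report = {}
    for sid, s in sessions.items():
        if s["up"] and s["delete"]:
            gap = (s["delete"] - s["up"]).total_seconds()
            if 0 <= gap <= max_gap_s:
                report[sid] = {"peer_id": s["peer"], "gap_s": round(gap, 3), "nat_t": s["port"] == 4500}
    return report
```

A flagged session with nat_t set to True is the signature to compare between the affected (NAT'd) MX and the healthy ones before raising the case.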
alemabrahao
Kind of a big deal

I suggest you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
PhilipDAth
Kind of a big deal

I recall that some older cryptos were deprecated.
Make sure you aren't using something old like DES, 3DES, SHA1, MD5, etc.

IT-Infra
Just browsing

Hi Philip,

Of course I've checked that. Everything was OK with the proposals, which means the crypto settings matched on both sides; otherwise I would get a kind of "no proposal chosen" error.


Best regards,

Vladimir