Meraki

Craig_Tompkins · ‎Aug 2 2022

We have 40 networks each using site to site VPN. Of those 40, 2 are hubs (primary and DR datacenters). Because of some BGP complexity we have the other 38 sites doing site to site VPN to just 1 hub. If we ever fail to DR, I'll have to change the hub in use on the 38 spoke networks.

I have 1 network using a Z3 that is behind Comcast cable modem at the President's house. It works fine most of the time. Then all of a sudden we'll get alert that VPN is down and the status page says it's behind NAT Type Unfriendly. The fix is to either reboot the Z3 multiple times or if that does not fix it, we have to call Meraki and ask them to change to registry. Changing the registry always fixes the issue....once we can convince the tech to do so by showing them 3 - 5 past cases where this has fixed the problem.

If I add the DR site as a 2nd hub, it comes online. Because of the BGP routing mentioned above I don't keep the 2nd hub online, I just brought it online as a test.

Does anyone have any suggestions? It's getting very tiresome having to call Meraki twice a month to get the registry changed.

PhilipDAth · ‎Aug 2 2022

If you can get a static IP address, create a permanent port forward to the Z3 (configure manual NAT traversal in AutoVPN), and then it will be able to self-heal.

View solution in original post

PhilipDAth · ‎Aug 2 2022

If you can get a static IP address, create a permanent port forward to the Z3 (configure manual NAT traversal in AutoVPN), and then it will be able to self-heal.

Craig_Tompkins · ‎Aug 2 2022

Thanks for the info. Do we have to setup port forwarding on the cable modem? I notice if I change the radio button to Manual it asks for a port. How do we determine that? Or is it exactly that - I do port forwarding on the cable modem of a port that I pick, then tell the Meraki what that port is?

Assuming that's it, I assume I would not have to do a static IP, but SHOULD do a static IP because if the users home IP ever changed it would break. And to be clear I would try to do so, but don't know how fast Comcast will be in doing so.

PhilipDAth · ‎Aug 2 2022

>Do we have to setup port forwarding on the cable modem?

Yes.

>I notice if I change the radio button to Manual it asks for a port. How do we determine that?

It's the same as the port you choose to forward from the cable modem. You also have to enter the static IP address that the cable modem gets.

Craig_Tompkins · ‎Aug 2 2022

I fond my answer in the documentation and will give this a try. Putting that info here to help future Google searches and I'll update our results when we have them.

Manual: Port forwarding: If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, Meraki VPN peers contact the MX-Z device using the specified public IP address and UDP port number. You will need to configure the upstream firewall to forward all incoming traffic on that UDP port to the IP address of the MX-Z device.
Make sure the port number you have chosen is not already used by another service. For example, do not use port 500 or 4500 as these are used for Client VPN and 3rd party VPN peer communication.

Craig_Tompkins · ‎Aug 8 2022

As a followup - We did the port forwarding of port 55555 on the cable modem and then assigned that on the Manual NAT Traslation on the Meraki and it's working. Of note, Comcast would not let us sign up for a static IP, so we do understand that should the public IP of the cable modem change, this location will go down and we'll have to update the Manual settings.

Meraki

Community

Intermittent NAT type unfriendly

Intermittent NAT type unfriendly