Issues with comm from client VPN network to non-Meraki s2s peer

rabusiak
Getting noticed

Issues with comm from client VPN network to non-Meraki s2s peer

Hi Guys,

Maybe you will have idea what is wrong with my tunnel?

I have Meraki vMX in Azure. There is also Client VPN configured with subnet 10.10.10.0/24. All my Azure resources are in 10.3.0.0/16 subnet. Then I have ipsec tunnel to non-Meraki peer (some cisco ASA). For almost a year all was working fine, then suddenly I lost comm from client vpn network 10.10.10.0/24 to remote networks behind this non-Meraki peer. I did not change config, remote side neither.

Tunnel is up and I have no issues at all with comm from 10.3.0.0/16 to remote networks.
I'm in contact with Meraki support - they are saying "traffic from 10.10.10.0/24 is routed through tunnel correctly".
Support from remote site is saying "we don't see any traffic from 10.10.10.0/24 network going towards us through the tunnel and because of that SA between this network and our network is not building up".
Which makes sense as if they initiate traffic from their subnet to my 10.10.10.0/24 subnet SA is building up and we have comm for about an hour until its terminated:
Connection terminated for peer [my public ip]. Reason: IPSec SA Idle Timeout Remote Proxy [remote subnet], Local Proxy 10.10.10.0

Where is the issue and who is lying? ;D

3 Replies 3
JacoboLevy
Getting noticed

I have a Dumb question Are all the needed subnets on the allowed list on each Firewall site-to-site configuration? (you have Azure subnet 10.3.0.0/16, then your local subnet x.x.x.x and the Client VPN 10.10.10.0/24) you should have all those IPs on the allow on each point so they can accept that traffic.

rabusiak
Getting noticed

Yes, everything is added/allowed on Meraki side and support guys from other end gave me config dump from their ASA and it also looks just fine.

rabusiak
Getting noticed

Maybe client VPN network is now treated differently while passing it thorough tunnel? It's being NATed somehow? 

Get notified when there are additional replies to this discussion.