Issues with comm from client VPN network to non-Meraki s2s peer


Hi Guys,

Maybe you will have idea what is wrong with my tunnel?

I have a Meraki vMX in Azure. There is also Client VPN configured with subnet All my Azure resources are in subnet. Then I have an IPsec tunnel to a non-Meraki peer (some Cisco ASA). For almost a year all was working fine, then suddenly I lost comm from the client VPN network to the remote networks behind this non-Meraki peer. I did not change the config, and neither did the remote side.

The tunnel is up and I have no issues at all with comm from to remote networks.
I'm in contact with Meraki support - they are saying "traffic from is routed through the tunnel correctly".
Support from the remote site is saying "we don't see any traffic from network going towards us through the tunnel, and because of that the SA between this network and our network is not building up".
Which makes sense, as if they initiate traffic from their subnet to my subnet the SA is building up and we have comm for about an hour until it's terminated:
Connection terminated for peer [my public ip]. Reason: IPSec SA Idle Timeout Remote Proxy [remote subnet], Local Proxy

Where is the issue and who is lying? ;D


I have a dumb question: are all the needed subnets on the allowed list in each firewall's site-to-site configuration? (You have the Azure subnet, then your local subnet x.x.x.x, and the Client VPN; you should have all those IPs allowed on each end so they can accept that traffic.)

Yes, everything is added/allowed on the Meraki side, and the support guys from the other end gave me a config dump from their ASA and it also looks just fine.
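The reply above asks whether every subnet pair is listed on both ends, and the poster says both configs "look just fine". With a policy-based tunnel, the part that is easy to miss is that each side's selectors are written from its own point of view, so the ASA's crypto ACL has to be mirrored before it can be compared with the vMX's local/remote lists. The script below is an added example, not code from the thread or from Meraki or Cisco; it takes both selector lists as plain CIDR strings (the addresses are constructed placeholders, not the poster's real subnets) and reports any (local, remote) pair that one side expects and the other does not list, which is exactly the condition that leaves the Client VPN pool without an SA while the Azure subnet keeps working.

```python
import ipaddress
from itertools import product


def net(cidr):
    """Parse a CIDR string into a network object (host bits are masked off)."""
    return ipaddress.ip_network(cidr, strict=False)


def meraki_selectors(local_nets, remote_nets):
    """Policy-based IPsec negotiates one SA per (local, remote) subnet pair,
    so the selector set is the cross product of the two lists."""
    return {(net(l), net(r)) for l, r in product(local_nets, remote_nets)}


def asa_selectors_from_meraki_view(crypto_acl):
    """A crypto ACL is written from the ASA's side as (asa_local, asa_remote);
    flip each entry so it can be compared with the Meraki list."""
    return {(net(asa_remote), net(asa_local)) for asa_local, asa_remote in crypto_acl}


def find_gaps(meraki, asa):
    """Return selector pairs each side expects but the other does not list.

    Each gap also carries any wider entries on the other side that contain it,
    because an exact-match mismatch can still fail negotiation even when a
    broader entry overlaps the traffic."""

    def gaps(have, other):
        out = []
        for l, r in sorted(have - other, key=lambda p: (str(p[0]), str(p[1]))):
            wider = sorted(
                (ol, orr) for ol, orr in other
                if l.subnet_of(ol) and r.subnet_of(orr)
            )
            out.append(((l, r), wider))
        return out

    return {
        "missing_on_asa": gaps(meraki, asa),
        "missing_on_meraki": gaps(asa, meraki),
    }


# Constructed sample values (assumptions for the demo, not the poster's addressing).
VMX_LOCAL = ["10.10.0.0/16", "10.20.0.0/24"]      # Azure subnet and Client VPN pool
VMX_REMOTE = ["192.168.100.0/24"]                 # subnet behind the ASA
ASA_CRYPTO_ACL = [("192.168.100.0/24", "10.10.0.0/16")]  # Client VPN pool absent


def sample_report():
    """Run the comparison on the constructed sample configuration."""
    return find_gaps(
        meraki_selectors(VMX_LOCAL, VMX_REMOTE),
        asa_selectors_from_meraki_view(ASA_CRYPTO_ACL),
    )


if __name__ == "__main__":
    for side, pairs in sample_report().items():
        for (local, remote), wider in pairs:
            note = f" (contained in wider entry {wider})" if wider else ""
            print(f"{side}: {local} -> {remote}{note}")
```

On the sample data the script reports that the ASA has no entry for the Client VPN pool towards its LAN, while the Azure subnet pair is present on both sides; that is the same symptom as in the thread, where one proxy pair works and the other never builds an SA. Feeding it the real lists from the dashboard and the ASA config dump is the quickest way to settle which side is missing a pair without anyone having to eyeball two differently oriented lists.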


Maybe the client VPN network is now treated differently while passing through the tunnel? Is it being NATed somehow?
