Loss of connectivity between 2 site to site vpn links

SimonReach

We're slowly moving all of our sites over to MX boxes and SDWAN, away from the much more expensive MPLS network, and we had a slight issue this morning with one of the sites.


We've got around 5 sites on the Site to Site VPN, configured as Hub, and there was a loss of connectivity between 2 of those sites. As an example, site 1 and site 2 lost connection with each other, but site 1 could talk to sites 3, 4, and 5, and site 2 could also talk to sites 3, 4, and 5. To resolve the issue, we rebooted the MX at site 2.


Any idea why this happened?

DarrenOC

Does your event log show anything for the time period where you lost connectivity?


What's the status of your site to site VPNs now:

Organization > Monitor > VPN Status

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

There are quite a few 'VPN Tunnel connectivity change' events that happened on Friday afternoon at 12:56pm. Lots of 'connectivity false' and then 'connectivity true' for the different sites, apart from the main site 1, which didn't come up until the restart this morning.


All sites are reporting fine now in the VPN Status.
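A small triage script for the kind of event log described above, added here as an example that is not part of the thread or of any Meraki tooling. It assumes a constructed one-line-per-event export in a "timestamp site VPN tunnel connectivity change peer=... connectivity=..." shape (the real dashboard export may differ) and reports which tunnels were left down and which flapped repeatedly.

```python
import re

# Constructed sample export as seen from site1's MX. This is an assumed
# format for illustration, not real Meraki dashboard output.
EVENT_LOG = """\
2023-06-09 12:56:02 site1 VPN tunnel connectivity change peer=site2 connectivity=false
2023-06-09 12:56:03 site1 VPN tunnel connectivity change peer=site3 connectivity=false
2023-06-09 12:56:10 site1 VPN tunnel connectivity change peer=site3 connectivity=true
2023-06-09 12:56:11 site1 VPN tunnel connectivity change peer=site4 connectivity=false
2023-06-09 12:56:15 site1 VPN tunnel connectivity change peer=site4 connectivity=true
2023-06-09 12:56:20 site1 VPN tunnel connectivity change peer=site2 connectivity=true
2023-06-09 12:56:25 site1 VPN tunnel connectivity change peer=site2 connectivity=false
2023-06-09 12:57:00 site1 VPN tunnel connectivity change peer=site5 connectivity=false
2023-06-09 12:57:04 site1 VPN tunnel connectivity change peer=site5 connectivity=true
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<site>\S+) VPN tunnel connectivity change "
    r"peer=(?P<peer>\S+) connectivity=(?P<state>true|false)$"
)


def parse_events(text):
    """Return (timestamp, site, peer, is_up) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["site"], m["peer"], m["state"] == "true"))
    return events


def tunnel_summary(events):
    """Per (site, peer) tunnel: transition count and the state of the latest event."""
    summary = {}
    # Sort by timestamp so an out-of-order export still yields the true final state.
    for ts, site, peer, up in sorted(events):
        entry = summary.setdefault((site, peer), {"flaps": 0, "up": None, "last_change": None})
        entry["flaps"] += 1
        entry["up"] = up
        entry["last_change"] = ts
    return summary


def stuck_down(summary):
    """Peers whose most recent event left the tunnel down: the ones to investigate first."""
    return sorted(peer for (_, peer), e in summary.items() if not e["up"])


def flapping(summary, threshold=3):
    """Peers with at least `threshold` transitions in the window, i.e. unstable tunnels."""
    return sorted(peer for (_, peer), e in summary.items() if e["flaps"] >= threshold)


if __name__ == "__main__":
    s = tunnel_summary(parse_events(EVENT_LOG))
    print("still down:", stuck_down(s))
    print("flapping:", flapping(s))
```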

Next time, while it's happening, run some pcaps on the Internet interface of the MXs at each end; see what traffic is being generated and received by each.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Packet_Capture_Overvi...


PhilipDAth

The most reliable way to deploy it is where the public IP address is directly on each MX.


If you put it behind something else (like an ISP router) that is doing NAT it usually works fairly well, but you are reliant on the NAT implementation on that device. You tend to experience more reliability issues with this kind of configuration.