MX 16.15 - IPSEC issues

888network
Just browsing

Hello community 🙂

I had an incident this weekend after one of my sites with an MX250 got upgraded to MX 16.15. IPsec with non-Meraki peers (in my case Palo Alto) was no longer working. I downgraded to the previous version and connectivity was restored.

Looking at the 16.15 change log and known issues there is no mention about the problem I encountered.

Just want to know if anyone else hit this bug and if Meraki is aware?

Ryan_Miles
Meraki Employee

What was the previous version?

MX 15.44. Not sure if it matters, but I'm running an Active/Spare configuration at that site and the peer IP on the other side was set to the virtual IP of the Meraki MX250.

PhilipDAth
Kind of a big deal

I ran into a similar issue where after the upgrade it broke client VPN (which uses the same IPsec sub-system). In my case, I figured out it was related to NO-NAT being used. When I turned this feature off it worked; when turned on it did not.

Are you using NO-NAT mode by chance?

PS. 16.14 was the prior version for me.

I don't see any NO-NAT mode available for configuration. It is running in Routed mode.

AlexP
Meraki Employee

Do you happen to be using VRRP? If so, an issue was reported last week involving the IPsec process not functioning properly after a failover, and sometimes on startup as well.

If so, we already have a patch for it in internal testing, but in the meantime, the scope of the issue has been confirmed to not impact 16.11 if you still want to use any functionality in the new release track.

PhilipDAth
Kind of a big deal

>Do you happen to be using VRRP?

In my case, yes. It is a warm spare pair.

Interesting that you bring up it breaking Client VPN, because that was not part of our scope on the issue I described (although you're correct that they share the same internal process).

ww
Kind of a big deal

Why is there no full bug/known issues list for the public?

AlexP
Meraki Employee

Much though I would like to, it's not my place to comment on this unfortunately.

Yes, warm spare pair.

uetkecherson
New here

We are seeing the same. Last night our two MXs upgraded from 15.43 to 16.15, and all VPN connectivity to non-Meraki peers (both Fortinet and Cisco ASA) refused to come up. We're using IKEv1 and supported algorithms. We attempted rebooting the appliances, as well as manually renegotiating the VPN on the remote end; nothing worked so we ultimately rolled back to 15.43. I called support this morning and the rep was unaware of any widespread issues.

ShariqM
New here

Any answers to this issue? Sadly my company went through the same situation where the MX device upgraded to 16.15. Had to downgrade to get my connections working again. Nothing is worse than when it happens during deadlines for teams and they aren't able to access the resources they need. Spoke to a rep while I still had the 16.15 version installed; they mentioned it wasn't on their end and it was on the client's end. That didn't make sense one bit, as it was working perfectly fine with the 15.43 version. Hoping someone can shed some light on this new version, as I am skeptical about moving up to the 16.0 code at the start of next year.

AlexP
Meraki Employee

FWIW, there have been no significant changes to the IPsec process between 15 and 16, so there's not likely much else anyone will be able to provide without some evidence as to what was going on, and a Support case is needed for that.

marco_mendonca
Comes here often

Hello 888network,

I had the same issue and I solved it by performing the following:

Under Security & SD-WAN > Configure > Site-to-Site VPN

- Go to VPN settings

  1. Find the local networks you want to export (encrypt) through the tunnel
  2. Set the VPN mode to Disable > Save
  3. Set the VPN mode to Enable > Save

This should trigger the traffic flow and the tunnel should come up.

Regards,

Marco
