MX 95 to ASAv Site to Site

hoss82


I am working with a client that has Meraki MXs at each of their 5 sites and each site has a S2S back to our datacenter. Every site seems to be functioning fine except for their main site. The tunnel went down earlier today and came back up but all subnets weren't reachable and I had to initiate traffic from the servers at the datacenter to bring the SAs back up. All the sites are configured the same for VPN tunnels. Phase 1 we are using IKEv1, 3DES, SHA1 and Phase 2 we are using AES256 SHA1 no PFS on both sides. We are also using a lifetime of 28800 on both sides. We have confirmed both sides match. I have seen in some Meraki forums that Meraki had to disable NAT-T on the backend and lifetimes also had to be adjusted. The Meraki is running 18.211.2 and the ASAv is running 9.12.4.67. I am not sure where to go next and just want to put this issues to bed. Any help would be greatly appreciated.
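
As an added example (not from the original post, nor from Meraki or Cisco documentation), this is how the Phase 1 and Phase 2 parameters described above map onto an ASA 9.12 IKEv1 crypto-map configuration. The interface name, crypto map and ACL names, the protected subnets and PEER_IP are placeholders; the thread does not state the Diffie-Hellman group, so group 2 is an assumption, as is the DPD timer.

```text
! --- Phase 1 (IKEv1): 3DES / SHA-1 / 28800 s, pre-shared key ---
! DH group is not given in the thread; group 2 is an assumption.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
! --- Phase 2: AES-256 / SHA-1, no PFS, 28800 s ---
! MX-MAIN-* names, subnets and PEER_IP (the MX WAN address, 50.x.x.x in the post) are placeholders.
! One ACE per local/remote subnet pair; each ACE negotiates its own Phase 2 SA.
access-list MX-MAIN-ACL extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list MX-MAIN-ACL extended permit ip 10.20.0.0 255.255.0.0 192.168.50.0 255.255.255.0
crypto ipsec ikev1 transform-set MX-MAIN-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address MX-MAIN-ACL
crypto map OUTSIDE-MAP 10 set peer PEER_IP
crypto map OUTSIDE-MAP 10 set ikev1 transform-set MX-MAIN-TS
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 28800
! Deliberately no "set pfs": both peers run without PFS, so adding it here would break Phase 2.
crypto map OUTSIDE-MAP interface outside
!
tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
 ! DPD timers (seconds); assumed values. A %ASA-3-713123 is this keepalive declaring the peer dead.
 isakmp keepalive threshold 10 retry 2
```

Two things worth checking against this shape. First, with a crypto map the ASA builds a separate Phase 2 SA per ACE and only when traffic matches that ACE (or the MX proposes it), so after an IKE SA is torn down by DPD, a subnet whose ACE has not yet been hit stays unreachable until something sends traffic; that matches the symptom of having to initiate traffic from the datacenter. `show crypto ikev1 sa detail`, `show crypto ipsec sa peer PEER_IP` and `show vpn-sessiondb detail l2l` show which SAs exist, and `clear crypto ikev1 sa PEER_IP` forces a clean renegotiation. Second, 3DES and SHA-1 in Phase 1 are legacy choices; both MX 18 and ASA 9.12 support IKEv2 with AES-256, SHA-256 and DH group 14 or higher, which is what a new tunnel should use.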

alemabrahao

Check it out.


https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Cisco_ASA_Site-to-site_VPN_Setup

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Mloraditch

So all 5 sites had their tunnels go down today, and none came back up on their own until you initiated traffic from the datacenter to each site to bring the tunnels back up?

Now that things are working it's going to be hard to know for certain what happened. Do you know why the tunnels went down? ISP outage? Something else?

I would recommend updating both device types. 18.211.5 for MX has several fixes for VPN-related issues, and ASA 9.12 has not been getting maintenance fixes for over a year. https://www.cisco.com/c/en/us/products/collateral/security/asa-firepower-services/adaptive-security-...

From a future planning perspective, in the long term, I'd recommend getting an MX in concentrator mode for your datacenter. It will vastly simplify things in these sorts of scenarios.


If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
hoss82

No, just the one main site from the ASAv to the MX95 goes down. I was just stating they have 5 sites and only one goes down. Below is the message from the ASA.


Feb 28 2025 07:47:22: %ASA-3-713123: Group = 50.x.x.x, IP = 50.x.x.x, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

I did find this forum post from a few years ago saying they were having issues between different vendors, and it was a combination of lifetime settings and disabling NAT-T.
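
As an added example (not from the thread), the following Python sorts the kind of ASA syslog shown above into per-peer DPD events and checks whether the losses line up with the 28800-second SA lifetime. A peer whose DPD-triggered deletions land roughly one lifetime apart points at a rekey problem rather than a flaky link, which is the distinction the posts above are trying to make. The log lines are constructed for the example: the %ASA-3-713123 text is the one quoted in the thread, the peer addresses are documentation-range placeholders, and the other message IDs are included only to show that unrelated lines are skipped.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, ASA syslog format. 713123 is the DPD-loss message quoted in the
# thread; 713120 (Phase 2 completed) and 302015 (UDP connection built) are there to be skipped.
SAMPLE_LOG = """\
Feb 28 2025 07:47:22: %ASA-3-713123: Group = 198.51.100.10, IP = 198.51.100.10, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Feb 28 2025 07:49:05: %ASA-6-713120: Group = 198.51.100.10, IP = 198.51.100.10, PHASE 2 COMPLETED (msgid=1a2b3c4d)
Feb 28 2025 08:00:00: %ASA-6-302015: Built outbound UDP connection 12345 for outside:198.51.100.10/500 (198.51.100.10/500) to identity:192.0.2.1/500 (192.0.2.1/500)
Feb 28 2025 10:05:17: %ASA-3-713123: Group = 203.0.113.7, IP = 203.0.113.7, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Feb 28 2025 10:05:59: %ASA-6-713120: Group = 203.0.113.7, IP = 203.0.113.7, PHASE 2 COMPLETED (msgid=5e6f7a8b)
Feb 28 2025 15:47:30: %ASA-3-713123: Group = 198.51.100.10, IP = 198.51.100.10, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Feb 28 2025 23:47:41: %ASA-3-713123: Group = 198.51.100.10, IP = 198.51.100.10, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
"""

# Only IKE messages carry the "Group = ..., IP = ..." prefix; everything else fails to match.
IKE_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<text>.*)$"
)
DPD_LOSS_MSGID = "713123"


def parse_ike_events(log_text):
    """Parse IKE syslog lines into dicts with timestamp, message id, peer IP and text."""
    events = []
    for line in log_text.splitlines():
        m = IKE_LINE_RE.match(line)
        if not m:
            continue  # not an IKE line (or not in the expected format)
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "msgid": m["msgid"],
            "peer": m["ip"],
            "text": m["text"],
        })
    return events


def dpd_losses_by_peer(events):
    """Map each peer IP to the sorted timestamps of its DPD-triggered SA deletions."""
    losses = defaultdict(list)
    for ev in events:
        if ev["msgid"] == DPD_LOSS_MSGID and "keepalive type: DPD" in ev["text"]:
            losses[ev["peer"]].append(ev["ts"])
    return {peer: sorted(stamps) for peer, stamps in losses.items()}


def flapping_peers(events, min_losses=2):
    """Peers that lost DPD contact at least min_losses times in the log."""
    return sorted(p for p, stamps in dpd_losses_by_peer(events).items() if len(stamps) >= min_losses)


def losses_near_lifetime(events, lifetime_s=28800, tolerance_s=300):
    """Return {peer: [gap_seconds, ...]} for consecutive DPD losses spaced within
    tolerance_s of the configured SA lifetime. Losses on the rekey boundary suggest a
    lifetime/rekey mismatch rather than an ISP drop."""
    hits = {}
    for peer, stamps in dpd_losses_by_peer(events).items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        near = [g for g in gaps if abs(g - lifetime_s) <= tolerance_s]
        if near:
            hits[peer] = near
    return hits


if __name__ == "__main__":
    evs = parse_ike_events(SAMPLE_LOG)
    print("flapping peers:", flapping_peers(evs))
    print("losses near lifetime:", losses_near_lifetime(evs))
```

Feed it `show logging` output or a syslog export filtered to the ASA; a peer that shows up in `losses_near_lifetime` is the one to compare lifetimes and rekey behaviour on, while a peer with irregular gaps is more consistent with the ISP explanation raised later in the thread.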
Mloraditch

If it's a single site, that sort of weird "it works and sometimes doesn't" issue can sometimes be ISP related. I usually see it on coax services. I've had to reboot modems at times for Comcast, Spectrum, and maybe others, and there is not much you can do to prevent it.

As to alternative configs that might help, perhaps open a TAC and Meraki support case and ask them to collab on it if no one else is able to provide any specific suggestion. The settings you are mentioning are definitely tweaks I've seen and heard of, I just don't deal with it frequently enough to have a specific idea.
