Meraki

Community

MX Non-Meraki VPN Shows Down but is Working

Solved
DMaher803
Conversationalist
‎Jan 21 2021 9:51 AM
‎Jan 21 2021 9:51 AM

MX Non-Meraki VPN Shows Down but is Working

Hello everyone!

 

This may sound weird, but I have a site-to-site VPN with a Fortigate firewall that my ISP manages, and the logs and status screen show the VPN as disconnected but it's passing traffic just fine both ways. If I were to believe the MX event log then it never passes phase 1 negotiations, but my ISP said their Fortigate shows it's connected, and like I said it's passing traffic fine and not dropping. Is there something misconfigured that could cause this issue? I mean, it's working so that's good. My concern is that the logs are filled to the brim with "msg: phase1 negotiation failed due to time up" but if it's passing traffic I would assume that's incorrect and I'm a little concerned it might break in the future. I'm just curious if anyone here has seen this or know what might cause it? Thank you for your time!

0 Kudos
1 Accepted Solution
Bruce
Kind of a big deal
‎Jan 21 2021 11:58 AM
‎Jan 21 2021 11:58 AM

That seems odd. If the MX is reporting that the setup of the VPN didn’t succeed then I’d tend to think that it didn’t succeed. I’d want to do a packet capture on the WAN side of the MX to confirm my packets were being encrypted and not sent in the clear (they may just be being NATed).

 

If it really is being encrypted then I’d open a ticket with support.

View solution in original post

4 Replies 4
Bruce
Kind of a big deal
‎Jan 21 2021 11:58 AM
‎Jan 21 2021 11:58 AM

That seems odd. If the MX is reporting that the setup of the VPN didn’t succeed then I’d tend to think that it didn’t succeed. I’d want to do a packet capture on the WAN side of the MX to confirm my packets were being encrypted and not sent in the clear (they may just be being NATed).

 

If it really is being encrypted then I’d open a ticket with support.

In response to Bruce
oldroo
Getting noticed
‎Jan 21 2021 4:37 PM
‎Jan 21 2021 4:37 PM

have you tried clearing the security associations on both ends.

 

I have seen this before in cross vendor environments, where one end still thinks the VPN is active and the other end doesnt.

In response to Bruce
DMaher803
Conversationalist
‎Jan 22 2021 12:30 PM
‎Jan 22 2021 12:30 PM

Good idea. I'll go ahead and do that.

0 Kudos
In response to Bruce
DMaher803
Conversationalist
‎Jan 22 2021 1:35 PM
‎Jan 22 2021 1:35 PM

I'm seeing a lot of ESP and ISAKMP traffic on the WAN side and when I capture on the LAN side it shows as encrypted. I'm going to open a ticket. Thanks for your help!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.