MX Non-Meraki VPN Shows Down but is Working

Solved
DMaher803
Conversationalist

Hello everyone!

This may sound weird, but I have a site-to-site VPN with a Fortigate firewall that my ISP manages, and the logs and status screen show the VPN as disconnected but it's passing traffic just fine both ways. If I were to believe the MX event log then it never passes phase 1 negotiations, but my ISP said their Fortigate shows it's connected, and like I said it's passing traffic fine and not dropping. Is there something misconfigured that could cause this issue? I mean, it's working so that's good. My concern is that the logs are filled to the brim with "msg: phase1 negotiation failed due to time up", but if it's passing traffic I would assume that's incorrect, and I'm a little concerned it might break in the future. I'm just curious if anyone here has seen this or knows what might cause it? Thank you for your time!

1 Accepted Solution
Bruce
Kind of a big deal

That seems odd. If the MX is reporting that the setup of the VPN didn't succeed then I'd tend to think that it didn't succeed. I'd want to do a packet capture on the WAN side of the MX to confirm my packets were being encrypted and not sent in the clear (they may just be being NATed).

If it really is being encrypted then I'd open a ticket with support.
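One way to check what Bruce describes, as an added example that is not from this thread or from Meraki: classify the raw IPv4 packets from a WAN-side capture into ESP, IKE/ISAKMP (including NAT-T on UDP/4500), and traffic addressed to the remote LAN that shows up outside ESP, which is what a NATed-in-the-clear path would look like. The peer address, remote subnet, MX WAN address and the sample packets are all constructed assumptions; a real capture would be fed in as raw IPv4 bytes from a pcap reader.

```python
import struct
import ipaddress
from collections import Counter

# Assumed for this example (not from the thread): the Fortigate's public address and the remote LAN behind it.
PEER = ipaddress.IPv4Address("203.0.113.10")
REMOTE_LAN = ipaddress.IPv4Network("10.20.0.0/16")

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet captured on the MX WAN interface."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    if proto == 50 and PEER in (src, dst):
        return "esp"                     # encrypted tunnel payload (IP protocol 50)
    if proto == 17 and PEER in (src, dst):
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if 500 in (sport, dport):
            return "isakmp"              # IKE negotiation on UDP/500
        if 4500 in (sport, dport):       # NAT-T: 4-byte zero marker = IKE, else UDP-encapsulated ESP
            return "isakmp-natt" if pkt[ihl + 8:ihl + 12] == b"\x00" * 4 else "esp-natt"
    if src in REMOTE_LAN or dst in REMOTE_LAN:
        return "cleartext-leak"          # remote-LAN traffic outside ESP: NATed, not tunnelled
    return "other"

def summarize(packets) -> dict:
    """Count packet classes; a healthy tunnel shows ESP (plain or NAT-T) and no leaks."""
    return dict(Counter(classify(p) for p in packets))

def tunnel_is_encrypting(packets) -> bool:
    c = summarize(packets)
    return c.get("cleartext-leak", 0) == 0 and c.get("esp", 0) + c.get("esp-natt", 0) > 0

def ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (no options, checksum zero) in front of a payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample capture: MX WAN 198.51.100.5 talking to the peer, plus one NATed leak.
SAMPLE = [
    ipv4(17, "198.51.100.5", "203.0.113.10", udp(500, 500, b"\x00" * 28)),         # IKE
    ipv4(50, "198.51.100.5", "203.0.113.10", b"\x00\x00\x12\x34" + b"\xaa" * 40),   # ESP out
    ipv4(50, "203.0.113.10", "198.51.100.5", b"\x00\x00\x43\x21" + b"\xbb" * 40),   # ESP in
    ipv4(17, "198.51.100.5", "203.0.113.10", udp(4500, 4500, b"\xcc" * 40)),       # ESP over NAT-T
    ipv4(6, "198.51.100.5", "10.20.1.7", b"\x00" * 20),       # TCP to the remote LAN in the clear
    ipv4(6, "198.51.100.5", "192.0.2.80", b"\x00" * 20),      # ordinary internet traffic
]
```

Seeing ESP and ISAKMP alone is not enough; the leak count is what tells you whether the remote-LAN traffic is actually inside the tunnel.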

4 Replies

oldroo
Getting noticed

Have you tried clearing the security associations on both ends?

I have seen this before in cross-vendor environments, where one end still thinks the VPN is active and the other end doesn't.

DMaher803
Conversationalist

Good idea. I'll go ahead and do that.

DMaher803
Conversationalist

I'm seeing a lot of ESP and ISAKMP traffic on the WAN side and when I capture on the LAN side it shows as encrypted. I'm going to open a ticket. Thanks for your help!
