Having an issue with a Meraki and an ASA site-to-site. When I first built the tunnel it showed up, both green on the Meraki and showing MM_ACTIVE in the crypto SA on the ASA. But I still can't talk to devices behind the ASA. And periodically when I check the ASA VPN status it shows red, but when I try to ping something behind the ASA I get 100% loss, but the tunnel will then show green. Not sure if it's an issue with the Meraki and using summarized subnets or something else. Anyone have experience with this?
Your interesting subnets on the ASA need to exactly match the interesting subnets on the MX. If you need to restrict access across the tunnel, use the VPN firewall rules. Please note that you can only set VPN firewall rules for outbound traffic.
You might find https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Cisco_ASA_Site-to-site_VPN_Setup interesting.
That "no tunnel, ping 100% loss, then tunnel comes up" could be the tunnel dying due to lack of traffic. You send traffic, tunnel comes up. What's the status on the ASA when the tunnel shows as down on the MX side?
Yes, this is the doc I used. Currently there are a bunch of ASA-to-ASA site-to-sites, so there was already an object group created for the ASA subnets, but they are summarized in a /15. Like the 10.0.0.0/15 actually has 10.0.3.0/24 and 10.0.4.0/24.
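As an added example (not code from this thread, Cisco or Meraki) of the exact-match requirement in the accepted answer and the /15-versus-/24 situation in the reply above: the script compares the prefixes one peer uses for a side of the tunnel with the other peer's prefixes for that same side, and reports any prefix that is only covered by a summary, only covers smaller peer prefixes, or is absent. The prefixes and the object-group name are constructed for illustration; `asa_object_group` emits `network-object` lines that mirror the MX list one-for-one.

```python
"""Check that two VPN peers describe the same side of a tunnel with
*identical* prefixes (same network address, same length), which is what
Phase 2 proxy-ID / traffic-selector negotiation between an MX and an ASA
expects. A /15 on one peer that merely contains the other peer's /24s is
reported as a mismatch.

Added example for this thread, not code from Cisco or Meraki. All prefixes
and the object-group name used below are constructed for illustration.
"""
import ipaddress


def _net(prefix):
    # strict=False also accepts host-style notation such as 10.0.3.1/24
    return ipaddress.ip_network(prefix, strict=False)


def classify(prefix, peer_prefixes):
    """Describe how `prefix` relates to the peer's list of prefixes."""
    net = _net(prefix)
    peers = [_net(p) for p in peer_prefixes]
    if net in peers:
        return "exact"
    if any(net.subnet_of(p) for p in peers):
        # peer has e.g. a /15 summary that contains this /24
        return "covered-by-peer-summary"
    if any(p.subnet_of(net) for p in peers):
        # this is the summary; the peer lists the more specific /24s
        return "summarizes-peer-subnets"
    return "missing"


def find_mismatches(asa_prefixes, mx_prefixes):
    """Return (where, prefix, status) for every prefix that has no exact
    twin on the other peer. Both lists describe the SAME side of the tunnel,
    e.g. the ASA's own local subnets (its crypto ACL source / object group)
    versus the remote subnets the MX is configured with for that ASA."""
    problems = []
    for p in asa_prefixes:
        status = classify(p, mx_prefixes)
        if status != "exact":
            problems.append(("asa", p, status))
    for p in mx_prefixes:
        status = classify(p, asa_prefixes)
        if status != "exact":
            problems.append(("mx", p, status))
    return problems


def asa_object_group(name, prefixes):
    """Render ASA object-group lines that mirror the given list exactly
    (one network-object per prefix, in address/netmask form)."""
    lines = [f"object-group network {name}"]
    for p in prefixes:
        n = _net(p)
        lines.append(f" network-object {n.network_address} {n.netmask}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed: the ASA uses one summary for its LANs (as in the thread),
    # while the MX lists the real /24s as remote subnets for that ASA.
    asa_local = ["10.0.0.0/15"]
    mx_remote_for_asa = ["10.0.3.0/24", "10.0.4.0/24"]
    for where, prefix, status in find_mismatches(asa_local, mx_remote_for_asa):
        print(f"{where}: {prefix} -> {status}")
    # Object group that would make the ASA side match the MX list exactly
    # (group name is an assumption for the example).
    print(asa_object_group("MX-SITE-ASA-LOCAL", mx_remote_for_asa))
```

Run it against the two lists from each side of your own tunnel (ASA local subnets vs. MX remote subnets, then MX local subnets vs. ASA remote subnets); an empty result from `find_mismatches` for both directions is what you want before looking elsewhere.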
Is routing setup correctly? As in, the devices behind the MX have the MX as next hop for the subnet at the other end of the tunnel or as the default gateway? Inversely on the ASA?
The Meraki is the DFGW for all the subnets on the Meraki side. The Meraki should make those uplink decisions, correct? I'm trying to test right from the Meraki MX, pinging a host behind the ASA.
With Meraki AutoVPN, routing would be set up automatically for you. Here, you'll have to do it manually.
The question is: have you set up a static route on both the ASA and the MX pointing towards themselves for the connected subnets?
Oh, so on the MX, those subnets should have static routes? Here's the routing table
Yes, the ASA is the default for its connected subnets. I could post that config if it would help.
How does the ASA reach the prefixes behind the MX? Could you post a "show route SUBNETBEHINDMX"?
Hmm, it says subnet not in table... I did see that the ASA subnets' GW is a Catalyst 4500.
What happens if you configure the ASA to route the subnet(s) behind the MX to the MX?
It looks like I can't even ping the next hop that is the MX... like 10.60.0.1
I used the wizard for the site-to-site in ASDM... would it do it for me?
I can see ACLs and a crypto map in the ASA with a source of the ASA subnets and a destination of the MX subnets, with the IP service set to permit.