MX250 does not send any packets for establishing VPN to a non-Meraki device

feiyang
Comes here often

Hello,


I configured a site-to-site VPN peering to a non-Meraki firewall device, with the parameters below:

IKEv2

Phase 1 encryption: AES256

Phase 1 authentication: SHA256

Phase 1 Pseudo-random Function: SHA256

Diffie-Hellman group: 14

Lifetime (seconds): 28800


Phase 2 encryption: AES256

Phase 2 Authentication: SHA256

PFS group: 14

Lifetime (seconds): 28800


I also made sure the pre-shared key is correctly entered at both ends.


However, the tunnel does not form. I did packet capturing on the MX250 WAN1 side, which is my primary WAN, and do not see a single packet going out to the remote peer's IP. I tried changing the parameters and re-configuring everything to trigger the VPN negotiation packets, but do not get a single packet out to the remote peer.


I do have another non-Meraki VPN peer configured on the same MX250 to compare, and I can capture packets destined to that peer.


So my question is: why does the MX250 not send any packets to the first non-Meraki peer at all? Any thoughts?


Thanks,

Fei.
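The capture check the original post describes, as an added example that is not part of this thread and not Meraki code: a small standard-library parser that reads a classic pcap (Ethernet link type), picks out IKEv2 (UDP/500 and NAT-T UDP/4500), ESP and UDP-encapsulated ESP packets, and reports per peer what was seen in each direction. The sample capture, the IP addresses (documentation ranges) and the function names are all constructed for the example. Run on a WAN capture, it separates the two cases the thread is distinguishing: no IKE_SA_INIT leaving the firewall at all (a local configuration or platform problem) versus IKE_SA_INIT sent but nothing coming back (a path or ISP filtering problem).

```python
"""Report IKEv2/IPsec traffic per VPN peer from a pcap (added example, not Meraki code)."""
import socket
import struct
from collections import Counter

IKE_EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKE_PORTS = (500, 4500)


def parse_ikev2_header(data):
    """Return (exchange name, 'I'/'R') for a 28-byte IKEv2 header, else None."""
    if len(data) < 28:
        return None
    version, exch, flags = struct.unpack_from("!BBB", data, 17)  # after SPIi, SPIr, next payload
    if version >> 4 != 2 or exch not in IKE_EXCHANGE:
        return None
    return IKE_EXCHANGE[exch], "I" if flags & 0x08 else "R"  # 0x08 = Initiator flag


def classify_packet(frame):
    """Return (src, dst, label) for IKE/ESP traffic in one Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 50:  # ESP carried directly over IP
        return src, dst, "ESP"
    if proto != 17 or len(l4) < 8:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    if sport not in IKE_PORTS and dport not in IKE_PORTS:
        return None
    payload = l4[8:]
    if 4500 in (sport, dport):
        if payload[:4] != b"\x00\x00\x00\x00":  # no non-ESP marker: UDP-encapsulated ESP
            return src, dst, "ESP-in-UDP"
        payload = payload[4:]
    hdr = parse_ikev2_header(payload)
    if hdr is None:
        return src, dst, "UDP/%d (non-IKEv2)" % dport
    return src, dst, "%s %s" % hdr


def iter_pcap_frames(pcap):
    """Yield raw frames from a classic pcap, honouring the magic number's byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl]
        off += incl


def vpn_traffic_report(pcap, local_ip):
    """Map each remote peer IP to a Counter of (direction, label) seen from local_ip's view."""
    report = {}
    for frame in iter_pcap_frames(pcap):
        hit = classify_packet(frame)
        if hit is None:
            continue
        src, dst, label = hit
        if src == local_ip:
            peer, direction = dst, "out"
        elif dst == local_ip:
            peer, direction = src, "in"
        else:
            continue
        report.setdefault(peer, Counter())[(direction, label)] += 1
    return report


def diagnose(report, peer):
    """One-line reading of the report for a given peer."""
    c = report.get(peer, Counter())
    if not c:
        return "no IKE/ESP packets to or from %s: the initiator never started negotiating" % peer
    if not any(d == "in" for d, _ in c):
        return "packets sent to %s but nothing returned: check UDP 500/4500 and ESP along the path" % peer
    return "bidirectional IKE/ESP traffic with %s: %s" % (peer, dict(c))


# --- constructed sample capture (not a real trace) ---------------------------------
def _ipv4_udp(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b"\x02" * 6 + b"\x01" * 6 + b"\x08\x00" + ip


def _ikev2(exchange, initiator, spi_r=b"\x00" * 8):
    # Header only; real messages carry SA/KE/nonce payloads after it.
    flags = 0x08 if initiator else 0x20
    return b"\x11" * 8 + spi_r + struct.pack("!BBBBII", 33, 0x20, exchange, flags, 0, 28)


def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1657731981 + i, 0, len(f), len(f)) + f
    return out


LOCAL = "198.51.100.10"   # firewall WAN1 (constructed)
PEER_A = "203.0.113.5"    # peer that is never contacted (constructed)
PEER_B = "203.0.113.77"   # peer that negotiates normally (constructed)
SAMPLE_PCAP = _pcap([
    _ipv4_udp(LOCAL, "198.51.100.1", 53000, 53, b"\x00" * 12),                 # unrelated DNS
    _ipv4_udp(LOCAL, PEER_B, 500, 500, _ikev2(34, True)),                       # IKE_SA_INIT out
    _ipv4_udp(PEER_B, LOCAL, 500, 500, _ikev2(34, False, b"\x22" * 8)),         # IKE_SA_INIT back
    _ipv4_udp(LOCAL, PEER_B, 4500, 4500, b"\x00" * 4 + _ikev2(35, True, b"\x22" * 8)),  # IKE_AUTH (NAT-T)
])

if __name__ == "__main__":
    rep = vpn_traffic_report(SAMPLE_PCAP, LOCAL)
    for p in (PEER_A, PEER_B):
        print(diagnose(rep, p))
```

For a real trace, replace `SAMPLE_PCAP` with the bytes of the dashboard's downloaded capture and `LOCAL` with the WAN1 address; an empty report for the peer while the IKE_SA_INIT count is non-zero for the working peer reproduces exactly the situation described in the post.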

RaphaelL
Kind of a big deal

Hi,


Since S2S settings are org-wide, have you specified the correct 'Availability' in the NMS2S settings?


[screenshot: RaphaelL_0-1657731981209.png]

With either a configured 'Tag' on your network or 'All Networks' (not recommended).


Also what MX firmware version are you running ?

feiyang
Comes here often

Yes, I have specified the correct site to have this VPN applied. Firmware is MX 16.16.


Also, the non-Meraki peer is a SaaS VPN provider, and my Meraki firewall is in Mexico. I tried to peer with various VPN gateways from the SaaS provider, either in the US or in Mexico, and the Meraki firewall does not send out any packets.


I have a similar setup in the US, where an MX250 firewall in the US can establish a VPN to the same SaaS VPN provider, and I am able to capture packets from this US MX250 destined to the SaaS VPN provider's gateway over the Internet interface.


I only have one site and one firewall in Mexico, thus I cannot narrow down whether it is a Mexico/ISP related issue or the particular MX250 has an issue.

RaphaelL
Kind of a big deal

But you should still see in the packet capture the MX sending packets to the peer. They might get dropped by a router from the ISP upstream but that wouldn't change the fact the packets should be seen.


Silly question: have you tried to reboot it? I haven't had the chance to try 16.16 yet.

feiyang
Comes here often

I agree, I should at least be able to see some packets coming out of MX WAN interface. This is strange.


I have not rebooted the MX yet. I am scheduling the MX for it and will probably upgrade to 17.x (whichever newer code is allowed in the Meraki dashboard).


I will also switch to the secondary ISP as my primary ISP to try out the other ISP as exit.


Thanks,

Fei.

feiyang
Comes here often

Update: I upgraded the firewall firmware to 17.x and also switched over the ISP in this site. After that, the VPN tunnel is up. I suspect the previous primary ISP blocks IPsec or has stricter network security (as I cannot ping my public IP either), which caused the issue.
