MX65 VPN connection issue

Solved
GergelyK
Hello Everyone,

I'm writing to the forum as well, so maybe someone has already seen this kind of behaviour with their MX65.

I'm working for a company that has normal xDSL internet lines all around the globe using Meraki VPN connections between them.

We have 2 WAN interfaces activated (WAN1 and WAN2). Today our customer noticed that in one of the regions they could see that the traffic failed over to WAN2 while the WAN1 was still active.

I've checked the Traffic shaping and indeed the WAN1 is the Primary. It is visible that the WAN1 is up, but for some reason when checking the VPN status, the routing decision was pointed to the WAN2 due to "Only uplink", while the WAN1 was still up.

The VPN Registry said the following error message: "Disconnected. This security appliance is unable to connect to any VPN registries using outbound UDP port 9350."

I've contacted our ISP to confirm what is happening on these circuits. They confirmed that there is no block on port level on these circuits.

The interesting thing is that if you restart the MX65 on one of the affected sites, after the reboot it will build up the connection without any issue. So I guess this will be some kind of bug.

Has any of you encountered the same?

I've already contacted Meraki TAC to check further why this is happening, as this was on multiple sites. But I'm wondering if this is something specific to us, or do you guys also see similar things?

Cheers,
Greg

1 Accepted Solution
PhilipDAth

Some routers have bad UDP NAT code in them, and expire the sessions out quickly - causing connectivity issues.

Is the same kind of DSL router being used for WAN1 and WAN2?  If they are different, I bet the one on WAN1 has an issue.

Are there any firmware upgrades available for the DSL router connected to WAN1?

Hi Phil,

Thanks for the fast reply.
Nope, they are 2 different NTUs. One of them is usually a Technicolor and the other one is a Netgear.

I haven't checked with the provider for firmware update on those devices. I'll check with them, as this is their device.

Do you not think that this can be an issue with the Meraki itself? We have similar sites with the same equipment which are running fine.

Cheers,
Greg
PhilipDAth

It is nearly always NAT bugs on the DSL router.  It is unlikely to be the MX.

Thanks, I'll check on it with the provider. I'll keep this one updated.
PhilipDAth

Service provider NAT can also cause issues.  Getting a static IP address on the DSL will normally solve this.

Hello Everyone,

Well, this issue just dissipated. I mean the Meraki TAC did not see any issue, and they requested packet captures, but since after restart the problem went away I couldn't give them one.

Provider said that they are up to date with their firmware, so no luck there either.

I guess if it happens again next time I'll make a capture and we will see what happens 🙂
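
The quick UDP NAT session expiry suggested in the replies above can be measured directly; the sketch below is an added example, not part of the original thread and not Meraki code. It assumes you control a host with a public address outside the DSL router to run `run_responder`, and all function names are hypothetical; it does not speak the VPN registry protocol, it only checks how long the upstream router keeps an idle outbound UDP mapping open.

```python
import socket
import threading

def run_responder(sock, stop):
    """Run on a host you control OUTSIDE the NAT (assumed to exist): answer
    each probe immediately, then again after the idle time it asks for."""
    sock.settimeout(0.1)
    while not stop.is_set():
        try:
            data, addr = sock.recvfrom(64)
            idle_s = float(data.decode())
        except (socket.timeout, ValueError):
            continue                          # nothing received or junk input
        if not 0 <= idle_s <= 600:            # ignore absurd requests (and NaN)
            continue
        sock.sendto(b"now", addr)             # proves the path works at all
        # The late reply only gets through if the NAT still holds the mapping.
        threading.Timer(idle_s, sock.sendto, args=(b"late", addr)).start()

def mapping_survives(server, idle_s, margin=1.0):
    """Run BEHIND the router under test. True if an inbound datagram still
    reaches us after idle_s seconds of silence, False if it was dropped,
    None if even the immediate reply never arrived (path blocked)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(margin)
        s.sendto(str(idle_s).encode(), server)
        try:
            if s.recvfrom(64)[0] != b"now":
                return None
        except OSError:
            return None
        s.settimeout(idle_s + margin)
        try:
            return s.recvfrom(64)[0] == b"late"
        except OSError:
            return False

def longest_surviving_idle(server, candidates=(15, 30, 60, 120, 300)):
    """Step through idle times; return the longest one the mapping survived
    (0 if the first candidate already failed or the path is blocked)."""
    best = 0
    for idle_s in candidates:
        if not mapping_survives(server, idle_s):
            break
        best = idle_s
    return best
```

Running `longest_surviving_idle` once through the WAN1 router and once through the WAN2 router gives a like-for-like comparison of the two devices.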

 
