Meraki Cloud Connectivity & MX site to site tunnels

Solved
FlyingFrames
Building a reputation


If Meraki cloud connectivity goes down, not due to the internet but to some other cloud issue:

Will the site-to-site tunnels still stay up forever?

Or will they time out after some time and require Meraki cloud reachability to re-key themselves?

 

The doc says the following:

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

 

"Once the information is shared with the MX about its peers, a VPN tunnel is formed MX to MX. The Meraki cloud already knows the subnet information for each MX, and now the IP addresses to use for tunnel creation. The cloud pushes a key to the MXs in their configuration which is used to establish an AES encrypted IPsec-like tunnel."

 

Hence it's not clear from the documentation!

1 Accepted Solution
Brash
Kind of a big deal

The same document also says the following

 

"Expected behavior. If the MX loses connectivity to the VPN registry, peer information gets purged over time but not immediately. Connectivity to the registry matters when a node changes its contact information after losing connectivity to the VPN registry.

 

Both the hub and spoke will still be able to form the tunnel if the contact information remains the same, and they lost registry connectivity. Peer information will purge after a few hours causing the tunnel to be marked down."

 

It sounds like there is a timeout where the peer info gets purged and connectivity to the VPN registry is required for the tunnel to remain established. That said, I've never seen this occur. 

For the exact length of time the tunnels remain up for, you'd probably need to ask Meraki support.


5 Replies
alemabrahao
Kind of a big deal

@FlyingFrames Usually when there is a problem on the dashboard they send an email informing about the problem and also telling us not to worry, as the client's network will continue to work normally.

But I'm not sure if there is documentation with this information.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
JJ22
Just browsing

Today, we have begun seeing issues with some of our networks not connecting to the cloud server. The users get the normal splash page, but once they hit connect they get an error message saying that they can't connect to the server. This started out of the blue today.

alemabrahao
Kind of a big deal

What model and firmware version are the MXes?

 

Security appliance firmware versions MX 16.16.1 changelog
Important notice

While Meraki appliances have traditionally relied on UDP port 7351 for cloud communication and TCP ports 80 and 443 for backup communications, with MX 16 we are beginning a transition to using TCP port 443 as the primary means for cloud connectivity. In order to ensure proper connectivity to the Meraki cloud after this upgrade, please ensure that traffic using TCP port 443 between 209.206.48.0/20 is allowed through any firewalls that may be deployed upstream of your Meraki appliances.
HTTP proxy, which allows default management traffic from MX appliances to be sent through a proxy, is deprecated on MX 16 and higher firmware versions.

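The changelog quoted above describes three flows an MX needs through an upstream firewall: TCP 443 to 209.206.48.0/20 (the new primary on MX 16 and later), UDP 7351 (the traditional primary) and TCP 80 (backup). As an added example, not code from Meraki or from anyone in this thread, the script below spot-checks a first-match firewall policy for those flows. The rule syntax, the first-match evaluation, the MX WAN address 198.51.100.10 and both sample policies are constructed assumptions for illustration; the /20 and the port numbers come from the changelog text.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not Meraki's code): spot-check an upstream firewall policy for the
# flows the MX 16 changelog calls out. The rule format, first-match evaluation and the
# sample rules further down are constructed assumptions for illustration.

MERAKI_CLOUD = ipaddress.ip_network("209.206.48.0/20")   # range named in the changelog

# Flows the changelog describes: TCP 443 becomes primary on MX 16+, UDP 7351 was the
# traditional primary, TCP 80 (and 443) were the backup channels.
REQUIRED_FLOWS = {
    "tcp/443 primary (MX 16+)": ("tcp", 443),
    "udp/7351 legacy primary": ("udp", 7351),
    "tcp/80 backup": ("tcp", 80),
}


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port


def parse_rule(line: str) -> Rule:
    """Parse a constructed rule line: '<action> <proto> <src> <dst> <dport|any>'."""
    action, proto, src, dst, dport = line.split()
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                None if dport == "any" else int(dport))


def first_match(rules: List[Rule], proto: str, src, dst, dport: int) -> Optional[Rule]:
    """First-match semantics: the first rule whose fields all cover the flow decides it."""
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r
    return None


def flow_allowed(rules: List[Rule], proto: str, src, dst, dport: int,
                 default: str = "deny") -> bool:
    m = first_match(rules, proto, src, dst, dport)
    return (m.action if m else default) == "allow"


def audit_cloud_access(rules: List[Rule], mx_wan_ip: str) -> Dict[str, bool]:
    """For each required flow, check the MX WAN IP can reach both ends of the Meraki /20
    on that port. Probing the first and last usable address is a spot check, not a proof
    that every address in the range is covered by a single contiguous allow."""
    src = ipaddress.ip_address(mx_wan_ip)
    probes = [MERAKI_CLOUD.network_address + 1, MERAKI_CLOUD.broadcast_address - 1]
    return {
        label: all(flow_allowed(rules, proto, src, p, dport) for p in probes)
        for label, (proto, dport) in REQUIRED_FLOWS.items()
    }


# Constructed sample policy written for pre-16 firmware: it allows the old UDP channel
# and TCP 80 but has an explicit deny for outbound TCP 443, which breaks MX 16+ cloud
# connectivity. 198.51.100.10 is an assumed MX WAN address (documentation range).
LEGACY_POLICY = [parse_rule(l) for l in """
allow udp 198.51.100.10/32 209.206.48.0/20 7351
allow tcp 198.51.100.10/32 209.206.48.0/20 80
deny  tcp 198.51.100.10/32 0.0.0.0/0 443
deny  any 0.0.0.0/0 0.0.0.0/0 any
""".split("\n") if l.strip()]

# Corrected policy: the TCP 443 allow to the Meraki range is placed ahead of the deny.
FIXED_POLICY = [parse_rule("allow tcp 198.51.100.10/32 209.206.48.0/20 443")] + LEGACY_POLICY

if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY_POLICY), ("fixed", FIXED_POLICY)):
        print(name, audit_cloud_access(policy, "198.51.100.10"))
```

Running it prints the legacy policy with the TCP 443 flow marked False and the fixed policy with all three flows True. The point of the spot check is ordering: on a first-match firewall, an allow for the Meraki /20 only helps if it sits above the broader deny, which is exactly the kind of mistake that surfaces as "worked on MX 15, dropped off the dashboard after upgrading to MX 16".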
alemabrahao
Kind of a big deal

Check this post:

 

https://community.meraki.com/t5/Meraki-Service-Notices/Dashboard-issues-affecting-device-status-and-...
