Meraki MX to Fortigate IPSEC

Jason_Reed
Here to help

We are in the process of testing the Meraki MX68 and Teleworker security appliances as SOHO endpoints, and we have noticed that IPSEC tunnels back to our Fortigate 200E running 6.04 are sporadic at best regardless of which Meraki MX we use. Has anyone been able to get a stable MX to Fortigate site-to-site VPN going that doesn't fall apart under load and start randomly dropping packets?

MarcP
Kind of a big deal

Yes, hundreds of MX65 using Dial-Up IPSec tunnels to a Fortigate 1100D, running very well.

 

You mentioned dial-up VPNs. We are using P2P IPSEC. We are getting the same behavior across carriers and across Fortigate and Meraki models. We have an MX68 going to a Fortigate 60E and a FortiWiFi 60D. We also have a Teleworker Meraki doing the same. The Merakis have run the latest firmware, and just for testing we even updated to the beta; 15.12, I believe, is the current beta. All Fortigates are running 6.04 or 6.05. Does anyone else have success at these firmware levels running IPSEC? Under small loads the traffic drops.

 

Thanks!!!

Anybody out here doing a VPN to a Fortigate running some of the later firmware in the version 6.x range? We are seeing our unstable VPN on Fortigates running 6.x. Older firmware looks to be working normally. We think this might be an issue on the Meraki side.

 

Thanks for your help.

Happiman
Building a reputation

I don't have an L2L VPN between Fortigate and Meraki, but I do have a Fortigate for my edge firewall.

Could you share your debug on VPN?

 

diagnose debug app ike 255
diagnose debug enable

https://cookbook.fortinet.com/ipsec-vpn-troubleshooting/

 

 

Can you try and update one of your Fortigates to 6.x and see if you can get a tunnel to stay up with sustained traffic? We have access to many Fortigates and we have replicated the issue on all units. Ours are mostly Fortigate 60D and 60E units. I am able to get a tunnel up on a very old Fortigate 110C to an MX68 running 4.x firmware on the Fortigate. I'm using the default settings in the Meraki for the VPN connections.

 


Happiman
Building a reputation

We will have to see your debug to identify which phase is breaking up.
