NAT Type 'Friendly' , but Site-to-Site VPN down

Solved
grande_bold
Conversationalist


[screenshot: site-to-site VPN status graph]

Site-to-site VPN goes down permanently whenever the PUBLIC IP port number changes on an upstream firewall from the MX. I expected the cloud registry to update the port change within minutes, but the RED periods in the graph represent HOURS or DAYS.


During the green periods, SD-WAN is up while the public IP port matches the local port. But something happened on the upstream firewall... the port changed, the registry gets the update and still calls it a 'friendly' NAT type in the screenshots below, but the VPN won't come up.


MX1

[screenshot: MX1 VPN registry status]

MX2

[screenshot: MX2 VPN registry status]

An interesting note is that the port on MX2 is outside the 32768-61000 range listed in Meraki documentation.


To contact the VPN registry:

  • Source UDP port range 32768-61000
  • Destination UDP port 9350 or UDP port 9351


For IPsec tunneling:

  • Source UDP port range 32768-61000
  • Destination UDP port range 32768-61000 


Does the above rule apply only to the LOCAL (MX) side, or must the upstream firewall also reserve the port range 32768-61000?


Anyone have similar issues or can explain why the VPN won't re-establish after a dynamic port change?


1 Accepted Solution
PhilipDAth
Kind of a big deal

I assume your upstream firewall has a static public IP address.


If this is the case, the most reliable option is to choose a port (say udp/10000) and port forward this to the MX, and enable manual port forwarding for NAT traversal.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NAT_Traversal 
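The failure the question describes (the public port changes on the upstream firewall while remote peers keep using the mapping the registry last published) and the fix proposed in this answer (a fixed forwarded port) can both be modelled in a few lines. This is an added example, not Meraki code or documentation: the NAT, registry, addresses and peer are constructed, and the rule that "friendly" means both registry ports observed the same public port is my assumption about what the registry checks, not something the docs quoted above state.

```python
"""Toy model of AutoVPN reachability through an upstream NAT.

Added example, not Meraki code. Assumed behaviour (mine, not from the docs):
the MX registers by sending UDP from its local port to both registry ports;
the registry publishes the public IP:port it saw on 9350 and calls the NAT
"friendly" when 9350 and 9351 saw the same public port; the upstream NAT
delivers inbound tunnel traffic only via a static forward or a live mapping.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

REGISTRY_PORTS = (9350, 9351)          # from the documentation quoted in the post
EPHEMERAL_RANGE = range(32768, 61001)  # documented source/destination UDP range
Endpoint = Tuple[str, int]             # (ip, udp port)
Mapping = Tuple[Endpoint, Optional[Endpoint]]  # (internal host, pinned remote or None)
PEER = ("198.51.100.7", 45000)         # constructed remote AutoVPN peer


def in_documented_range(port: int) -> bool:
    """True when an observed public port is inside 32768-61000."""
    return port in EPHEMERAL_RANGE


@dataclass
class UpstreamNat:
    """UDP NAT in front of the MX. symmetric=True allocates one public port per
    destination and only accepts packets back from that destination."""
    public_ip: str
    symmetric: bool = False
    next_port: int = 40000
    inbound: Dict[int, Mapping] = field(default_factory=dict)   # public port -> mapping
    outbound: Dict[object, int] = field(default_factory=dict)   # flow key -> public port
    static: Dict[int, Endpoint] = field(default_factory=dict)   # manual port forwards

    def translate(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Outbound packet: reuse or allocate the public port for this flow."""
        key = (src, dst) if self.symmetric else src
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = (src, dst if self.symmetric else None)
            self.next_port += 1
        return (self.public_ip, self.outbound[key])

    def deliver(self, remote: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Inbound packet: static forwards always match; a dynamic mapping matches
        only while it exists and (symmetric NAT) only for its pinned remote."""
        if dst_port in self.static:
            return self.static[dst_port]
        entry = self.inbound.get(dst_port)
        if entry and entry[1] in (None, remote):
            return entry[0]
        return None

    def churn(self) -> None:
        """Upstream firewall rebuilds its table (reboot, idle timeout, failover):
        dynamic mappings vanish and are re-created later on different ports."""
        self.inbound.clear()
        self.outbound.clear()


@dataclass
class Registry:
    """What the cloud registry publishes about each MX."""
    published: Dict[str, Endpoint] = field(default_factory=dict)
    nat_type: Dict[str, str] = field(default_factory=dict)


def register(reg: Registry, nat: UpstreamNat, name: str, mx: Endpoint) -> str:
    """MX registers on both registry ports; the registry records what it saw."""
    seen = {rp: nat.translate(mx, ("registry.example", rp))[1] for rp in REGISTRY_PORTS}
    reg.nat_type[name] = "friendly" if len(set(seen.values())) == 1 else "unfriendly"
    reg.published[name] = (nat.public_ip, seen[REGISTRY_PORTS[0]])
    return reg.nat_type[name]


def peer_can_reach(reg: Registry, name: str, nat: UpstreamNat) -> bool:
    """The remote peer sends IPsec to the published endpoint; is it delivered?"""
    return nat.deliver(PEER, reg.published[name][1]) is not None


def scenario(manual_forward: bool, symmetric: bool = False) -> Dict[str, object]:
    """Dynamic NAT traversal vs. manual port forwarding across one NAT table churn."""
    nat = UpstreamNat("203.0.113.10", symmetric=symmetric)   # constructed addresses
    mx = ("192.168.1.2", 33000)
    reg = Registry()
    if manual_forward:
        # Accepted solution: fixed udp/10000 forwarded to the MX and configured as
        # the public port, so nothing depends on learned outbound mappings.
        nat.static[10000] = mx
        reg.published["MX1"] = (nat.public_ip, 10000)
        reg.nat_type["MX1"] = "manual"
    else:
        register(reg, nat, "MX1", mx)
    out = {"nat_type": reg.nat_type["MX1"],
           "before_churn": peer_can_reach(reg, "MX1", nat)}
    nat.churn()
    # Peers keep using the stale published mapping until the registry refreshes.
    out["after_churn_stale_registry"] = peer_can_reach(reg, "MX1", nat)
    if not manual_forward:
        register(reg, nat, "MX1", mx)
    out["after_registry_refresh"] = peer_can_reach(reg, "MX1", nat)
    return out
```

`scenario(False)` shows the thread's symptom: the NAT is reported friendly and the tunnel works until the upstream mapping changes, after which peers sending to the stale published port get nothing until the registry is refreshed. `scenario(True)` shows why the static forward is the reliable option: the public port never depends on a dynamic mapping, so churn on the upstream firewall does not take the tunnel down. `scenario(False, symmetric=True)` is the contrasting unfriendly case, where even a fresh mapping rejects traffic from anyone but the registry.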


2 Replies

bjbonkowski
Conversationalist

We have seen similar issues with a number of our Z3 to MX AutoVPN tunnels. 
