Site-to-site VPN goes down permanently whenever the PUBLIC IP port number changes on an upstream firewall from the MX. I expected the cloud registry to update the port change within minutes, but the RED periods in the graph represent HOURS or DAYS.
During the green periods, SD-WAN is up while the public IP port matches the local port. But something happened on the upstream firewall: the port changed, the registry gets the update and still calls it a 'friendly' NAT type in the screenshots below, but the VPN won't come up.
MX1
MX2
An interesting note is the port on MX2 is outside the 32768-61000 scope listed in Meraki documentation.
To contact the VPN registry:
- Source UDP port range 32768-61000
- Destination UDP port 9350 or UDP port 9351
For IPsec tunneling:
- Source UDP port range 32768-61000
- Destination UDP port range 32768-61000
Does the above rule apply only to the LOCAL (MX), or must the upstream firewall also reserve the port range 32768-61000?
Anyone have similar issues or can explain why the VPN won't re-establish after a dynamic port change?
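An added check (example code, not from the original post or from Meraki) that walks a series of registry snapshots and flags the two conditions described above: the public port drifting away from the MX's local port, and the public port falling outside the documented 32768-61000 range. The snapshot data and field names are constructed assumptions, not Dashboard output.

```python
"""Flag AutoVPN registry snapshots whose public port is unlikely to let the tunnel form."""
from dataclasses import dataclass

# Source/destination UDP port range the MX uses for the VPN registry and IPsec
VPN_PORT_RANGE = range(32768, 61001)


@dataclass
class Snapshot:
    """One registry observation (constructed layout, not the Dashboard schema)."""
    ts: str
    local_port: int    # UDP source port the MX itself uses
    public_port: int   # UDP port the registry saw after upstream NAT
    nat_type: str      # what the registry reported, e.g. "friendly"


def port_in_range(port: int) -> bool:
    """True when the port lies inside the documented 32768-61000 range."""
    return port in VPN_PORT_RANGE


def classify(snap: Snapshot) -> list[str]:
    """Return the reasons this snapshot looks broken; an empty list means OK.

    The registry may still label the NAT 'friendly', so the label alone is
    not trusted; the port values are checked directly.
    """
    problems = []
    if snap.public_port != snap.local_port:
        problems.append("public port differs from local port")
    if not port_in_range(snap.public_port):
        problems.append("public port outside 32768-61000")
    return problems


def find_transitions(snaps: list[Snapshot]) -> list[tuple[str, int, int]]:
    """Return (timestamp, old_public_port, new_public_port) for each port change."""
    return [
        (cur.ts, prev.ts_port if False else prev.public_port, cur.public_port)
        for prev, cur in zip(snaps, snaps[1:])
        if prev.public_port != cur.public_port
    ]


# Constructed sample: green period, then the upstream firewall changes the port.
SAMPLE = [
    Snapshot("2023-01-01T08:00", 40000, 40000, "friendly"),
    Snapshot("2023-01-01T09:00", 40000, 40000, "friendly"),
    Snapshot("2023-01-01T10:00", 40000, 1025, "friendly"),  # port changed, out of range
]
```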