Non Meraki Peer Site to Site VPN : Data & Stats

mel-astrosat
Here to help

Hi.

I am new to the Meraki Community, having just installed a Meraki MX64 Security Device. I am experiencing problems with the single site-to-site VPN that I set up involving a non-Meraki device at the other end. I am getting continuous reports in the Events Log suggesting that the IPsec process is failing at phase 1 (see below screen shot).

Oct 3 18:23:02 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Oct 3 18:23:02 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Oct 3 18:23:02 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Oct 3 18:23:02 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
Oct 3 18:22:20 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Oct 3 18:22:20 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Oct 3 18:22:20 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Oct 3 18:22:20 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
Oct 3 18:21:57 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Oct 3 18:21:57 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Oct 3 18:21:57 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Oct 3 18:21:57 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
Oct 3 18:21:44 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Oct 3 18:21:44 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Oct 3 18:21:44 Non-Meraki / Client VPN negotiation

Despite these logs, the VPN is successfully passing traffic in both directions.

Another issue is that the VPN status does not display any data such as throughput or connectivity. I read an article that described available stats, but I could not ascertain if they are only available with Auto VPN, i.e. Meraki-to-Meraki links.

Any help or advice would be greatly appreciated.

2 Replies
PhilipDAth
Kind of a big deal

It suggests there is a mismatch in the crypto parameters for the renegotiation to keep happening. Check that the subnets match up exactly on both sides.

mel-astrosat
Here to help

Hi Philip. It turned out to be a mismatch on Phase 1 lifetime settings. The MX end was set at 3600 seconds and the distant end was set at 28800 seconds.

Now that this problem has been resolved I am still at a loss on 2 points.

1. I get very little info from the VPN monitor facility, only a green dot depicting a healthy VPN. There are no stats or other info. Does that info only come with Meraki Auto VPNs, i.e. a Meraki device at both ends? I have glanced at some literature that refers to VPN registers, but again I think this involves Meraki-to-Meraki VPNs.

2. Having set up a client VPN link for working from home, I am trying to get access to the site-to-site VPN.

I initially set up a firewall rule to allow the VPN subnet access to the main subnet. That allowed my PC at home access to every resource within our main office. When I tried adding the subnet at the distant end of the site-to-site VPN, I failed to get access to the resources at the VPN distant end.

First setting: VPN subnet 192.168.101.0/24 ------------- Main Subnet 192.168.100.0/24 OK

Second setting: 192.168.101.0/24 ------------ 192.168.100.0/24, 172.16.0.0/12 (added distant subnet): Can still see main subnet but no access to distant subnet.

Any advice?
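
A small triage helper for the situation in this thread, added here as an example (not code from the posters or from Meraki): it groups event-log lines by timestamp to find attempts rejected with "no suitable proposal found", then diffs the two peers' Phase 1 settings. The function names, dictionary keys and every setting other than the two lifetimes quoted in the thread are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's event-log format; the last line is cut off on purpose.
SAMPLE_LOG = """\
Oct 3 18:23:02 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Oct 3 18:23:02 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Oct 3 18:23:02 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Oct 3 18:23:02 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
Oct 3 18:22:20 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Oct 3 18:22:20 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
Oct 3 18:21:44 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Oct 3 18:21:44 Non-Meraki / Client VPN negotiation
"""

# \s* before "msg:" tolerates the event type and the message being run together.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"Non-Meraki / Client VPN negotiation\s*msg:\s*(?P<msg>.+?)\.?$"
)
PROPOSAL_REJECTED = {"phase1 negotiation failed", "no suitable proposal found"}

def rejected_proposal_attempts(log_text):
    """Timestamps (sorted as strings) whose messages show a phase 1 proposal rejection."""
    by_ts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # truncated or unrelated lines are skipped
            by_ts[m["ts"]].add(m["msg"])
    return sorted(ts for ts, msgs in by_ts.items() if PROPOSAL_REJECTED <= msgs)

def phase1_mismatches(local, remote):
    """Map each phase 1 parameter that differs to its (local, remote) values."""
    keys = sorted(set(local) | set(remote))
    return {k: (local.get(k), remote.get(k)) for k in keys if local.get(k) != remote.get(k)}

# Lifetimes are the ones reported in the thread; the other values are hypothetical.
MX_SIDE = {"encryption": "aes256", "hash": "sha1", "dh_group": 14, "lifetime_s": 3600}
REMOTE_SIDE = {"encryption": "aes256", "hash": "sha1", "dh_group": 14, "lifetime_s": 28800}

if __name__ == "__main__":
    print(rejected_proposal_attempts(SAMPLE_LOG))
    print(phase1_mismatches(MX_SIDE, REMOTE_SIDE))
```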
