Hi
I have a MX65 at the office and a MX64 at home, site-to-site vpn used to work. in different organizations
I recently changed my ISP and dont have access to their "home wifi" router so i plug direcly to the MX64 from the Fibre box, i setup the pppoe and everthing is fine and i can get to the internet with no issues.
but when i want to setup s2s vpn it doesnt work, event log below
Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. 33739c79299d2b0b:978e8ab8006fc8f0 | ||
Dec 23 11:40:59 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500] | |
Dec 23 11:40:55 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. 5573bbe361 | |
Dec 23 11:40:05 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500] | |
Dec 23 11:40:01 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. 2194da0f05a | |
Dec 23 11:39:11 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500] | |
Dec 23 11:39:08 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. 9f489072a1d2 | |
Dec 23 11:38:17 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500] | |
Dec 23 11:38:13 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. f562d56a8af | |
Dec 23 11:37:23 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500] | |
Dec 23 11:37:19 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. 89841dc7d01b | |
Dec 23 11:36:29 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500] |
These logs seem to be from the initiating side. I assume that these are the logs of your MX? We now need to see what the responding side sees and does in turn. What do the logs on the other side show?
Does your MX get a public IP over the PPPoE connection?
Any chance the new provider is blocking port UDP 500 or 4500 outgoing in their firewall?
On the other end, what is the setup: is the MX in your office behind a firewall/NAT? Any chance UDP 500 & 4500 are blocked here (or maybe restricted to certain public IP addresses/ranges)?
the below are from the work MX, not blocking UDP 500 or 4500 as this used to work and nothing has changed this side
Dec 23 13:03:50 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. a9facc1aed498e23:41588bf9c5010c8e | |
Dec 23 13:03:00 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 196.*.*.242[500]<=>102.*.*.107[500] |
the below is from the home mx, i get the public IP over PPPoE connection
Dec 23 13:03:49 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. a9facc1aed498e23:41588bf9c5010c8e | |
Dec 23 13:02:59 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. 4b91c4ff5ee2ab8c:0ec81cd8388673d4 | |
Dec 23 13:02:04 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed due to time up. 54e925e7dae2611b:3f1973c0fb40bdb8 | |
Dec 23 13:00:55 | Non-Meraki / Client VPN negotiation | msg: phase1 negotiation failed. | |
Dec 23 13:00:55 | Non-Meraki / Client VPN negotiation | msg: failed to pre-process ph1 packet (side: 1, status 1). | |
Dec 23 13:00:55 | Non-Meraki / Client VPN negotiation | msg: failed to get valid proposal. | |
Dec 23 13:00:55 | Non-Meraki / Client VPN negotiation | msg: no suitable proposal found. |
You say that nothing has changed but thats not true. You changed ISPs 😉. That means you changed IP addresses on the home end. Did you change the specified public IP in the tunnel configuration on the office end (do you even have a static IP address in the home network)?
This is what the docs say about this situation:
Event Log: "phase1 negotiation failed due to time up"
Error Description: VPN peer-bound traffic was generated towards a non-Meraki VPN peer for which we did not already have an established tunnel. In attempting to begin the phase 1 negotiation to establish the tunnel, we did not receive a response back from the remote side.
Error Solution: Use some simple tests (ping, for example) to check for packet loss between the two sites. Take a packet capture to verify that ISAKMP traffic is being sent by the local peer. If the ISAKMP traffic is received and the remote side is not replying, verify that the remote side is configured to establish a tunnel with the local peer.
I meant nothing has changed on the office side only change is at home. and i have updated the public ip of the home network on the office MX
The logs are indicating that there is no connectivity between the two MX.
Are you able to ping the office public IP from home?
i go to tools on both MX’s I ping the public IP just fine on both side
So the exact configuration worked at home, before the ISP swap?
To confirm MX65 and 64 are currently in different Orgs?
Might look this over
So the exact configuration worked at home, before the ISP swap? Yes
To confirm MX65 and 64 are currently in different Orgs? yes
i have looked at the troubleshooting docs and nothing there 😞
Both sides are indicating they are not getting traffic from the other.
Lets put aside the most common scenario - the traffic is being filtered.
Another cause of this is when the PSK does not match. I know you said you didn't make any changes in this area, but perhaps wen you were updating the peer IP address the web browser auto-completed the PSK field and changed it.
Can you double check the PSK matches on both ends please.
Also can you double check the peer IP addresses. Perhaps you are wanting to see it be a certain value and that is that you are reading but the actual configured IP is slightly different.
One of the logs seems to indicate no proposals. Check your crypto settings as well, not just PSK as was suggested by other members here.
Crypto settings are identical on both sides