Non Meraki Peer Site to Site VPN

route_map
Building a reputation

Non Meraki Peer Site to Site VPN

Hi

 

I have a MX65 at the office and a MX64 at home, site-to-site vpn used to work. in different organizations

I recently changed my ISP and dont have access to their "home wifi" router so i plug direcly to the MX64 from the Fibre box, i setup the pppoe and everthing is fine and i can get to the internet with no issues.

 

but when i want to setup s2s vpn it doesnt work, event log below

 

Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 33739c79299d2b0b:978e8ab8006fc8f0
Dec 23 11:40:59 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500]
Dec 23 11:40:55 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 5573bbe361
Dec 23 11:40:05 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500]
Dec 23 11:40:01 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 2194da0f05a
Dec 23 11:39:11 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500]
Dec 23 11:39:08 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 9f489072a1d2
Dec 23 11:38:17 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500]
Dec 23 11:38:13 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. f562d56a8af
Dec 23 11:37:23 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500]
Dec 23 11:37:19 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 89841dc7d01b
Dec 23 11:36:29 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: 102.*.*.107[500]<=>196.*.*.242[500]
12 Replies 12
BrechtSchamp
Kind of a big deal

These logs seem to be from the initiating side. I assume that these are the logs of your MX? We now need to see what the responding side sees and does in turn. What do the logs on the other side show?

 

Does your MX get a public IP over the PPPoE connection?

 

Any chance the new provider is blocking port UDP 500 or 4500 outgoing in their firewall?

 

On the other end, what is the setup: is the MX in your office behind a firewall/NAT? Any chance UDP 500 & 4500 are blocked here (or maybe restricted to certain public IP addresses/ranges)? 

route_map
Building a reputation

the below are from the work MX, not blocking UDP 500 or 4500 as this used to work and nothing has changed this side

 

Dec 23 13:03:50 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. a9facc1aed498e23:41588bf9c5010c8e
Dec 23 13:03:00 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: 196.*.*.242[500]<=>102.*.*.107[500]

 

the below is from the home mx, i get the public IP over PPPoE connection

 

Dec 23 13:03:49 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. a9facc1aed498e23:41588bf9c5010c8e
Dec 23 13:02:59 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 4b91c4ff5ee2ab8c:0ec81cd8388673d4
Dec 23 13:02:04 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed due to time up. 54e925e7dae2611b:3f1973c0fb40bdb8
Dec 23 13:00:55 Non-Meraki / Client VPN negotiationmsg: phase1 negotiation failed.
Dec 23 13:00:55 Non-Meraki / Client VPN negotiationmsg: failed to pre-process ph1 packet (side: 1, status 1).
Dec 23 13:00:55 Non-Meraki / Client VPN negotiationmsg: failed to get valid proposal.
Dec 23 13:00:55 Non-Meraki / Client VPN negotiationmsg: no suitable proposal found.
BrechtSchamp
Kind of a big deal

You say that nothing has changed but thats not true. You changed ISPs 😉. That means you changed IP addresses on the home end. Did you change the specified public IP in the tunnel configuration on the office end (do you even have a static IP address in the home network)?

 

This is what the docs say about this situation:


Event Log: "phase1 negotiation failed due to time up"

Error Description: VPN peer-bound traffic was generated towards a non-Meraki VPN peer for which we did not already have an established tunnel. In attempting to begin the phase 1 negotiation to establish the tunnel, we did not receive a response back from the remote side.

Error Solution: Use some simple tests (ping, for example) to check for packet loss between the two sites. Take a packet capture to verify that ISAKMP traffic is being sent by the local peer. If the ISAKMP traffic is received and the remote side is not replying, verify that the remote side is configured to establish a tunnel with the local peer.

 


  • Have you tried a packet capture on both ends to see what comes in on both ends?
  • Is the office MX behind a firewall?
  • The new home provider could be blocking UDP 500 & 4500 connections.
route_map
Building a reputation

I meant nothing has changed on the office side only change is at home. and i have updated the public ip of the home network on the office MX

 

  • Have you tried a packet capture on both ends to see what comes in on both ends? no, i will try this and see
  • Is the office MX behind a firewall? no, as mentioned before nothing has changed this side
  • The new home provider could be blocking UDP 500 & 4500 connections. they just came back to me they are not blocking any ports
PhilipDAth
Kind of a big deal
Kind of a big deal

The logs are indicating that there is no connectivity between the two MX.

 

Are you able to ping the office public IP from home?

route_map
Building a reputation

i go to tools on both MX’s I ping the public IP just fine on both side 

SoCalRacer
Kind of a big deal

So the exact configuration worked at home, before the ISP swap?

 

To confirm MX65 and 64 are currently in different Orgs?

 

Might look this over

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

route_map
Building a reputation

So the exact configuration worked at home, before the ISP swap? Yes

 

To confirm MX65 and 64 are currently in different Orgs? yes

 

i have looked at the troubleshooting docs and nothing there 😞

PhilipDAth
Kind of a big deal
Kind of a big deal

Both sides are indicating they are not getting traffic from the other.

Lets put aside the most common scenario - the traffic is being filtered.

 

Another cause of this is when the PSK does not match.  I know you said you didn't make any changes in this area, but perhaps wen you were updating the peer IP address the web browser auto-completed the PSK field and changed it.

Can you double check the PSK matches on both ends please.

 

Also can you double check the peer IP addresses.  Perhaps you are wanting to see it be a certain value and that is that you are reading but the actual configured IP is slightly different.

EugeneL
Conversationalist

One of the logs seems to indicate no proposals. Check your crypto settings as well, not just PSK as was suggested by other members here.

route_map
Building a reputation

Crypto settings are identical on both sides 

route_map
Building a reputation

just an update, I havent changed anything since we last conversated.
The s2s vpn established randomly for a few hours and then drops again, I have no clue what is happening at the moment
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels