Non-Meraki VPN - IKEv2 issues (?)

RaphaelL
Kind of a big deal

Hi,

I would like to start off by stating that I'm a complete noob when it comes to VPN, IPsec, SA, IKEv2 and all that stuff.

We have a simple setup: one MX peering to a Palo Alto.

[Screenshot: RaphaelL_0-1724254869318.png]

Phase 1 works fine and Phase 2 works fine... most of the time.

As you can see (even if it's blurred) there are like 10 subnets configured.

When we establish the tunnel, ALL 10 subnets are working fine. After a couple of hours (something like 6-24 hours), some of the subnets stop working.

I can see the log on the MX that: msg: <remote-peer-2|13> closing CHILD_SA net-2{42} with SPIs cccdb01e(inbound) (54640 bytes) 9812d7e5(outbound) (144750 bytes) and TS XXXXXXXX/28 === XX.XX.15.0/24

However, whenever I try to bring the SA up by sending traffic to .15.0/24, it doesn't. Either I have to bring the whole tunnel down and up OR I can bring it up by sending traffic from the Palo Alto side.

I have confirmed that the timers of Phase 1 and 2 are matching on both sides (28800s and 3600s).

I'm running MX18.211.3 and I have a case open.

I have read multiple posts here and many of the documentation pages, but I couldn't find anything except: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NOTE_For_IKEv2

Any troubleshooting ideas?

Cheers,
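An added example that is not part of the original post or of any Meraki tooling: a small Python monitor that replays MX event-log text and flags traffic-selector pairs whose CHILD_SA was closed and never re-established, which is exactly the symptom described above (one subnet blackholed while the IKE SA and the other child SAs stay up). The "closing CHILD_SA" line format is taken from the post; the "established" line format, the `msg: <remote-peer-2|13>` prefix on every line and the sample addresses are constructed assumptions, so adjust the regexes to whatever the MX actually logs for an established CHILD_SA.

```python
import re
from collections import defaultdict

# Constructed sample log. The "closing CHILD_SA" wording matches the line quoted
# in the post; the "established" wording follows strongSwan's phrasing and is an
# assumption, not captured MX output. Addresses are documentation ranges.
SAMPLE_LOG = """\
msg: <remote-peer-2|13> CHILD_SA net-1{41} established with SPIs c0a80001_i c0a80002_o and TS 10.0.1.0/28 === 192.0.2.0/24
msg: <remote-peer-2|13> CHILD_SA net-2{42} established with SPIs cccdb01e_i 9812d7e5_o and TS 10.0.1.0/28 === 198.51.100.0/24
msg: <remote-peer-2|13> CHILD_SA net-1{43} established with SPIs c0a80003_i c0a80004_o and TS 10.0.1.0/28 === 192.0.2.0/24
msg: <remote-peer-2|13> closing CHILD_SA net-1{41} with SPIs c0a80001(inbound) (1000 bytes) c0a80002(outbound) (2000 bytes) and TS 10.0.1.0/28 === 192.0.2.0/24
msg: <remote-peer-2|13> closing CHILD_SA net-2{42} with SPIs cccdb01e(inbound) (54640 bytes) 9812d7e5(outbound) (144750 bytes) and TS 10.0.1.0/28 === 198.51.100.0/24
"""

# Assumed format of the "established" line (strongSwan style).
ESTABLISHED = re.compile(
    r"CHILD_SA (?P<name>[\w-]+)\{(?P<uid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)"
)
# Format of the "closing" line as quoted in the post.
CLOSING = re.compile(
    r"closing CHILD_SA (?P<name>[\w-]+)\{(?P<uid>\d+)\} with SPIs "
    r"(?P<spi_in>[0-9a-f]+)\(inbound\) \((?P<bytes_in>\d+) bytes\) "
    r"(?P<spi_out>[0-9a-f]+)\(outbound\) \((?P<bytes_out>\d+) bytes\) "
    r"and TS (?P<local>\S+) === (?P<remote>\S+)"
)


def track_child_sas(log_text):
    """Replay the log and return {(local_ts, remote_ts): set(active CHILD_SA uids)}.

    A normal rekey shows up as a new uid being established before the old one is
    closed, so the selector pair keeps at least one live SA. A pair that drops to
    zero has no CHILD_SA left: traffic for it is silently dropped until a new
    child SA is negotiated, which is the failure mode the post describes.
    """
    active = defaultdict(set)
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            active[(m["local"], m["remote"])].add(int(m["uid"]))
            continue
        m = CLOSING.search(line)
        if m:
            active[(m["local"], m["remote"])].discard(int(m["uid"]))
    return active


def dead_selectors(log_text):
    """Traffic-selector pairs that were seen in the log but have no CHILD_SA left."""
    active = track_child_sas(log_text)
    return sorted(ts for ts, uids in active.items() if not uids)


def closed_sa_volume(log_text):
    """Bytes carried per closed CHILD_SA, keyed by (name, uid), from the closing line.

    Useful to tell an idle-timeout close (near-zero bytes) from a close that hit a
    busy selector, which is what makes the outage user-visible.
    """
    volume = {}
    for line in log_text.splitlines():
        m = CLOSING.search(line)
        if m:
            volume[(m["name"], int(m["uid"]))] = (int(m["bytes_in"]), int(m["bytes_out"]))
    return volume


if __name__ == "__main__":
    for local, remote in dead_selectors(SAMPLE_LOG):
        print(f"ALERT: no CHILD_SA left for {local} === {remote}")
    for (name, uid), (b_in, b_out) in closed_sa_volume(SAMPLE_LOG).items():
        print(f"{name}{{{uid}}} closed after {b_in} bytes in / {b_out} bytes out")
```

Run it against a saved event-log export to get an alert as soon as a selector loses its last child SA, rather than discovering the dead subnet hours later; in the sample, net-1 rekeys cleanly (uid 43 replaces 41) while net-2 is closed with nothing replacing it.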

6 Replies

KarstenI
Kind of a big deal

The link you posted, and here with some more details:

https://documentation.meraki.com/MX/Site-to-site_VPN/IKEv1_and_IKEv2_for_non-Meraki_VPN_Peers_Compar...

The IKEv2 implementation of the MX is different from approx. 90% of the commercial firewalls out there. It's a shame that the MX team doesn't care. Or they care in a way that they hope customers move the peer to AutoVPN. Sadly, for me, some customers moved entirely away from the Meraki Fullstack because of MX limitations.

RaphaelL
Kind of a big deal

That's sad. I just hope that Support is going to tell me right away that this is not working instead of me wasting hours trying to troubleshoot it.

I didn't design that. Our Extranet is built with Palo Alto and I can't easily put in an MX hub. That would solve all my issues in an instant, but it's not possible at the moment.

AgungTP
Here to help

Hmm, I'm having the same issue here. I need to reset the tunnel from the other side (the initiator) to make it work; re-enabling the VPN tunnel or restarting the MX didn't help at all.

CJHarms
Here to help

We seem to have exactly the same problem. I also have a case open (12167713) but no fix/workaround so far.

We remove and re-add the network tag on the affected site-to-site VPN peer to get it going again for 24-48 hrs.

Well, I have decided to use IKEv1 instead of IKEv2. I have no choice currently; it's running stably so far (at least for the last 2 weeks).

We might also need to go back to IKEv1. In the new MX19.x firmware I can see a lot of bug fixes regarding third-party VPNs. I hope the fixes get backported to the MX18.x firmware so I can try whether a new 18.x firmware fixes the IKEv2 problems.
