Meraki

Community

Non-Meraki VPN - IKEv2 issues (?)

RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 21 2024 8:45 AM
‎Aug 21 2024 8:45 AM

Non-Meraki VPN - IKEv2 issues (?)

Hi ,

 

I would like to start off by stating that I'm a complete noob when it comes to VPN , IPSEC , SA , IKEv2 and all that stuff.

 

 

We have a simple setup. One MX peering to a Palo Alto. 

 

RaphaelL_0-1724254869318.png

 

Phase 1 works fine and Phase 2 works fine.... most of the time. 

 

As you can see ( even if it's blured ) there are like 10 subnets configured. 

 

When we establish the tunnel , ALL 10 subnets are working fine. After couple hours ( something like 6-24 hours ). Some of the subnets stop working. 

 

I can see the log on the MX that : msg: <remote-peer-2|13> closing CHILD_SA net-2{42} with SPIs cccdb01e(inbound) (54640 bytes) 9812d7e5(outbound) (144750 bytes) and TS XXXXXXXX/28 === XX.XX.15.0/24

 

However when ever I try to bring the SA up by sending traffic to .15.0/24 it doesn't. Either I have to bring to whole tunnel down and up OR I can bring it up by sending traffic from the Palo-Alto side. 

 

I have confirmed that the timers of Phase 1 and 2 are matching on both sides ( 28800s and 3600s )

 

I'm running MX18.211.3 and I have a case open.

 

I have read the multiple posts here and many of the documentation pages but I couldn't find anything except : https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NOTE_For_IKEv2

 

 

Any troubleshooting ideas ?

 


Cheers , 

Labels:
7 Replies 7
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 21 2024 10:09 AM
‎Aug 21 2024 10:09 AM

The Link you posted and here with some more details:

https://documentation.meraki.com/MX/Site-to-site_VPN/IKEv1_and_IKEv2_for_non-Meraki_VPN_Peers_Compar...

 

The IKEv2 implementation of the MX is different to approx. 90% of commercial firewalls out there.  It's a shame that the MX team doesn't care. Or they care in a way that they hope customers move the peer to AutoVPN. Sadly, for me, some customers moved entirely away from the Meraki Fullstack because of MX limitations.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
RaphaelL
Kind of a big deal
Kind of a big deal
‎Aug 21 2024 10:13 AM
‎Aug 21 2024 10:13 AM

That's sad. I just hope that Support is going to tell me right away that this is not working instead of me wasting hours trying to tshoot that. 

 

I didn't design that. Our Extranet is built with Palo Alto and I can't easily put a MX HUB. That would solve all my issues in an instant , but not possible atm.

0 Kudos
AgungTP
Here to help
‎Sep 23 2024 8:07 PM
‎Sep 23 2024 8:07 PM

hmm, I'm having the same issue here.. I need to reset the tunnel from the other side (the initiator) to make it works, re-enable the VPN tunnel or restart MX didn't help at all

0 Kudos
CJHarms
Here to help
‎Sep 30 2024 6:45 AM
‎Sep 30 2024 6:45 AM

We seem to have exactly the same Problem. I also have a Case open (12167713) but no Fix/Workaround so far.

 

We remove and re-add the Network Tag on the affected Site-to-Site VPN Peer to get it going again for 24-48hrs.

0 Kudos
In response to CJHarms
AgungTP
Here to help
‎Oct 14 2024 2:25 AM
‎Oct 14 2024 2:25 AM

well, I have decided to use IKEv1 instead of IKEv2, I have no choice currently, its running stable so far (at least for the last 2 weeks)

0 Kudos
In response to AgungTP
CJHarms
Here to help
‎Oct 14 2024 2:29 AM
‎Oct 14 2024 2:29 AM

We might also need to go back to IKEv1. In the new MX19.x Firmware i can see a lot of Bugfixes regarding Third Party VPNs - I hope the Fixes get backported to the MX18.x Firmware so I can try if a new 18.x Firmware fixes the IKEv2 Problems.

0 Kudos
wes808
New here
3 weeks ago
3 weeks ago

What utter garbage.  Years and Meraki still can't get this right.  And we don't even have an actual non-meraki peer on the other end of our tunnels anymore - it's all meraki!  Simply merakis from different orgs.  And still their ikev2 implementation is trash that dies constantly.  Pretty pathetic.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.