Non Meraki VPN Peer (Closing Child_SA)

endrianusgohan
Getting noticed

Non Meraki VPN Peer (Closing Child_SA)

Hi, 

 

I've non meraki vpn peers connected to branch non meraki device VPN. 

 

Sometimes I can't ping remote IP. When I checked the logs it said : 

msg: <remote-peer-2|190> closing CHILD_SA net-2-1{1973} with SPIs ccf831e8(inbound) (312 bytes) 49631dcf(outbound) (0 bytes) and TS ip_local === ip_remote

 

ip_local = my corporate ip subnet, eg. 10.10.2.0/23

ip_remote = my branch subnet, e.g. 10.10.16.0/20

 

As the result, I can't ping to any ip subnet under 10.10.16.0/20. 

 

What happened ? Is this because my router is behind the NAT or it had to do with the internet connection ?

7 REPLIES 7
PhilipDAth
Kind of a big deal
Kind of a big deal

"closing CHILD_SA" means the VPN is being terminated.  You would need to look above that for a possible reason.

Miguel_Elizarra
Conversationalist

Hello.
I have the same problem. check the logs and the following is displayed:

 

2 de mayo 22:59:51 Negociación VPN no Meraki/clientemsg: <remote-peer-2|224> cerrando CHILD_SA net-2-2{766} con SPI cca577a3 (entrante) (0 bytes) f114c4b8 (saliente) (0 bytes) y TS 10.1.44.0/24 === 10.99 .24.0/25
2 de mayo 22:58:23 Negociación VPN no Meraki/clientemsg: <remote-peer-2|224> cerrando CHILD_SA net-2-3{765} con SPI c7cfc2c2(entrante) (709463 bytes) f114c3ff(saliente) (648993 bytes) y TS 10.3.44.0/24 === 10.99 .24.0/25

 

There are 2 WANs. when it goes down I have to turn VPN mode off and on.
I need to know how to solve this problem.

The firewall at the other end is a Fortinet.

Greetings.

JBelinha
Conversationalist

Hello,

 

Did anyone know why this is happening? I'm also having the same problem.

 

Greetings.

 

Miguel_Elizarra
Conversationalist

Hi JBelinha.

the problem was that the segments that we were passing through the VPN tunnel were not the same.
here the detail is that on both sides there have to be exactly the same segments that are allowed to pass.
For example, if on one side of the tunnel you are passing segments 10.0.0.0/24, 172.16.0.0/24 and 192.168.10.0/24 on the other side, the same segments must be configured.
The failure originates from the segments of both sites not coinciding in the renegotiation process.
Sorry for the redundancy but that was the solution.
check the segments of both firewalls.
I hope this solution helps you.
Greetings.

Hi

 

I have this same problem. If you mean subnets when you say segments, they are matching on both sides. Do you have any other insight on what can fix it?

Esh
Conversationalist

For anyone else that might have the same issue and has stumbled across this thread, the solution that worked for me is:

 

On the remote Fortigate side, change NAT Traversal to Forced. I previously had it on enabled. After changing it to forced, my tunnel stabilised and didnt go down.

MerakiQ
Comes here often

Hi All,

 

I apologize for reactivating this post. But I´m a new Meraki Administrator and have a question about the VPN communication. I have seen in der Event-Logs a messeage from one of our Non-Meraki VPN peers which comes at regular intervals (Hours).

 

<remote-peer|90177> outbound CHILD_SA net-2{348983} established with SPIs c0c924d5(inbound) 2114628e(outbound) and TS 192.x.x.x/26 === 10.x.x.x/26

<remote-peer|901077> closing CHILD_SA net-2{299459} with SPIs cfd96095(inbound) (69974830 bytes) 3fb36fd2(outbound) (19044256 bytes) and TS TS 192.x.x.x/26 === 10.x.x.x/26

<remote-peer|90177> inbound CHILD_SA net-2{348983} established with SPIs c0c924d5(inbound) 2114628e(outbound) and TS TS 192.x.x.x/26 === 10.x.x.x/26

Is it correct that the connection is automatically re-established every hour?
Closing seams to me, the session is damaged?

Greetings.

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels