Non Meraki VPN Peer (Closing Child_SA)

endrianusgohan
Getting noticed

Hi,

I have non-Meraki VPN peers connected to a branch non-Meraki device VPN.

Sometimes I can't ping the remote IP. When I checked the logs, it said:

msg: <remote-peer-2|190> closing CHILD_SA net-2-1{1973} with SPIs ccf831e8(inbound) (312 bytes) 49631dcf(outbound) (0 bytes) and TS ip_local === ip_remote

ip_local = my corporate IP subnet, e.g. 10.10.2.0/23

ip_remote = my branch subnet, e.g. 10.10.16.0/20

As a result, I can't ping any IP subnet under 10.10.16.0/20.

What happened? Is this because my router is behind NAT, or does it have to do with the internet connection?

2 REPLIES
PhilipDAth
Kind of a big deal

"closing CHILD_SA" means the VPN is being terminated. You would need to look above that for a possible reason.

Miguel_Elizarra
Conversationalist

Hello.
I have the same problem. I checked the logs and the following is displayed:

2 de mayo 22:59:51 Negociación VPN no Meraki/clientemsg: <remote-peer-2|224> cerrando CHILD_SA net-2-2{766} con SPI cca577a3 (entrante) (0 bytes) f114c4b8 (saliente) (0 bytes) y TS 10.1.44.0/24 === 10.99.24.0/25
2 de mayo 22:58:23 Negociación VPN no Meraki/clientemsg: <remote-peer-2|224> cerrando CHILD_SA net-2-3{765} con SPI c7cfc2c2(entrante) (709463 bytes) f114c3ff(saliente) (648993 bytes) y TS 10.3.44.0/24 === 10.99.24.0/25

There are 2 WANs. When it goes down, I have to turn VPN mode off and on.
I need to know how to solve this problem.

The firewall at the other end is a Fortinet.

Greetings.
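
Added example, not written by any poster in this thread and not Meraki code: a Python parser for the English-format "closing CHILD_SA" event text quoted in the first post, reporting per-SA byte counters and traffic selectors so that SAs closed with traffic in only one direction, or none, stand out when reading an exported event log. The regex group names and the one-way/idle labels are this example's own, and the sample lines are constructed from values quoted in the two posts.

```python
import re

# Field layout taken from the event text quoted in the thread. Group names are
# this example's own labels (assumptions), not Meraki field names.
CLOSE_RE = re.compile(
    r"<(?P<peer>[^|>]+)\|(?P<conn_id>\d+)>\s+closing CHILD_SA\s+"
    r"(?P<name>\S+)\{(?P<sa_id>\d+)\}\s+with SPIs\s+"
    r"(?P<spi_in>[0-9a-f]{8})\s*\(inbound\)\s+\((?P<bytes_in>\d+) bytes\)\s+"
    r"(?P<spi_out>[0-9a-f]{8})\s*\(outbound\)\s+\((?P<bytes_out>\d+) bytes\)\s+"
    r"and TS\s+(?P<ts_local>\S+)\s+===\s+(?P<ts_remote>\S+)"
)

def parse_close(line):
    """Return the fields of one 'closing CHILD_SA' event, or None if no match."""
    m = CLOSE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["bytes_in"] = int(ev["bytes_in"])
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev

def classify(ev):
    """Describe which directions carried traffic over the SA's lifetime."""
    if ev["bytes_in"] and ev["bytes_out"]:
        return "bidirectional"
    if ev["bytes_in"] or ev["bytes_out"]:
        return "one-way"   # counters moved in one direction only
    return "idle"          # SA closed without carrying any traffic

def summarize(lines):
    """One (peer, child_sa, selectors, traffic) tuple per matching line."""
    rows = []
    for line in lines:
        ev = parse_close(line)
        if ev:
            rows.append((ev["peer"], ev["name"],
                         f'{ev["ts_local"]} === {ev["ts_remote"]}', classify(ev)))
    return rows

# Constructed sample input: values from the two posts, written in the English
# format, with the first poster's example subnets filled in for the selectors.
SAMPLE = [
    "msg: <remote-peer-2|190> closing CHILD_SA net-2-1{1973} with SPIs ccf831e8(inbound) (312 bytes) 49631dcf(outbound) (0 bytes) and TS 10.10.2.0/23 === 10.10.16.0/20",
    "msg: <remote-peer-2|224> closing CHILD_SA net-2-2{766} with SPIs cca577a3(inbound) (0 bytes) f114c4b8(outbound) (0 bytes) and TS 10.1.44.0/24 === 10.99.24.0/25",
    "msg: <remote-peer-2|224> closing CHILD_SA net-2-3{765} with SPIs c7cfc2c2(inbound) (709463 bytes) f114c3ff(outbound) (648993 bytes) and TS 10.3.44.0/24 === 10.99.24.0/25",
    "msg: unrelated event line",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row, sep="  ")
```

The labels only describe the counters in the close event; the cause of the close still has to be read from the log entries that precede it.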
