Non-Meraki VPN site-to-site

FedeC
Conversationalist

Hello everyone,

Has anyone come across, or does anyone know, what the following error message means?

Dec 16 16:30:37 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1).
Dec 16 16:30:37 Non-Meraki / Client VPN negotiation msg: failed to get sainfo.
Dec 16 16:30:35 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1).
Dec 16 16:30:35 Non-Meraki / Client VPN negotiation msg: failed to get sainfo.
Dec 16 16:30:22 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 37.186.250.***[4500]->194.79.57.***[4500] spi=314972556(0x12c6198c)
Dec 16 16:30:22 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 194.79.57.***[4500]->37.186.250.***[4500] spi=60809967(0x39fe2ef)


I am having a stability issue with a non-Meraki site-to-site VPN. The other peer is a Cisco ASA, and I have checked the VPN parameters to avoid any misconfiguration on ph1 and ph2.

I appreciate the community's help,

Federico

jdsilva
Kind of a big deal
DarrenOC
Kind of a big deal

You found your way back @jdsilva  😁

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
Rogue1
Comes here often

Rogue1_0-1641700962822.png

 

I'm not sure if this is related to what everyone here is looking for answers for, but this was the closest thread I could find. I'm receiving the error above in the snippet. I have been through almost all settings I can examine in the Meraki documentation. My Google-Fu isn't turning up much information on this. 

I can see that Meraki started fully deploying the FIPS requirement within the last year, and I have the forwarding rules set up with the latest BETA firmware running on both MX appliances (different organizations, but both Meraki MXs, and both currently running 17.3 BETA).

I cannot seem to locate any settings, so I'm wondering if this is somehow related to the site-to-site settings, where both IPSec policies are set to default. I have tried to manipulate these settings a few times, but have had no luck.

What I can tell you that leads me to my possible suspicion is that the other site I'm trying to connect to is behind a NAT'd router. It displays its public IP in appliance status, but it is behind a Verizon FIOS router/modem. The ONLY log information I can see is that the VPN does connect to the cloud as shown:

Rogue1_1-1641701363513.png

Rogue1_2-1641701440524.png

 

But that is about as far as I've gotten. 

 

Any input is greatly appreciated. 

Thank you! 

#MerakiRules
