Non-Meraki VPN to Cisco ASA, seems like can only have one Child SA

commsrbrad
Comes here often

We have configured a VPN tunnel from a Meraki MX67 to a Cisco ASA. Normally when we have IPsec tunnels to our ASAs we have multiple Child SAs from our Cisco routers, but when we swapped over to the MX67 it seems like we can have only one active Child SA.

Is this correct? If not, how can I configure it?

BrechtSchamp
Kind of a big deal

It should be creating separate phase 2 entries per subnet.


"Note that two phase 2 events are shown, this is because a separate SA is used for each subnet configured to traverse the VPN."


Source:

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Networking_Fundam...

That is not the problem.

The problem is we have 2 VLANs (subnets) that need to communicate across the VPN,

192.168.100.0/24 and 10.37.0.0/16, but only one will form an IPsec tunnel at a time.

By default it seems that 192.168.100.0/24 is active; the only way to get 10.37.0.0/16 active is to disable 192.168.100.0/24 on the VPN, then 10.37.0.0/16 will become active.

Maybe I'm not understanding the question correctly.


The tunnel to your ASA should have a single IKE phase (phase 1), and two IPsec phases (phase 2) if you specified the two subnets. Something like this:

[image omitted]

If the ASA is configured correctly, then the two phase 2 SAs should both get established simultaneously.

Agree, that is what should happen, but it is not; we only get one Child SA.

I am new to Meraki; is there anything like a debug I can use to see what is happening?

Could you share your ASA config? I'm not an expert myself, but someone else will definitely be able to help.

We have a case open with Meraki support; we will see what happens.

Did they ever get this figured out? I'm having the same issue. The tunnel worked on IKEv1; switched to IKEv2 and now only 1 SA will come up.

No, never did; had to leave it running on IKEv1.

This was the Meraki TAC response:

The reason the other subnet tunnels are not established is because of the way Child SA negotiation is configured in the MX. Meraki uses the Traffic Selector Narrowing implementation in IKEv2, as defined under RFC 7296 Section 2.9. Because of this the MX will not re-negotiate the SA if the peer sends a proposal with an additional traffic selector that would fall under that existing SA, and this is expected behaviour.

Figured out a workaround: had to have the vendor make a new ACL/peer for each additional subnet. After doing that, we brought up 4 SAs. I've seen this with other vendors, issues with proxy-IDs, but never seen it on a Meraki before.
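The narrowing behaviour the TAC response describes, and the per-subnet ACL workaround from the post above, modelled as a small added Python simulation. This is illustrative code written for this thread, not Meraki or Cisco code, and it simplifies IKEv2 to CIDR-block selectors seen from the responder (MX) side; the ASA-side subnet 172.16.0.0/24 is a constructed placeholder, while the two MX-side subnets are the ones from the thread. The model applies the RFC 7296 section 2.9 rule that a responder may narrow the initiator's proposed selectors to a subset, and the stated MX rule that a proposal whose first usable selector is already covered by an existing Child SA does not produce a new one.

```python
"""Toy model of IKEv2 traffic selector narrowing (RFC 7296 section 2.9).

Added illustration only; not Meraki, Cisco, or RFC reference code.
Selectors are modelled as CIDR blocks (real TSi/TSr payloads carry address
ranges, ports and protocol too). 172.16.0.0/24 is a constructed placeholder
for the ASA-side subnet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """One TSi/TSr pair as the responder (MX) sees it: MX-side <-> peer-side."""
    mx_side: Net
    peer_side: Net


def intersect(a: Net, b: Net) -> Optional[Net]:
    """Overlap of two CIDR blocks, or None. CIDR blocks either nest or are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(proposed: Selector, allowed: Selector) -> Optional[Selector]:
    """Narrow a proposed selector pair to the part local policy permits."""
    mx = intersect(proposed.mx_side, allowed.mx_side)
    peer = intersect(proposed.peer_side, allowed.peer_side)
    if mx is None or peer is None:
        return None
    return Selector(mx, peer)


def covers(sa: Selector, ts: Selector) -> bool:
    """True if an installed Child SA already protects traffic matching ts."""
    return ts.mx_side.subnet_of(sa.mx_side) and ts.peer_side.subnet_of(sa.peer_side)


class NarrowingResponder:
    """Responder that answers each CREATE_CHILD_SA with a single narrowed pair."""

    def __init__(self, policy: List[Selector]):
        self.policy = list(policy)
        self.child_sas: List[Selector] = []

    def create_child_sa(self, proposal: List[Selector]) -> Tuple[Optional[Selector], bool]:
        """Returns (selector, created). Narrows to the first proposed pair that
        matches local policy; if an existing Child SA already covers that pair,
        the existing SA is returned and nothing new is negotiated (the behaviour
        the thread describes). Later pairs in the same proposal are never reached."""
        for ts in proposal:
            for allowed in self.policy:
                narrowed = narrow(ts, allowed)
                if narrowed is None:
                    continue
                for sa in self.child_sas:
                    if covers(sa, narrowed):
                        return sa, False
                self.child_sas.append(narrowed)
                return narrowed, True
        return None, False  # a real responder would answer TS_UNACCEPTABLE


REMOTE = Net("172.16.0.0/24")  # constructed placeholder for the ASA-side subnet
MX_POLICY = [
    Selector(Net("192.168.100.0/24"), REMOTE),
    Selector(Net("10.37.0.0/16"), REMOTE),
]


def single_acl_scenario() -> List[str]:
    """One ASA crypto ACL covering both subnets: every CREATE_CHILD_SA carries both
    pairs, so the second subnet's traffic re-sends a proposal whose first pair is
    already covered and no second Child SA appears."""
    mx = NarrowingResponder(MX_POLICY)
    both = [Selector(Net("192.168.100.0/24"), REMOTE),
            Selector(Net("10.37.0.0/16"), REMOTE)]
    mx.create_child_sa(both)  # triggered by 192.168.100.0/24 traffic
    mx.create_child_sa(both)  # triggered by 10.37.0.0/16 traffic, same proposal
    return [str(sa.mx_side) for sa in mx.child_sas]


def per_subnet_acl_scenario() -> List[str]:
    """The workaround: one ACL/peer entry per subnet, so each CREATE_CHILD_SA
    proposes a single pair and each subnet gets its own Child SA."""
    mx = NarrowingResponder(MX_POLICY)
    mx.create_child_sa([Selector(Net("192.168.100.0/24"), REMOTE)])
    mx.create_child_sa([Selector(Net("10.37.0.0/16"), REMOTE)])
    return [str(sa.mx_side) for sa in mx.child_sas]


if __name__ == "__main__":
    print("single ACL  :", single_acl_scenario())
    print("per-subnet  :", per_subnet_acl_scenario())
```

Running it shows one installed Child SA for the single-ACL case and two for the per-subnet case, which is the difference the thread reports between the original ASA configuration and the workaround. The model is deliberately minimal: it does not represent rekeying, TS_UNACCEPTABLE handling, or what the ASA does with its own crypto-map state, only the responder-side narrowing decision.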

Hi Fishtaco02,

Can you please tell/show me how to configure the new ACL/peer for each additional subnet on the Meraki MX100? I am having the same issue; my ASA only sees 1 Child SA.

Thanks,

C
