Non-Meraki VPN to Cisco ASA, seems like can only have one Child SA

commsrbrad
Comes here often


We have configured a VPN tunnel from a Meraki MX67 to a Cisco ASA. Normally when we have IPsec tunnels to our ASAs we have multiple Child SAs from our Cisco routers, but when we swapped over to the MX67 it seems like we can have only one active Child SA.

Is this correct? If not, how can I configure it?

BrechtSchamp
Kind of a big deal

It should be creating separate phase 2 entries per subnet.


"Note that two phase 2 events are shown, this is because a separate SA is used for each subnet configured to traverse the VPN."


Source:

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Networking_Fundam...

commsrbrad
Comes here often

That is not the problem.

The problem is we have 2 VLANs (subnets) that need to communicate across the VPN,

192.168.100.0/24 and 10.37.0.0/16, but only one will form an IPsec tunnel at a time.

By default it seems that 192.168.100.0/24 is active; the only way to get 10.37.0.0/16 active is to disable 192.168.100.0/24 on the VPN, then 10.37.0.0/16 will become active.

BrechtSchamp
Kind of a big deal

Maybe I'm not understanding the question correctly.


The tunnel to your ASA should have a single IKE phase (phase 1), and two IPsec phases (phase 2) if you specified the two subnets. Something like this:


If the ASA is configured correctly, then the two phase 2 SAs should both get established simultaneously.

commsrbrad
Comes here often

Agree, that is what should happen, but it is not; we only get one Child SA.

I am new to Meraki; is there anything like debug I can use to see what is happening?

BrechtSchamp
Kind of a big deal

Could you share your ASA config? I'm not an expert myself, but someone else will definitely be able to help.

commsrbrad
Comes here often

We have a case open with Meraki support, we will see what happens.

fishtaco02
Just browsing

Did they ever get this figured out? I'm having the same issue. Tunnel worked on IKEv1; switched to IKEv2 and now only 1 SA will come up.

commsrbrad
Comes here often

No, never did, had to leave it running on IKEv1.

This was Meraki TAC's response:

The reason the other subnet tunnels are not established is because of the way Child SA negotiation is configured in MX. Meraki uses a Traffic Selector Narrowing implementation in IKEv2, as defined under RFC 7296 Section 2.9. Because of this the MX will not re-negotiate the SA if the peer sends a proposal with an additional traffic selector that would fall under that existing SA, and this is expected behaviour.

fishtaco02
Just browsing

Figured out a workaround: had to make the vendor make a new ACL/peer for each additional subnet. After doing that, we brought up 4 SAs. I've seen this with other vendors, issues with proxy-IDs, but never seen it on a Meraki before.
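As an added illustration of the TAC explanation (traffic selector narrowing per RFC 7296 Section 2.9) and of fishtaco02's per-subnet ACL/peer workaround, here is a simplified Python model of a narrowing responder; it is not Meraki or Cisco code and was not posted by anyone in this thread. The ASA-side subnet 172.16.0.0/24 and the policy table are constructed assumptions, and the model only captures the selection behaviour the thread describes, not the real MX implementation.

```python
"""Simplified model of IKEv2 Child SA traffic selector narrowing (RFC 7296 s2.9).

Constructed example: a narrowing responder answers one CREATE_CHILD_SA proposal
with ONE (TSi, TSr) pair, so a proposal carrying several selectors yields a
single Child SA, while one proposal per subnet yields one Child SA per subnet.
"""
from ipaddress import ip_network

# Responder (MX) policy: one (local MX subnet, remote peer subnet) pair per subnet.
# 172.16.0.0/24 is an assumed ASA-side LAN, not taken from the thread.
MX_POLICY = [
    (ip_network("192.168.100.0/24"), ip_network("172.16.0.0/24")),
    (ip_network("10.37.0.0/16"), ip_network("172.16.0.0/24")),
]


def _overlap(a, b):
    """Return the more specific of two nested networks, or None if they do not nest."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow(policy, ts_i, ts_r):
    """Responder narrowing: return the first policy pair that the proposal matches.

    ts_i are the initiator-side (ASA) selectors, ts_r the responder-side (MX) ones.
    Only one narrowed (TSi, TSr) pair is returned, regardless of how many
    selectors were proposed; None models a TS_UNACCEPTABLE reply.
    """
    for local, remote in policy:
        for r in ts_r:
            nr = _overlap(local, r)
            if nr is None:
                continue
            for i in ts_i:
                ni = _overlap(remote, i)
                if ni is not None:
                    return (ni, nr)
    return None


def negotiate(policy, proposals):
    """Run a sequence of CREATE_CHILD_SA proposals and return the Child SAs created.

    A result that already falls inside an established SA is not renegotiated
    (the behaviour the TAC reply describes), so it adds no SA.
    """
    child_sas = []
    for ts_i, ts_r in proposals:
        sel = narrow(policy, ts_i, ts_r)
        if sel is None or any(sel[0].subnet_of(i) and sel[1].subnet_of(r) for i, r in child_sas):
            continue
        child_sas.append(sel)
    return child_sas


ASA_LAN = [ip_network("172.16.0.0/24")]
# One crypto-map ACL with two ACEs: both MX subnets in a single proposal -> 1 SA.
SINGLE_PROPOSAL = [(ASA_LAN, [ip_network("192.168.100.0/24"), ip_network("10.37.0.0/16")])]
# Workaround: a separate ACL/peer per subnet -> one proposal per subnet -> 2 SAs.
PER_SUBNET = [(ASA_LAN, [ip_network("192.168.100.0/24")]), (ASA_LAN, [ip_network("10.37.0.0/16")])]
```

Running `negotiate(MX_POLICY, SINGLE_PROPOSAL)` returns one SA for 192.168.100.0/24 only, while `negotiate(MX_POLICY, PER_SUBNET)` returns one SA per subnet.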

Confused
Just browsing

Hi Fishtaco02,

Can you please tell/show me how to configure the new ACL/peer for each additional subnet on the Meraki MX100? I am having the same issue; my ASA only sees 1 Child SA.

Thanks,

C
