Hi Guys,
We run a private cloud where our core networking is Juniper-based. A lot of our clients have Meraki devices as their routers within their offices. We run IPsec VPN tunnels to deliver printers to their virtual desktops.
A few months ago all of our Meraki end points started to stop passing traffic over the tunnel at random times.
They sometimes work for days and then fall over. We currently have our service desk monitoring the printers across the VPN and when ping fails, we manually clear the tunnel on the Juniper and everything starts working straight away.
I've tried calling support from Juniper and Meraki and I'm getting nowhere. Juniper have at least tried to help debug but they're not getting much information and mentioned DPD, of which there is nothing you can change on the Meraki.
I was seeing some NAT payload errors so I tried to disable NAT-T on the Juniper even though this VPN is not NATed. I have tried disabling anti-replay protection on the Juniper as someone mentioned that in the forums.
I thought I made some progress after these changes but it went down again after about 5 days.
The Meraki logged this in the event log around that time.
Oct 11 04:30:08
Non-Meraki / Client VPN negotiation
msg: packet shorter than isakmp header size (0, 84, 28)
Oct 11 04:28:27
Non-Meraki / Client VPN negotiation
msg: packet shorter than isakmp header size (0, 0, 28)
msg: the length in the isakmp header is too big.
Whenever I speak with Meraki support they say there is a mismatch in Phase 1 but that's not the case.
Is there a beta firmware we could try or escalate to somebody more helpful than we've had so far?
Thanks,
Matt
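As an added example (not from this thread, and not Meraki's or Juniper's code), a small Python parser for the event-log shape quoted above: it groups the entries, pulls out the "packet shorter than isakmp header size" errors, and flags when several land close together, a cue for the service desk to run its ping check instead of waiting for a user report. The sample log is constructed in that shape; the five-minute window and two-error threshold are assumptions, and the three numbers are reported as-is (28 is the fixed ISAKMP header size per RFC 2408).

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the shape of the Meraki event-log excerpt above:
# a timestamp line, an event-type line, then one or more "msg:" lines per event.
SAMPLE_LOG = """\
Oct 11 04:30:08
Non-Meraki / Client VPN negotiation
msg: packet shorter than isakmp header size (0, 84, 28)
Oct 11 04:28:27
Non-Meraki / Client VPN negotiation
msg: packet shorter than isakmp header size (0, 0, 28)
msg: the length in the isakmp header is too big.
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}$")
# The three numbers are kept as reported; 28 is the fixed ISAKMP header size (RFC 2408).
ISAKMP_RE = re.compile(r"packet shorter than isakmp header size \((\d+), (\d+), (\d+)\)")

def parse_events(text):
    """Group the flat log lines into events ({'time', 'type', 'msgs'}), oldest first."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if TS_RE.match(line):
            # The log carries no year; strptime defaults to 1900, fine for differences.
            events.append({"time": datetime.strptime(line, "%b %d %H:%M:%S"),
                           "type": None, "msgs": []})
        elif not events:
            continue  # stray line before the first timestamp
        elif line.startswith("msg:"):
            events[-1]["msgs"].append(line[4:].strip())
        else:
            events[-1]["type"] = line
    return sorted(events, key=lambda e: e["time"])

def isakmp_length_errors(events):
    """Return [(time, (a, b, c))] for every ISAKMP header-length error message."""
    hits = []
    for ev in events:
        for m in filter(None, map(ISAKMP_RE.search, ev["msgs"])):
            hits.append((ev["time"], tuple(int(x) for x in m.groups())))
    return hits

def should_check_tunnel(events, window=timedelta(minutes=5), threshold=2):
    """True when `threshold` ISAKMP errors fall inside one `window` (assumed cue for the ping check)."""
    times = [t for t, _ in isakmp_length_errors(events)]
    return any(sum(1 for t in times[i:] if t - start <= window) >= threshold
               for i, start in enumerate(times))
```

Feeding the real export of the MX event log to `parse_events` and polling `should_check_tunnel` gives the service desk an earlier trigger than a failed printer ping.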
Hey Matt,
This looks like one of those tricky VPN ones.
Not sure what you mean with the VPN is not NATed (if you have a network diagram of the devices involved with mock IP addresses it would be awesome), but it may be sensible to disable NAT-T on both ends of the tunnel (i.e. on the Meraki MX as well).
Just to confirm, does the tunnel drop completely or does it stay up and drop traffic?
If it is the latter, you could try release 15.X, but you'll need to ask the support engineer working on your case to set this for you.
Alternatively, you could try to get both us and Juniper on the same call, so we can try and debug what's going wrong.
Thanks!
Giacomo
Hi Giacomo,
Thanks for your reply.
Can support disable NAT-T for us on the Meraki, as it's currently set to automatic but disabled on the Juniper?
The tunnel stays up and drops all traffic. We can bring it back up straight away by clearing the tunnel on the Juniper.
These VPNs were completely stable for nearly two years. I've got a feeling that it's got something to do with anti-replay.
Does the 15.X firmware address this?
Thanks,
Matt
I have been struggling with a similar case for 1 year, Meraki Support doesn't even respond anymore 🙂
Running Cisco ASA 9.1 and 9.4 without success, MX failing from 12.x, running latest 14.30 now as suggested by them with the same result. Configs on both sides were checked by an ASA and Meraki Engineer, all good but it keeps randomly failing; only solution is resetting the tunnel manually from the ASA, running a script now to solve that...
Good luck!
Try the newest 15 series beta, it seems to nearly resolve this. I say nearly as the stop-passing-traffic problem still happens, but instead of days or hours, it's now weeks or months. The 15 series, if you read the changelog, is a complete redo of third-party VPN technology.
In the 15 series of firmware, I guess there is IKE2 support, but it needs to be enabled from the backend by Meraki support at this time. We have not tried this yet, but I feel it may permanently solve it.