Non-Meraki site-to-site VPN stops passing traffic

Zeara
Comes here often

Hi Guys, 

 

We run a private cloud where our core networking is Juniper based. A lot of our clients have Meraki devices as their routers within their offices. We run IPsec VPN tunnels to deliver printers to their virtual desktops.

 

A few months ago all of our Meraki end points started to stop passing traffic over the tunnel at random times. 

 

They sometimes work for days and then fall over. We currently have our service desk monitoring the printers across the VPN, and when ping fails we manually clear the tunnel on the Juniper and everything starts working straight away.

 

I've tried calling support from Juniper and Meraki and I'm getting nowhere. Juniper have at least tried to help debug, but they're not getting much information. They mentioned DPD, which is nothing we can change on the Meraki.

 

I was seeing some NAT payload errors, so I tried to disable NAT-T on the Juniper even though this VPN is not NATed. I have also tried disabling anti-replay protection on the Juniper, as someone mentioned that in the forums.

 

I thought I made some progress after these changes but it went down again after about 5 days. 

 

The Meraki logged this in the event log around that time:

 

Oct 11 04:30:08
Non-Meraki / Client VPN negotiation
msg: packet shorter than isakmp header size (0, 84, 28)

Oct 11 04:28:27
Non-Meraki / Client VPN negotiation
msg: packet shorter than isakmp header size (0, 0, 28)
msg: the length in the isakmp header is too big.

 

Whenever I speak with Meraki support they say there is a mismatch in Phase 1, but that's not the case.

 

Is there a beta firmware we could try or escalate to somebody more helpful than we've had so far?

 

Thanks,

 

Matt
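As an added example (not from anyone in this thread), a small Python triage for the two event-log messages quoted above: it pulls the malformed-ISAKMP events out of a log capture and flags a burst of them, which is the moment to check whether the tunnel is still passing traffic. It assumes the tuple in "packet shorter than isakmp header size (a, b, c)" is (bytes received, length declared in the header, minimum header size), the ordering the racoon IKE daemon uses for this wording; the sample log is constructed.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Meraki event-log entries quoted in the post above;
# the last line is a made-up unrelated entry to show that it is ignored.
SAMPLE_LOG = """\
Oct 11 04:28:27 Non-Meraki / Client VPN negotiation msg: packet shorter than isakmp header size (0, 0, 28)
Oct 11 04:28:27 Non-Meraki / Client VPN negotiation msg: the length in the isakmp header is too big.
Oct 11 04:30:08 Non-Meraki / Client VPN negotiation msg: packet shorter than isakmp header size (0, 84, 28)
Oct 11 04:35:00 Non-Meraki / Client VPN negotiation msg: some other negotiation message (constructed)
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) ")
SHORT_RE = re.compile(r"packet shorter than isakmp header size \((\d+), (\d+), (\d+)\)")

def classify_short(received, declared, minimum):
    """Explain the (received, declared, minimum) tuple (assumed ordering, see lead-in). The
    minimum, 28, is the fixed ISAKMP header size from RFC 2408: two 8-byte cookies, next
    payload, version, exchange type, flags, a 4-byte message ID and a 4-byte length."""
    if received == 0 and declared == 0:
        return "empty datagram: no readable IKE header"
    if received < minimum:
        return f"truncated: {received} of {minimum} header bytes read, header claims {declared}"
    return f"header declares {declared} bytes, below the {minimum}-byte minimum"

def parse_events(log):
    """Return (timestamp, kind, detail) for each malformed-ISAKMP event; other lines are skipped.
    The log carries no year, so only time deltas within one capture are meaningful."""
    events = []
    for line in log.splitlines():
        ts_m = TS_RE.match(line)
        if not ts_m:
            continue
        ts = datetime.strptime(ts_m.group(1), "%b %d %H:%M:%S")
        m = SHORT_RE.search(line)
        if m:
            r, d, n = (int(x) for x in m.groups())
            events.append((ts, "short_header", classify_short(r, d, n)))
        elif "the length in the isakmp header is too big" in line:
            events.append((ts, "length_too_big", "declared length exceeds what the IKE daemon accepts"))
    return events

def malformed_burst(events, window_s=300, threshold=2):
    """True if at least `threshold` malformed events fall inside any `window_s`-second window;
    such a burst coinciding with a failed printer ping is the cue to inspect the SA."""
    times = sorted(e[0] for e in events)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s) >= threshold:
            return True
    return False
```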

 

 

4 replies

GiacomoS
Meraki Employee

Hey Matt,

 

This looks like one of those tricky VPN ones.

 

Not sure what you mean by the VPN not being NATed (if you have a network diagram of the devices involved with mock IP addresses, it would be awesome), but it may be sensible to disable NAT-T on both ends of the tunnel (i.e. on the Meraki MX as well).

 

Just to confirm, does the tunnel drop completely or does it stay up and drop traffic?

 

If it is the latter, you could try release 15.X, but you'll need to ask the support engineer working on your case to set this for you.

 

Alternatively, you could try to get both us and Juniper on the same call, so we can try and debug what's going wrong.

 

Thanks!

 

Giacomo 

Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see!
Appreciate who helps and be respectful of every opinion and every solution offered.
Share the love, especially the Meraki one!
Zeara
Comes here often

Hi Giacomo,

 

Thanks for your reply. 

 

Can support disable NAT-T for us on the Meraki? It's currently set to automatic, but disabled on the Juniper.

 

The tunnel stays up and drops all traffic. We can bring it back up straight away by clearing the tunnel on the Juniper. 

 

These VPNs were completely stable for nearly two years. I've got a feeling that it's got something to do with anti-replay.

 

Does the 15.X firmware address this?

 

Thanks,

 

Matt

 

 

 

 

 

akan33
Building a reputation

I have been struggling with a similar case for 1 year, Meraki Support doesn't even respond anymore 🙂 

 

https://community.meraki.com/t5/Security-SD-WAN/VPN-stops-passing-traffic-between-Meraki-Security-Ap...

 

Running Cisco ASA 9.1 and 9.4 without success; the MX has been failing since 12.x and is running the latest 14.30 now, as suggested by them, with the same result. Configs on both sides were checked by an ASA and a Meraki engineer, all good, but it keeps randomly failing. The only solution is resetting the tunnel manually from the ASA; running a script now to solve that...

 

good luck!

Try the newest 15 series beta, it seems to nearly resolve this. I say nearly as the stop-passing-traffic problem still happens, but instead of days or hours, it's now weeks or months. The 15 series, if you read the changelog, is a complete redo of the third-party VPN technology.

 

In the 15 series of firmware, I guess there is IKEv2 support, but it needs to be enabled from the backend by Meraki support at this time. We have not tried this yet, but I feel it may permanently solve it.
