Meraki

Community

One Specific 3rd Party Tunnel Drops

Solved
Nash
Kind of a big deal
‎Jul 17 2019 12:50 PM
‎Jul 17 2019 12:50 PM

One Specific 3rd Party Tunnel Drops

Situation:

Third party site-to-site tunnel drops with no warning every few weeks. The local and remote ends spend a few hours timing out on p1 due to no valid IKEv1 proposals. 4-5 hours later, the problem tunnel is up again and works for several weeks.

 

The other tunnels on this firewall do not drop like this.

 

Devices:

Local end: MX60 running 14.39. Behavior occurred on 13.36 as well. (MyMeraki/aaa.aaa.aaa.aaa below)
Remote end: Some kind of Juniper SRX. (bbb.bbb.bbb.bbb below)

 

Settings:
Phase 1: 3DES - SHA1 - Lifetime 86400
Phase 2: 3DES - SHA1 - Lifetime 28800
IKEv1, main mode, no data-based lifetime.
Subnets match exactly
(I'd like to change to AES but this client can be difficult.)

 

When problem tunnel is down, Meraki MX logs show multiple errors. Most common errors:
1. phase1 negotiation failed due to time up.
2. Ignore the packet, received unexpecting payload type 130.
3. invalid flag 0x08 (Rarely. I suspect SRX is trying IKEv2 when IKEv1 fails.)

 

Juniper SRX is throwing this error as per its maintainer:

Jul 16 22:16:23 REDACTED kmd[2595]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: VPN-MyMeraki Gateway: VPN-MyMeraki, Local: bbb.bbb.bbb.bbb/500, Remote: aaa.aaa.aaa.aaa/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder

 

Question:

Anyone seen this before? Is there something I'm overlooking here? The tunnel re-establishes just fine for at least 2-2.5 weeks, and then it will cut out and throw errors for 4-5 hours. Meanwhile, all the other tunnels on my MX are fine.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
1 Accepted Solution
In response to Nash
Nash
Kind of a big deal
‎Jul 19 2019 8:26 AM
‎Jul 19 2019 8:26 AM

So... This was NAT-T. Had support disable NAT-T for this specific tunnel on my MX and the tunnel immediately came back up.

 

Adding p1 timeouts to my watch list for NAT-T-on-the-MX issues, alongside no proposal chosen.

Windows 10 Client VPN scripts: Makes life better!

View solution in original post

8 Replies 8
SoCalRacer
Kind of a big deal
‎Jul 17 2019 1:00 PM
‎Jul 17 2019 1:00 PM

Is this tunnel the only 3rd party tunnel you have on the MX. If not are there any hardware similarities at the remote locations with the one you have having issues?

 

Do you know what the quality is of the internet connection at the remote site? Do you know the ISP is not to blame?

 

 

In response to SoCalRacer
Nash
Kind of a big deal
‎Jul 17 2019 1:17 PM
‎Jul 17 2019 1:17 PM

There's multiple third party tunnels, including one where I control both ends. Those tunnels stay up when there's active traffic, as I would expect them to.

 

The other end is in an Expedient datacenter, on an Expedient SRX, so I'm assuming it's a good quality connection. Remote end claims they do not have this problem with other tunnels.

 

Forgot to say - I have tried bouncing the tunnel on my end to see if it'll force a re-negotiation and bring the tunnel back up, but it does not help.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 18 2019 1:39 AM
‎Jul 18 2019 1:39 AM

Is either end sitting behind NAT (so the public IP address is not directly on the security device)?

 

Note that the MX has particular poor 3DES throughput.  The AES throughput is good.

In response to PhilipDAth
Nash
Kind of a big deal
‎Jul 18 2019 6:10 AM
‎Jul 18 2019 6:10 AM

My end, no NAT. Their end, won't tell me. I'm stuck playing telephone.

 

3DES isn't my choice, but it is something I'm trying to eradicate from my clients' environments. This might give me an excuse to get my team to change our standard. (I'm working with "but 3des has always been fine.")

 

I'll see if client and I, and client's vendor's firewall vendor, can schedule a time to change to AES 192/256.

 

It sounds like we're both getting p1 timeouts, based off the latest response from vendor's firewall vendor. I'm starting to wonder if there's an intermediate hop that likes to go out for a bit, and something's not recovering quickly between us.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 18 2019 2:39 PM
‎Jul 18 2019 2:39 PM

>It sounds like we're both getting p1 timeouts

 

This is why I asked about NAT.  I wonder if their end is behind NAT.

 

 

Because UDP is connectionless some devices that do NAT don't really handle long lived NAT sessions (like VPNs) very well.

 

 

An extreme option - buy a Z3 and send it to them, and use AutoVPN.  Tell them to treat the Z3 as an ordinary "WAN Router".  They can plug it into a spare interface on their firewall, and then apply whatever firewall rules they like.

In response to PhilipDAth
Nash
Kind of a big deal
‎Jul 18 2019 2:58 PM
‎Jul 18 2019 2:58 PM

Thanks, @PhilipDAth! I've asked the remote end if they're NATting, just to be sure. Even if they are, it's probably not something that can be changed. The vendor rents a chunk of Expedient's cloud, and doesn't have control over the physical hardware at all.

 

Which is unfortunate, but at least I'll have something to tell my client when they ask why this tunnel goes splat.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
Nash
Kind of a big deal
‎Jul 19 2019 8:26 AM
‎Jul 19 2019 8:26 AM

So... This was NAT-T. Had support disable NAT-T for this specific tunnel on my MX and the tunnel immediately came back up.

 

Adding p1 timeouts to my watch list for NAT-T-on-the-MX issues, alongside no proposal chosen.

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 19 2019 5:01 PM
‎Jul 19 2019 5:01 PM

It's pretty bad that the remote end can't handle a NAT-T negotiation.  There really should be no reason to ever disable this option.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.