S2S VPN to non-Meraki router broken after MX100 upgraded to v15.43

threeonesix
Here to help

Our MX100 firmware was upgraded to v15.43 this morning (auto upgrade, not manual). Ever since one of our remote workers with a Ubiquiti EdgeMAX router at home can no longer get the site-to-site VPN tunnel to work. It does not employ DES so that is not the issue. Here are the settings on the Meraki for the connection:

[screenshot: meraki.png]

And the Ubiquiti:

[screenshot: ubiquiti.png]

This VPN tunnel worked fine prior to the upgrade. So what did the upgrade break and how do I fix it? This remote worker also cannot get the Client VPN to work. If he uses his Verizon hotspot the Client VPN works. If he tries the Client VPN on his home wifi or wired network connections it fails.
I did open a support ticket but thought I might get a quicker response from the Community due to the issues Meraki is experiencing today.
Thank you.
Ryan_Miles
Meraki Employee

In 15.43 firmware the MX appliances will now strictly validate the remote ID parameter during VPN tunnel formation. Can you make sure this matches on both sides?

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_peers

Since that field was empty before, what should I enter there, the remote public IP address, the private IP address of the remote Ubiquiti, or ??

It'll depend on what the other end is/supports. I'd start with trying the public IP of the far end device. Or, if that device is behind a NAT it might want the private/real IP. It should be whatever the Ubiquiti considers its local ID.
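As an added illustration of what "matching on both sides" means for IKE identities (example code written for this thread, not Meraki's or Ubiquiti's, and not posted by anyone here): the Python below normalises the common ID forms (IPv4/IPv6 address, FQDN, user@FQDN) and applies a strict equality check, which is why an address-type ID of the public IP will not match if the far end is actually sending its private address or a hostname. The addresses are constructed documentation-range values; the fallback to the peer's source IP when the field is left empty is an assumption about typical IPsec implementations, not documented Meraki behaviour.

```python
"""Strict IKE identity matching, as an added example (not Meraki/Ubiquiti code)."""
import ipaddress


def classify_ike_id(value):
    """Infer which IKE identity type a configured string would be sent as.

    Returns 'ipv4', 'ipv6', 'user_fqdn' or 'fqdn'. Raises on an empty string,
    because an empty ID can never match anything under strict validation.
    """
    v = value.strip()
    if not v:
        raise ValueError("empty identity")
    try:
        ip = ipaddress.ip_address(v)
        return "ipv6" if ip.version == 6 else "ipv4"
    except ValueError:
        pass
    if "@" in v:
        return "user_fqdn"
    return "fqdn"


def normalize_ike_id(value):
    """Return (type, canonical text) so that equivalent spellings compare equal."""
    kind = classify_ike_id(value)
    v = value.strip()
    if kind in ("ipv4", "ipv6"):
        # ipaddress canonicalises, e.g. 2001:db8:0:0::1 -> 2001:db8::1
        return kind, str(ipaddress.ip_address(v))
    if kind == "user_fqdn":
        user, _, host = v.partition("@")
        return kind, f"{user}@{host.lower().rstrip('.')}"
    # FQDNs are case-insensitive and a trailing dot is not significant
    return kind, v.lower().rstrip(".")


def remote_id_matches(configured_remote_id, peer_asserted_id, peer_source_ip=None):
    """Strict check: the ID the peer asserts must equal the configured remote ID.

    If nothing is configured, fall back to the peer's source IP address. That
    fallback is an assumption (common in IPsec stacks), not Meraki-documented.
    """
    expected = configured_remote_id.strip() or (peer_source_ip or "")
    if not expected:
        return False
    return normalize_ike_id(expected) == normalize_ike_id(peer_asserted_id)


if __name__ == "__main__":
    # Constructed values: 203.0.113.10 plays the far-end public IP,
    # 192.168.1.1 the router's private LAN address.
    print(remote_id_matches("203.0.113.10", "203.0.113.10"))        # True
    print(remote_id_matches("203.0.113.10", "192.168.1.1"))         # False
    print(remote_id_matches("vpn.example.net", "VPN.EXAMPLE.NET."))  # True
```

The practical reading of the last two calls: if the far end is configured to send a hostname or its LAN address as its local ID, typing the public IP into the Meraki remote ID field cannot match, no matter how correct that IP is.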

It's not behind a NAT, it is the router connected to his cable modem. It literally IS the device creating the NAT. As I said, it is a Ubiquiti EdgeMAX router.
So how would one go about trying to find this mysterious "Remote ID"? We have never used anything in the Local ID or Remote ID fields for site-to-site VPN connections to non-Meraki devices.
Here is what I am seeing in the Event Log:
msg: IPsec-SA expired: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP[4500]->REMOTE_UBIQUITI_PUBLIC_IP[4500] spi=3329526648(0xc6748b78)

msg: IPsec-SA expired: ESP/Tunnel REMOTE_UBIQUITI_PUBLIC_IP[4500]->GLOBAL_HQ_PUBLIC_IP[4500] spi=52183207(0x31c40a7)
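The two event-log lines above are the kind of thing worth watching programmatically once a tunnel starts misbehaving after a firmware change. The Python below is an added example (not Meraki or Ubiquiti code, and not posted by anyone in this thread): it parses MX event-log lines in the format quoted above, checks that the decimal and hex SPI agree, and counts "IPsec-SA expired" events per remote peer so that a peer whose SAs keep expiring can be flagged. The local endpoint name and the extra sample lines beyond the two quoted ones are constructed, and the flagging threshold is an assumption.

```python
"""Count IPsec-SA expiries per remote peer from MX event-log lines (added example)."""
import re
from collections import Counter

# Placeholder from the thread for the MX's own WAN address (assumption: this is "us").
LOCAL_ENDPOINT = "GLOBAL_HQ_PUBLIC_IP"

# Constructed sample: the two lines quoted in the thread, then two more for the
# same peer with constructed SPIs, one for a constructed healthy peer, and one
# unrelated line the parser must skip.
SAMPLE_LOG = """\
msg: IPsec-SA expired: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP[4500]->REMOTE_UBIQUITI_PUBLIC_IP[4500] spi=3329526648(0xc6748b78)
msg: IPsec-SA expired: ESP/Tunnel REMOTE_UBIQUITI_PUBLIC_IP[4500]->GLOBAL_HQ_PUBLIC_IP[4500] spi=52183207(0x31c40a7)
msg: IPsec-SA expired: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP[4500]->REMOTE_UBIQUITI_PUBLIC_IP[4500] spi=305419896(0x12345678)
msg: IPsec-SA expired: ESP/Tunnel REMOTE_UBIQUITI_PUBLIC_IP[4500]->GLOBAL_HQ_PUBLIC_IP[4500] spi=2271560481(0x87654321)
msg: IPsec-SA expired: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP[500]->OTHER_BRANCH_PUBLIC_IP[500] spi=16909060(0x1020304)
msg: some unrelated event line that the parser must ignore
"""

SA_EXPIRED = re.compile(
    r"IPsec-SA expired: ESP/Tunnel "
    r"(?P<src>[^\[\s]+)\[(?P<sport>\d+)\]->"
    r"(?P<dst>[^\[\s]+)\[(?P<dport>\d+)\] "
    r"spi=(?P<spi_dec>\d+)\((?P<spi_hex>0x[0-9a-fA-F]+)\)"
)


def parse_sa_expiries(log_text):
    """Return one dict per 'IPsec-SA expired' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SA_EXPIRED.search(line)
        if not m:
            continue
        spi = int(m["spi_dec"])
        # The log prints the SPI twice; a mismatch means a mangled/forged line.
        if spi != int(m["spi_hex"], 16):
            raise ValueError(f"SPI decimal/hex mismatch in line: {line!r}")
        sport, dport = int(m["sport"]), int(m["dport"])
        events.append({
            "src": m["src"], "sport": sport,
            "dst": m["dst"], "dport": dport,
            "spi": spi,
            # UDP 4500 is the IANA port for UDP-encapsulated ESP (NAT traversal).
            "udp_encap": sport == 4500 and dport == 4500,
        })
    return events


def remote_peer(event, local=LOCAL_ENDPOINT):
    """Whichever endpoint of the SA is not us; None if neither side is local."""
    if event["src"] == local:
        return event["dst"]
    if event["dst"] == local:
        return event["src"]
    return None


def expiries_per_peer(events, local=LOCAL_ENDPOINT):
    peers = (remote_peer(e, local) for e in events)
    return Counter(p for p in peers if p)


def flag_unstable_peers(events, threshold=3, local=LOCAL_ENDPOINT):
    """Peers with at least `threshold` SA expiries in the window covered by the log."""
    counts = expiries_per_peer(events, local)
    return sorted(peer for peer, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_sa_expiries(SAMPLE_LOG)
    for peer, n in expiries_per_peer(evs).most_common():
        print(f"{peer}: {n} SA expiries")
    print("unstable:", flag_unstable_peers(evs))
```

On its own an SA expiry is normal (it is how re-keying shows up), so the useful signal is the count per peer relative to the other tunnels over the same period, not any single line.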

I'd start by entering the public IP of the Ubiquiti.

Did not work. Private IP of router did not work. Nothing I have tried works.

I'm going to go out on a limb and say your issue is probably due to the much greater Meraki Cloud Certificate issue that everyone else is going through today. The issue specifically affects VPN tunnels. I went on to the community to see if there were any updates and came across your post so I figured I'd weigh in.

Sounds like a support case will be needed here so they can take a deeper look at it.

Also, you can roll back to 15.42.1 if the S2S VPN was stable on that release. I would still of course recommend a support case to look into the issue on 15.43.

I don't know how to rollback the firmware. I've had a case open for 6 hours; no response yet.

Downgrading the firmware fixed the problem. I'll leave it as is and work with support once they respond to the request.

P4ck3ts
Here to help

Even Meraki peers got bricked by this update.
Got an MX100 as host with MX60s as spokes. Services on the other MX60s can't access servers hosted on the MX100.
Rolled back to previous. Fixed it like nothing happened.
