Our MX100 firmware was upgraded to v15.43 this morning (auto upgrade, not manual). Ever since, one of our remote workers with a Ubiquiti EdgeMAX router at home can no longer get the site-to-site VPN tunnel to work. It does not employ DES, so that is not the issue. Here are the settings on the Meraki for the connection:
And the Ubiquiti:
This VPN tunnel worked fine prior to the upgrade. So what did the upgrade break and how do I fix it? This remote worker also cannot get the Client VPN to work. If he uses his Verizon hotspot the Client VPN works. If he tries the Client VPN on his home wifi or wired network connections it fails.
I did open a support ticket but thought I might get a quicker response from the Community due to the issues Meraki is experiencing today.
Since that field was empty before, what should I enter there, the remote public IP address, the private IP address of the remote Ubiquiti, or ??
It'll depend on what the other end is/supports. I'd start with trying the public IP of the far-end device. Or, if that device is behind a NAT, it might want the private/real IP. It should be whatever the Ubiquiti considers its local ID.
It's not behind a NAT, it is the router connected to his cable modem. It literally IS the device creating the NAT. As I said, it is a Ubiquiti EdgeMAX router.
So how would one go about trying to find this mysterious "Remote ID"? We have never used anything in the Local ID or Remote ID fields for site-to-site VPN connections to non-Meraki devices.
Here is what I am seeing in the Event Log:
msg: IPsec-SA expired: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP->REMOTE_UBIQUITI_PUBLIC_IP spi=3329526648(0xc6748b78)
msg: IPsec-SA expired: ESP/Tunnel REMOTE_UBIQUITI_PUBLIC_IP->GLOBAL_HQ_PUBLIC_IP spi=52183207(0x31c40a7)
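The two log lines above are racoon-style IPsec-SA events. The following is an added example, not from the thread or from Meraki, that parses lines in that format, checks that the decimal and hex SPI agree, and flags any peer pair whose most recent event is an expiry with no later re-establishment (a tunnel that is not rekeying). The sample log is constructed; the "IPsec-SA established" lines and the BRANCH_B peer are assumed for illustration and do not appear in the original event log.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the MX event log above. The
# "established" lines and the BRANCH_B peer are assumed, not from the thread.
SAMPLE_LOG = """\
msg: IPsec-SA expired: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP->REMOTE_UBIQUITI_PUBLIC_IP spi=3329526648(0xc6748b78)
msg: IPsec-SA expired: ESP/Tunnel REMOTE_UBIQUITI_PUBLIC_IP->GLOBAL_HQ_PUBLIC_IP spi=52183207(0x31c40a7)
msg: IPsec-SA established: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP->BRANCH_B_PUBLIC_IP spi=123456789(0x75bcd15)
msg: IPsec-SA expired: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP->BRANCH_B_PUBLIC_IP spi=123456789(0x75bcd15)
msg: IPsec-SA established: ESP/Tunnel GLOBAL_HQ_PUBLIC_IP->BRANCH_B_PUBLIC_IP spi=987654321(0x3ade68b1)
"""

# One SA event per line: event type, direction (src->dst), SPI as decimal(hex)
SA_RE = re.compile(
    r"IPsec-SA (?P<event>expired|established): ESP/Tunnel "
    r"(?P<src>\S+)->(?P<dst>\S+) spi=(?P<dec>\d+)\((?P<hex>0x[0-9a-fA-F]+)\)"
)


def parse_sa_events(text):
    """Parse SA events; raise ValueError if the decimal and hex SPI disagree."""
    events = []
    for line in text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # not an SA event line
        dec, hx = int(m["dec"]), int(m["hex"], 16)
        if dec != hx:
            raise ValueError(f"SPI mismatch in line: {line}")
        events.append({"event": m["event"], "src": m["src"], "dst": m["dst"], "spi": dec})
    return events


def peer_key(src, dst):
    """Both directions of one tunnel map to the same unordered endpoint pair."""
    return tuple(sorted((src, dst)))


def sa_counts(events):
    """Per peer pair: how many SAs expired and how many were established."""
    counts = defaultdict(lambda: {"expired": 0, "established": 0})
    for e in events:
        counts[peer_key(e["src"], e["dst"])][e["event"]] += 1
    return dict(counts)


def tunnels_without_rekey(events):
    """Peer pairs whose last event is an expiry, i.e. no SA came back up after it."""
    last = {}
    for e in events:
        last[peer_key(e["src"], e["dst"])] = e["event"]
    return sorted(k for k, ev in last.items() if ev == "expired")
```

Running `tunnels_without_rekey(parse_sa_events(SAMPLE_LOG))` on the sample returns only the HQ/Ubiquiti pair, matching the symptom in the thread: both directions expired and nothing was re-established.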
I'm going to go out on a limb and say your issue is probably due to the much greater Meraki Cloud Certificate issue that everyone else is going through today. The issue specifically affects VPN tunnels. I went on to the community to see if there were any updates and came across your post, so I figured I'd weigh in.
Sounds like a support case will be needed here so they can take a deeper look at it.
Also, you can roll back to 15.42.1 if the S2S VPN was stable on that release. I would still, of course, recommend a support case to look into the issue on 15.43.
I don't know how to roll back the firmware. I've had a case open for 6 hours; no response yet.
It's very straightforward.
Downgrading the firmware fixed the problem. I'll leave it as is and work with support once they respond to the request.
Even Meraki peers got bricked by this update.
Got an MX100 as host with MX60s as spokes. Services on the other MX60s can't access servers hosted on the MX100.
Rolled back to previous. Fixed it like nothing happened.