Site-to-Site IPsec VPN issue with Primary/Secondary tunnels – traffic selectors changing to 0.0.0.0/

JinSoo_Park

Hello,

I’m experiencing an issue with Site-to-Site IPsec VPN (Non-Meraki VPN) using Primary and Secondary tunnels.

Environment

  • Cisco Meraki MX95
  • IPsec VPN to AWS Transit Gateway
  • IKEv2
  • Static routing (no BGP)
  • Two IPsec peers configured:
    • Primary tunnel
    • Secondary tunnel
  • Both tunnels show green (up) in VPN Status

VPN Configuration

  • Local subnets (Meraki side):
    10.184.x.x (multiple internal subnets)
  • Remote subnets (AWS side):
    10.100.0.0/16, 10.130.0.0/16, 10.192.0.0/16
  • IPsec policy preset: AWS
  • Phase 1 / Phase 2 settings match AWS requirements
  • Health Check configured (tested with):
  • Health check source IP 192.0.2.3/32 is allowed and routed on the AWS side

Issue Description

  • When Primary and Secondary tunnels are both enabled with Health Check:
    • VPN Status shows both tunnels UP (green)
    • However, traffic does not pass
    • Event log shows Traffic Selectors changing from expected subnets to:
    • TS 0.0.0.0/0 === 0.0.0.0/0
    • At this point, communication over the tunnel completely fails
    • When only the primary IPsec tunnel is in use, the event log shows traffic selectors such as
      TS 10.184.x.x/x === 10.100.0.0/16, 10.130.0.0/16, 10.192.0.0/16,
      and communication works correctly without any issues.
  • If I remove the Health Check:
    • One tunnel becomes inactive (expected behavior)
    • The remaining tunnel works correctly
    • Traffic Selectors return to normal subnet-based values
    • VPN traffic works as expected

Additional Notes

  • Disabling “Failover directly to internet” does not resolve the issue
  • The problem occurs regardless of which endpoint is used for Health Check
  • AWS routing includes 192.0.2.3/32 pointing back to the VPN attachment
  • This issue only occurs when trying to keep both tunnels active simultaneously

Questions

  1. Is it expected behavior for Traffic Selectors to change to 0.0.0.0/0 when health checks fail?
  2. Are there known limitations or requirements for Health Checks with AWS TGW + Meraki IPsec?
  3. Is there a recommended Health Check endpoint when using AWS Transit Gateway?
  4. Are there any additional settings required to keep both Primary and Secondary tunnels active simultaneously without breaking traffic selectors?

Any guidance or similar experiences would be greatly appreciated.

Thank you!

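The symptom in the post is that the event log's "TS ... === ..." lines stop matching the configured subnets once both tunnels are up. The following is an added example, not code from the post, from Meraki or from AWS: a small Python checker that parses event-log lines of the shape the post quotes, compares the negotiated selectors against the configured local and remote subnets, flags a tunnel whose selectors widened to 0.0.0.0/0, and reports when two tunnels that are both up have overlapping selectors (so the same flow matches more than one SA). The log lines and the 10.184.x.x local subnets are constructed stand-ins; the three remote /16s are the ones given in the post.

```python
"""Compare logged IKEv2 traffic selectors against the configured VPN subnets."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed stand-ins for the post's 10.184.x.x local subnets (assumption).
CONFIGURED_LOCAL: List[Net] = [
    ipaddress.ip_network(s) for s in ("10.184.10.0/24", "10.184.20.0/24")
]
# Remote subnets exactly as listed in the post.
CONFIGURED_REMOTE: List[Net] = [
    ipaddress.ip_network(s)
    for s in ("10.100.0.0/16", "10.130.0.0/16", "10.192.0.0/16")
]

# Matches the "TS <local list> === <remote list>" shape quoted in the post.
TS_RE = re.compile(r"TS\s+(?P<local>.+?)\s*===\s*(?P<remote>.+?)\s*$")

# Constructed event-log excerpts in that shape (not real Meraki output).
SAMPLE_LOG: Dict[str, str] = {
    "primary": "TS 10.184.10.0/24 === 10.100.0.0/16, 10.130.0.0/16, 10.192.0.0/16",
    "secondary": "TS 0.0.0.0/0 === 0.0.0.0/0",
}


def _parse_list(text: str) -> List[Net]:
    """Split a comma-separated selector list into networks."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in text.split(",") if p.strip()]


def parse_ts_line(line: str) -> Optional[Tuple[List[Net], List[Net]]]:
    """Return (local, remote) selector lists from one log line, or None if absent."""
    m = TS_RE.search(line)
    if not m:
        return None
    return _parse_list(m.group("local")), _parse_list(m.group("remote"))


def covered_by_config(negotiated: List[Net], configured: List[Net]) -> bool:
    """True when every negotiated selector lies inside some configured subnet."""
    return all(any(n.subnet_of(c) for c in configured) for n in negotiated)


def check_tunnel(line: str) -> Dict[str, bool]:
    """Classify one tunnel's logged selectors relative to the configuration."""
    sel = parse_ts_line(line)
    if sel is None:
        raise ValueError(f"no traffic selector in line: {line!r}")
    local, remote = sel
    return {
        "local_widened": not covered_by_config(local, CONFIGURED_LOCAL),
        "remote_widened": not covered_by_config(remote, CONFIGURED_REMOTE),
        # 0.0.0.0/0 on both sides is the collapsed state described in the post.
        "any_any": all(n.prefixlen == 0 for n in local + remote),
    }


def tunnels_overlap(line_a: str, line_b: str) -> bool:
    """True when both tunnels' selectors match at least one common local->remote flow."""
    la, ra = parse_ts_line(line_a)
    lb, rb = parse_ts_line(line_b)
    local_ov = any(x.overlaps(y) for x in la for y in lb)
    remote_ov = any(x.overlaps(y) for x in ra for y in rb)
    return local_ov and remote_ov


def report(log: Dict[str, str] = SAMPLE_LOG) -> List[str]:
    """Human-readable findings for a set of tunnels that are all reported as up."""
    findings: List[str] = []
    for name, line in log.items():
        r = check_tunnel(line)
        if r["any_any"]:
            findings.append(f"{name}: selectors collapsed to 0.0.0.0/0 === 0.0.0.0/0")
        elif r["local_widened"] or r["remote_widened"]:
            findings.append(f"{name}: negotiated selectors wider than configured subnets")
    names = list(log)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if tunnels_overlap(log[a], log[b]):
                findings.append(f"{a}/{b}: overlapping selectors, both tunnels claim the same flows")
    return findings


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Run it against lines copied from the event log for each peer; a tunnel that shows up as widened or any-any, or a pair that overlaps while both are green, is the state to compare against the configured local and remote subnets before changing health-check settings.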