Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Site to Site VPN - All Green on both side except peer connection status

luckyphill
New here
‎Aug 2 2022 7:02 AM
‎Aug 2 2022 7:02 AM

Site to Site VPN - All Green on both side except peer connection status

So I'm adding a third VPN Site spoke site to an exiting setup, an existing MX84 connects fine to two other MX84 spoke sites, the VPN connection is all good on those two.

The third spoke site using a MX64 shows VPN Registry Connected, NAT Friendly, Encrypted all in the green. however the status for the peer connection is in the red. This is the same for the hub site with the peer connection also red.

 

luckyphill_1-1659448573652.png

 

The only thing different about this new spoke site is that the Internet is provided by another company for us to use and the connection goes through their PaloAlto Firewall.

I've gone through the Meraki Site-to-Site VPN troubleshooting but that all checks out, I'm not sure where to check next.

Labels:
0 Kudos
Subscribe
1 Reply 1
MindOnMeraki
Meraki Employee
Meraki Employee
‎Aug 4 2022 11:32 AM
‎Aug 4 2022 11:32 AM

Hey @luckyphill,

 

The VPN registry is responsible for providing peer information to all of the MX's participating in the AutoVPN. Since it looks like the connectivity is good to the VPN registry servers, you'll want to focus on the traffic between the two peers that are unable to connect. Specifically, you'll want to make sure that both devices are able to communicate to one another via the public IP and port that is identified on the VPN status page under the 'NAT Type: Friendly' section.

 

If the devices are behind a NAT, which looks to be the case, you would check and make sure they can reach other via the NAT'd IP and port. For the spoke, it looks like at the very least it is communicating over UDP port 33333 and the Hub is communicating over UDP port 44377. To verify they can communicate, I would start with a packet capture on the active WAN interface of both MX's and confirm there is bidirectional communication between the two. If you're seeing unidirectional traffic on one end, that'll help you identify where the problem might be (routing, traffic filtering, etc.).

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.