Meraki

Community

Site-to-Site VPN Continues to Disconnect

johnny101boy010
New here
7 hours ago
7 hours ago

Site-to-Site VPN Continues to Disconnect

For the last few months, we have been having problems with our S2S VPN connection between all our Meraki sites and our Cisco Firepower 2110. We use IKEv1 (because, for the longest time, Meraki didn't support IKEv2), and every morning, certain networks would stop passing traffic from our Cisco FTD to our Meraki sites. In order to, temporarily, resolve this, we would ping each Meraki locations' primary IP address, and the tunnel would reestablish. This would last the rest of the day.

 

Half of our networks reestablish with no issues (VoIP VLAN, Primary VLAN, Security VLAN, etc.), but two of our newer networks (Servers and New Default DHCP) have continuous problems (which, of course, both of these networks control the users' ability to sign in and authenticate properly).

 

I opened up a case with support and was told to move to IKEv2. Last night, I did just that, and now our "trouble networks" are behaving even worse. About every 10 minutes, a critical network from our Cisco FTD would stop passing traffic to all Meraki sites. I created a constant ping to all these locations, but it, clearly, wasn't working.

 

We are running on version MR 30.6 and MS/CS 16.8 for our Meraki equipment and 7.4.2.1-30 on our Cisco FTD.

 

So here is my question: Has anyone else had a problem like this? If so, how did you resolve it?

0 Kudos
15 Replies 15
Inderdeep
Kind of a big deal
Kind of a big deal
7 hours ago
7 hours ago

Troubleshooting 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Troubleshooting 

https://community.spiceworks.com/t/meraki-site-to-site-vpn-troubleshooting-options/599868 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
0 Kudos
In response to Inderdeep
johnny101boy010
New here
6 hours ago
6 hours ago

Thanks for those articles! I have looked through our logs and theirs extensively over the last few weeks. What we are seeing is a lot of "established" and "closed" errors in our logs within the same minute of time:

johnny101boy010_0-1732641473635.png

0 Kudos
In response to johnny101boy010
cmr
Kind of a big deal
Kind of a big deal
6 hours ago
6 hours ago

What MX firmware version are you running?

Do you have more than one subnet on the IPSEC VPN?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
johnny101boy010
New here
4 hours ago
4 hours ago

We are running on version MR 30.6 and MS/CS 16.8 for our Meraki equipment. Yes, we are pushing multiple subnets across our tunnel.

0 Kudos
In response to johnny101boy010
cmr
Kind of a big deal
Kind of a big deal
4 hours ago
4 hours ago

Do you not have any MXs?  How are you doing the VPN?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
johnny101boy010
New here
4 hours ago
4 hours ago

Sorry! I forgot to include that in the reply. We are running MX 18.211.2.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
6 hours ago
6 hours ago

I am 80% confident this will relate to multiple SA establishment.

 

Some firewalls use a single SA for the connection between them.  You add the first subnet combination to the created SA.  If there is another you append it to the existing SA.

 

Some firewalls us an SA per subnet combination.  They setup an SA and add a subnet combination, and then setup another SA and add a second combination.

 

The trouble is when you mix these two types of firewall.  If a firewall that uses a single SA sees a second SA coming in - it deletes the first SA.  The result is you can only ever have a single subnet combinaiton working.

 

I believe Meraki uses an SA per subnet combination when using IKEv1.  I believe when using IKEv2 you can only have one subnet combination active at a time.  Note that restriction for IKEv2.

 

The issue might also depend on which side tries to add the subnet combination (it might work one way but not the other).

 

All of this makes it look the VPNs are randomly going up and down.

 

 

The solution most likely to resolve this is to use a single subnet combination.  Hopefully you can re-factor them to allow this to happen.

 

Otherwise, what I would personally do, is put an MX in VPN concentrator mode behind your Firepower and use AutoVPN.  This will 100% solve the issue.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

 

You oly need an MX big enough to cope with the number of spokes required (and I guess the encrypted VPN throughput you want).

https://documentation.meraki.com/MX/MX_Sizing_Information/MX_Sizing_Principles

 

In response to PhilipDAth
GIdenJoe
Kind of a big deal
Kind of a big deal
5 hours ago
5 hours ago

On an FTD you can actually check the SA's by using show crypto ipsec sa detail.
There you can check each local and remote pairing.  If each of them has a different SPI then the FTD is using different SA's per local/remote network pairing and then you will run into the issue you are mentioning.

In response to GIdenJoe
johnny101boy010
New here
4 hours ago
4 hours ago

I do see different spi's for each connection. Do I need to do what @PhilipDAth is mentioning?

In response to johnny101boy010
cmr
Kind of a big deal
Kind of a big deal
4 hours ago
4 hours ago

Yes!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to PhilipDAth
johnny101boy010
New here
4 hours ago
4 hours ago

Thanks for all this information! Do you know the best way to configure a single subnet combination?

 

Thanks!

0 Kudos
In response to johnny101boy010
PhilipDAth
Kind of a big deal
Kind of a big deal
3 hours ago
3 hours ago

You might be able to do something like 192.168.0.0/16 to the site subnet.

0 Kudos
In response to PhilipDAth
johnny101boy010
New here
3 hours ago
3 hours ago

I wish we were only operating under the 192.168.0.0 subnet, but we aren't 😞 We have 10.0.0.0 IP addresses as well.

In response to johnny101boy010
PhilipDAth
Kind of a big deal
Kind of a big deal
3 hours ago
3 hours ago

If it was me, and because I like my life to be simple, and I like to be able to go on holiday and have anything  go wrong - I would put in a VPN concentrator behind FirePower.

In response to PhilipDAth
johnny101boy010
New here
3 hours ago
3 hours ago

While I do see that solution will work, I just can't believe that, essentially, equipment made from the same company doesn't "natively" work well together. The fact that I would have to purchase additional equipment from Meraki to make this work seems ridiculous. *Sigh*

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.