Site-to-Site VPN Continues to Disconnect

johnny101boy010
New here

For the last few months, we have been having problems with our S2S VPN connection between all our Meraki sites and our Cisco Firepower 2110. We use IKEv1 (because, for the longest time, Meraki didn't support IKEv2), and every morning certain networks would stop passing traffic from our Cisco FTD to our Meraki sites. In order to temporarily resolve this, we would ping each Meraki location's primary IP address, and the tunnel would reestablish. This would last the rest of the day.


Half of our networks reestablish with no issues (VoIP VLAN, Primary VLAN, Security VLAN, etc.), but two of our newer networks (Servers and New Default DHCP) have continuous problems (which, of course, both of these networks control the users' ability to sign in and authenticate properly).


I opened up a case with support and was told to move to IKEv2. Last night, I did just that, and now our "trouble networks" are behaving even worse. About every 10 minutes, a critical network from our Cisco FTD would stop passing traffic to all Meraki sites. I created a constant ping to all these locations, but it clearly wasn't working.


We are running on version MR 30.6 and MS/CS 16.8 for our Meraki equipment and 7.4.2.1-30 on our Cisco FTD.


So here is my question: Has anyone else had a problem like this? If so, how did you resolve it?

Inderdeep
Kind of a big deal
johnny101boy010
New here

Thanks for those articles! I have looked through our logs and theirs extensively over the last few weeks. What we are seeing is a lot of "established" and "closed" errors in our logs within the same minute of time:

[screenshot of log entries omitted]

cmr
Kind of a big deal

What MX firmware version are you running?

Do you have more than one subnet on the IPSEC VPN?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
johnny101boy010
New here

We are running on version MR 30.6 and MS/CS 16.8 for our Meraki equipment. Yes, we are pushing multiple subnets across our tunnel.

cmr
Kind of a big deal

Do you not have any MXs?  How are you doing the VPN?

johnny101boy010
New here

Sorry! I forgot to include that in the reply. We are running MX 18.211.2.

PhilipDAth
Kind of a big deal

I am 80% confident this will relate to multiple SA establishment.


Some firewalls use a single SA for the connection between them.  You add the first subnet combination to the created SA.  If there is another you append it to the existing SA.


Some firewalls use an SA per subnet combination.  They set up an SA and add a subnet combination, and then set up another SA and add a second combination.


The trouble is when you mix these two types of firewall.  If a firewall that uses a single SA sees a second SA coming in, it deletes the first SA.  The result is you can only ever have a single subnet combination working.


I believe Meraki uses an SA per subnet combination when using IKEv1.  I believe when using IKEv2 you can only have one subnet combination active at a time.  Note that restriction for IKEv2.


The issue might also depend on which side tries to add the subnet combination (it might work one way but not the other).


All of this makes it look like the VPNs are randomly going up and down.


The solution most likely to resolve this is to use a single subnet combination.  Hopefully you can re-factor them to allow this to happen.


Otherwise, what I would personally do, is put an MX in VPN concentrator mode behind your Firepower and use AutoVPN.  This will 100% solve the issue.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide


You only need an MX big enough to cope with the number of spokes required (and I guess the encrypted VPN throughput you want).

https://documentation.meraki.com/MX/MX_Sizing_Information/MX_Sizing_Principles


GIdenJoe
Kind of a big deal

On an FTD you can actually check the SAs by using show crypto ipsec sa detail.
There you can check each local and remote pairing.  If each of them has a different SPI, then the FTD is using different SAs per local/remote network pairing, and then you will run into the issue you are mentioning.
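A small parser for that show output, added here as an example and not part of the thread or of any Cisco or Meraki tooling. The sample text is constructed to mirror the layout of FTD "show crypto ipsec sa" (selector lines, current_peer, inbound SPI) with made-up addresses and SPIs; it groups child SAs by peer so a peer that holds one SA per local/remote pair, each with its own SPI, stands out:

```python
import re
from collections import defaultdict
# Constructed sample in the shape of ASA/FTD "show crypto ipsec sa" output; not a real capture.
SAMPLE_OUTPUT = """\
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20
      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
      local ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20
      inbound esp sas:
        spi: 0xAABBCCDD (2864434397)
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.30
      inbound esp sas:
        spi: 0x11223344 (287454020)
"""

IDENT_RE = re.compile(r"^\s*(local|remote) ident.*?:\s*\(([^/]+/[^/]+)/")
PEER_RE = re.compile(r"^\s*current_peer:\s*(\S+)")
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")

def parse_ipsec_sas(text):
    """Return {peer: [(local_net, remote_net, inbound_spi), ...]}."""
    sas = defaultdict(list)
    cur = {}            # selectors and peer seen since the last SA block
    direction = None    # "in" or "out", set by the "esp sas:" headers
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = PEER_RE.match(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        if "inbound esp sas" in line:
            direction = "in"
        elif "outbound esp sas" in line:
            direction = "out"
        m = SPI_RE.match(line)
        if m and direction == "in":   # one record per child SA (inbound SPI)
            sas[cur["peer"]].append((cur["local"], cur["remote"], m.group(1)))
    return dict(sas)

def peers_with_multiple_sas(text):
    # Peers carrying more than one child SA: one SA per local/remote pairing.
    return {p: len(v) for p, v in parse_ipsec_sas(text).items() if len(v) > 1}
```

Run it over the real command output pasted into SAMPLE_OUTPUT; a peer reported with a count above 1 is one where a single-SA implementation on the far side could be tearing down the earlier SA when the next one comes up.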

johnny101boy010
New here

I do see different SPIs for each connection. Do I need to do what @PhilipDAth is mentioning?

cmr
Kind of a big deal

Yes!

johnny101boy010
New here

Thanks for all this information! Do you know the best way to configure a single subnet combination?


Thanks!

PhilipDAth
Kind of a big deal

You might be able to do something like 192.168.0.0/16 to the site subnet.

johnny101boy010
New here

I wish we were only operating under the 192.168.0.0 subnet, but we aren't 😞 We have 10.0.0.0 IP addresses as well.

PhilipDAth
Kind of a big deal

If it was me, and because I like my life to be simple, and I like to be able to go on holiday and have anything go wrong, I would put in a VPN concentrator behind FirePower.

johnny101boy010
New here

While I do see that solution will work, I just can't believe that, essentially, equipment made from the same company doesn't "natively" work well together. The fact that I would have to purchase additional equipment from Meraki to make this work seems ridiculous. *Sigh*
