Site-to-Site VPN Down After MX Upgrade

SOLVED
Here to help

I have had two sites connected via site-to-site VPN for years (MX80 at main office, MX64 at satellite office).

 

Yesterday I replaced the MX64 with an MX84; all good. VPN up. Removed MX64 from network and org.

 

This morning I replaced the MX80 with another MX84, removed MX80 from network and org.

VPN went down and is still down, but only between the two MX84 sites; everything else is up (including Z3 devices connected as VPN spokes to either or both sites/hubs).

 

Both sites have the same fiber Internet provider with static IPs.

 

Both sites can ping everything else except each other.

 

ISP support and Meraki support say all is good on their end.

 

Any advice?

Accepted Solutions
Here to help

Re: Site-to-Site VPN Down After MX Upgrade

Running firmware 14.38.

 

Problem solved. It was my silly mistake. When I configured the WAN IP on the second MX84, I forgot to change the subnet mask's host address from .0 to .248.

 

Since the public static IPs at the two sites happen to share the first three octets, the second MX wasn't responding to the VPN connection from the first one.

 

Lesson learned.

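The failure described in the accepted solution, as an added example that is not part of the original thread: with a mask of 255.255.255.0 instead of 255.255.255.248, an appliance treats a peer that shares its first three octets as on-link and tries to reach it directly instead of through the ISP gateway. The function names and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress

def next_hop(wan_ip, mask, gateway, dest):
    """Return where a host with this WAN config sends traffic for dest."""
    net = ipaddress.ip_interface(f"{wan_ip}/{mask}").network
    if ipaddress.ip_address(dest) in net:
        return "on-link"   # host ARPs for dest directly; the gateway is bypassed
    return gateway

def audit_wan(wan_ip, configured_mask, assigned_mask, gateway, peers):
    """List problems caused by a WAN mask that differs from the ISP-assigned one."""
    configured = ipaddress.ip_interface(f"{wan_ip}/{configured_mask}").network
    assigned = ipaddress.ip_interface(f"{wan_ip}/{assigned_mask}").network
    findings = []
    if ipaddress.ip_address(gateway) not in assigned:
        findings.append(f"gateway {gateway} is outside assigned block {assigned}")
    if configured != assigned:
        findings.append(f"configured {configured} differs from assigned {assigned}")
    for peer in peers:
        wrong = next_hop(wan_ip, configured_mask, gateway, peer)
        right = next_hop(wan_ip, assigned_mask, gateway, peer)
        if wrong == "on-link" and right != "on-link":
            findings.append(f"peer {peer} treated as on-link, never sent to {gateway}")
    return findings

# Constructed sample values, not taken from the thread.
SITE_A = "203.0.113.10"        # first site's public IP (hypothetical)
SITE_B = "203.0.113.50"        # second site's public IP, same first three octets
SITE_B_GW = "203.0.113.49"     # second site's ISP gateway inside its /29
INTERNET_HOST = "198.51.100.7" # any unrelated destination

if __name__ == "__main__":
    for finding in audit_wan(SITE_B, "255.255.255.0", "255.255.255.248",
                             SITE_B_GW, [SITE_A, INTERNET_HOST]):
        print(finding)
```

Only the peer inside the too-wide subnet is affected, which matches the symptom in the thread: both sites could reach everything except each other.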

5 REPLIES 5
Kind of a big deal

Re: Site-to-Site VPN Down After MX Upgrade

You have to re-enable VPN when you do a hardware swap. Did you do that under Security > Configure > Site to site VPN?

Here to help

Re: Site-to-Site VPN Down After MX Upgrade

Yes, we did that with Meraki support. Unfortunately, it did not help.

Kind of a big deal

Re: Site-to-Site VPN Down After MX Upgrade

Yeah, I figured Meraki Support would have caught that if you hadn't. But never hurts to check.

 

In this case I'd be leaning into Meraki support to troubleshoot. You have no visibility into what's going wrong so it's up to them to tell you what is broken. Don't let them off the hook that easily 🙂

Kind of a big deal

Re: Site-to-Site VPN Down After MX Upgrade

Hmm, MX80 - what firmware version did you have the networks configured to run? Perhaps the MX84 just had a massive firmware downgrade.

 

I would make sure both networks are configured to use a 14.x image.
