Site-to-Site VPN Down After MX Upgrade

Macauley86

I have had two sites connected via site-to-site VPN for years (MX80 at main office, MX64 at satellite office).

 

Yesterday I replaced the MX64 with an MX84; all good. VPN up. Removed MX64 from network and org.

 

This morning I replaced the MX80 with another MX84, removed MX80 from network and org.

VPN went down and is still down, but only between the two MX84 sites; everything else is up (including Z3 devices connected as VPN spokes to either or both sites/hubs).

 

Both sites have the same fiber Internet provider with static IPs.

 

Both sites can ping everything else except each other.

 

ISP support and Meraki support say all is good on their end.

 

Any advice?

1 ACCEPTED SOLUTION

Running firmware 14.38.

 

Problem solved. It was my silly mistake. When I configured the WAN IP on the second MX84, I forgot to change the subnet mask's host address from .0 to .248.

 

Since the public static IPs at the two sites happen to share the first three octets, the second MX wasn't responding to the VPN connection from the first one.

 

Lesson learned.
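An added check illustrating the accepted solution above (example code, not part of the original thread and not Meraki tooling): a host treats every address inside its configured WAN subnet as directly connected, so a 255.255.255.0 mask left in place of the ISP-assigned 255.255.255.248 makes a VPN peer that shares the first three octets look local instead of reachable via the gateway. The addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress

def onlink_peers(wan_ip, mask, peers):
    """Peers the interface would treat as directly connected (no gateway hop)."""
    net = ipaddress.ip_interface(f"{wan_ip}/{mask}").network
    return [p for p in peers if p != wan_ip and ipaddress.ip_address(p) in net]

def audit_wan(wan_ip, configured_mask, assigned_mask, gateway, peers):
    """Compare the configured WAN mask with the ISP-assigned one and list problems."""
    configured = ipaddress.ip_interface(f"{wan_ip}/{configured_mask}").network
    assigned = ipaddress.ip_interface(f"{wan_ip}/{assigned_mask}").network
    findings = []
    if configured != assigned:
        findings.append(f"mask mismatch: configured {configured}, assigned {assigned}")
    if ipaddress.ip_address(gateway) not in configured:
        findings.append(f"gateway {gateway} is outside configured subnet {configured}")
    # Peers that are on-link only because the configured mask is too wide.
    wrongly_local = set(onlink_peers(wan_ip, configured_mask, peers)) - set(
        onlink_peers(wan_ip, assigned_mask, peers))
    for peer in sorted(wrongly_local, key=ipaddress.ip_address):
        findings.append(f"peer {peer} is treated as on-link and bypasses gateway {gateway}")
    return findings

if __name__ == "__main__":
    # Constructed sample: this site is 203.0.113.10 in an ISP-assigned /29,
    # the other hub is 203.0.113.50 (same first three octets), plus one
    # unrelated spoke at 198.51.100.7.
    peers = ["203.0.113.50", "198.51.100.7"]
    for mask in ("255.255.255.0", "255.255.255.248"):
        print(mask)
        for line in audit_wan("203.0.113.10", mask, "255.255.255.248",
                              "203.0.113.9", peers) or ["ok"]:
            print("  ", line)
```

Only the peer inside the too-wide subnet is flagged, which matches the symptom in the thread: everything else stayed reachable while the two hubs could not reach each other.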

5 REPLIES
jdsilva

You have to re-enable VPN when you do a hardware swap. Did you do that under Security > Configure > Site to site VPN?

Yes, we did that with Meraki support. Unfortunately, it did not help.

jdsilva

Yeah, I figured Meraki Support would have caught that if you hadn't. But it never hurts to check.

 

In this case I'd be leaning into Meraki support to troubleshoot. You have no visibility into what's going wrong so it's up to them to tell you what is broken. Don't let them off the hook that easily 🙂

PhilipDAth

Hmm, MX80 - what firmware version did you have the networks configured to run?  Perhaps the MX84 just had a massive firmware downgrade.

 

I would make sure both networks are configured to use a 14.x image.

