Site to Site VPN (Meraki to ASA 5510)

Zach
Comes here often
The Cisco ASA 5510 is on code 9.1(2). The Meraki is an MX100 that is brand new and being set up for the first time.

Phase 1 is establishing, but it appears it is not even attempting Phase 2, so while the tunnel shows up, no traffic is passing.

 

Apr 17 12:25:15 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA established ****[500]-****[500] spi:152245679cb0e554:3a66f483f91c3683
Apr 17 12:25:15 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: *****[500]<=>****[500]

I have the same subnets on both sides. NAT-T has been turned off on the ASA, and the ASA-side host/network is exempt from address translation.

 

Phase 1
  Encryption:            AES 256
  Authentication:        SHA1
  Diffie-Hellman group:  2
  Lifetime (seconds):    28800

Phase 2
  Encryption:            3DES
  Authentication:        SHA1
  PFS group:             Off
  Lifetime (seconds):    28800

Contacted support but they are trying to blame the subnets even though they are the same on each side. Any help or thoughts would be appreciated.
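The symptom above (ISAKMP-SA established, then silence) is easy to miss in a busy event log. The following is an added example, not code from the original post or from Meraki: it scans "Non-Meraki / Client VPN negotiation" lines and reports peers that completed Phase 1 but never logged a Phase 2 (IPsec-SA) within a grace period. The sample log is constructed with documentation addresses, and the exact "IPsec-SA established: ESP/Tunnel" wording is an assumption based on racoon-style messages, not copied from the thread.

```python
"""Flag IKE peers whose Phase 1 (ISAKMP-SA) came up but no Phase 2 (IPsec-SA)
followed, from Meraki "Non-Meraki / Client VPN negotiation" event-log lines.

The sample log below is constructed for this example (RFC 5737 addresses).
The "IPsec-SA established" message text is an assumption about the MX log
format, not something shown in the original post.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: peer 198.51.100.20 stalls after Phase 1, peer 192.0.2.30 completes Phase 2.
SAMPLE_LOG = """\
Apr 17 12:25:15 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Apr 17 12:25:15 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:152245679cb0e554:3a66f483f91c3683
Apr 17 12:25:16 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 203.0.113.10[500]<=>192.0.2.30[500]
Apr 17 12:25:16 Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established 203.0.113.10[500]-192.0.2.30[500] spi:0011223344556677:8899aabbccddeeff
Apr 17 12:25:18 Non-Meraki / Client VPN negotiation msg: IPsec-SA established: ESP/Tunnel 203.0.113.10[500]->192.0.2.30[500] spi=12345678(0xbc614e)
"""

TS_RE = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
# Phase 1 success line: "ISAKMP-SA established <local>[port]-<peer>[port] spi:..."
P1_RE = re.compile(TS_RE + r" .*ISAKMP-SA established (?P<local>[\d.]+)\[\d+\]-(?P<peer>[\d.]+)\[\d+\]")
# Phase 2 success line (assumed wording): "IPsec-SA established: ESP/Tunnel <local>[port]-><peer>[port] ..."
P2_RE = re.compile(TS_RE + r" .*IPsec-SA established: .* (?P<local>[\d.]+)\[\d+\]->(?P<peer>[\d.]+)\[\d+\]")


def _ts(stamp):
    # The syslog-style stamp carries no year; strptime fills in 1900, which is
    # fine because only differences between stamps are used.
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def find_phase2_stalls(log_text, grace_seconds=30):
    """Return sorted peer IPs that reached Phase 1 but never Phase 2.

    A peer counts as stalled when no IPsec-SA line for it appears within
    grace_seconds after its most recent ISAKMP-SA line (or never appears at all).
    A fresh Phase 1 for a peer resets its Phase 2 expectation.
    """
    p1_last = {}      # peer -> time of the latest ISAKMP-SA established line
    p2_ok = set()     # peers that completed Phase 2 within the grace period
    for line in log_text.splitlines():
        m = P1_RE.search(line)
        if m:
            peer = m.group("peer")
            p1_last[peer] = _ts(m.group("ts"))
            p2_ok.discard(peer)
            continue
        m = P2_RE.search(line)
        if m and m.group("peer") in p1_last:
            peer = m.group("peer")
            if _ts(m.group("ts")) - p1_last[peer] <= timedelta(seconds=grace_seconds):
                p2_ok.add(peer)
    return sorted(peer for peer in p1_last if peer not in p2_ok)


if __name__ == "__main__":
    for peer in find_phase2_stalls(SAMPLE_LOG):
        print(f"Phase 1 up but no Phase 2 for peer {peer}: check Phase 2 proposal and selectors")
```

Run it against an exported event log and tune the grace period; a peer that keeps reappearing with a fresh Phase 1 and no Phase 2 points at a proposal or selector mismatch rather than at reachability.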

NSGuru
Getting noticed

@Zach

 

Can you clarify what you mean by they are the same subnet on each side?

 

What are the subnets and networks for each side today? 

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
Zach
Comes here often

 

I mean the same such as 172.30.100.0/24 etc. They said I could not use any summarized subnets.

PhilipDAth
Kind of a big deal

Note that Meraki has poor DES/3DES throughput.  Only use AES.

 

Which side are you trying to generate traffic from?  ASA or MX?

 

There is no reason to disable NAT-T.

 

Double check the Phase-2 settings are the same on both sides.

 

 

Zach
Comes here often

Meraki uses 3DES by default; I am surprised by that.

 

I have tried both sides.

 

A couple of the guides I found stated to disable it. 

 

I have triple checked the settings and they are the same.

wbenton
Here to help

Are your ASA Sec Lists and Meraki's VPN subnets exactly the same?
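Both PhilipDAth's "double check the Phase 2 settings" and wbenton's "exactly the same subnets" advice boil down to a field-by-field comparison. The block below is an added example, not code from the thread, Cisco or Meraki: it compares normalised Phase 1/Phase 2 proposals from both sides and checks that every ASA crypto-ACL entry is the exact mirror of an MX local/remote subnet pair, calling out the case support warned about, where the ASA selector is a summary of the MX subnets. The dictionaries, the field names and the sample values are all constructed for this example and are not the poster's real configuration.

```python
"""Compare an ASA site-to-site policy with an MX 'Non-Meraki VPN peer' entry.

1. compare_proposals: Phase 1 / Phase 2 parameters must match field by field.
2. compare_selectors: each ASA crypto-ACL (src, dst) permit must be the exact
   mirror of an MX (local subnet, remote subnet) pair; a summarised ASA
   selector that merely covers the MX subnets is reported separately.

All field names and sample values are constructed for this example; normalise
vendor spellings (e.g. "SHA1" vs "sha") into the same tokens before comparing.
"""
import ipaddress


def compare_proposals(asa, mx):
    """Return a list of 'phaseN.field: ASA=... MX=...' strings for every mismatch."""
    problems = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(asa[phase]) | set(mx[phase])):
            a, m = asa[phase].get(key), mx[phase].get(key)
            if a != m:
                problems.append(f"{phase}.{key}: ASA={a!r} MX={m!r}")
    return problems


def compare_selectors(asa_acl, mx_local, mx_remote):
    """Check ASA crypto-ACL pairs against the MX local/remote subnet lists.

    asa_acl:   list of (asa_side_cidr, meraki_side_cidr) permit entries.
    mx_local:  MX private subnets participating in the VPN.
    mx_remote: remote subnets configured on the MX peer entry.
    Returns a list of problems; an empty list means the selectors mirror exactly.
    """
    asa_pairs = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in asa_acl}
    # Orient MX pairs the same way as the ASA ACL: (asa side, meraki side).
    mx_pairs = {(ipaddress.ip_network(r), ipaddress.ip_network(l))
                for l in mx_local for r in mx_remote}
    problems = []
    for src, dst in sorted(asa_pairs - mx_pairs, key=str):
        # A summarised ASA selector covers the MX subnets but is not an exact match.
        covered = [f"{a}->{b}" for a, b in sorted(mx_pairs, key=str)
                   if a.subnet_of(src) and b.subnet_of(dst)]
        if covered:
            problems.append(f"ASA selector {src}->{dst} is a summary of MX selectors "
                            f"{', '.join(covered)}; MX expects an exact match")
        else:
            problems.append(f"ASA selector {src}->{dst} has no MX counterpart")
    for src, dst in sorted(mx_pairs - asa_pairs, key=str):
        problems.append(f"MX selector {src}->{dst} missing from ASA crypto ACL")
    return problems


# Constructed sample: proposals agree except the Phase 2 lifetime, and the ASA
# crypto ACL summarises two MX /24s into one /16.
ASA = {
    "phase1": {"encryption": "aes-256", "hash": "sha1", "dh_group": 2, "lifetime": 28800},
    "phase2": {"encryption": "3des", "hash": "sha1", "pfs": None, "lifetime": 28800},
}
MX = {
    "phase1": {"encryption": "aes-256", "hash": "sha1", "dh_group": 2, "lifetime": 28800},
    "phase2": {"encryption": "3des", "hash": "sha1", "pfs": None, "lifetime": 3600},
}
ASA_ACL = [("10.10.0.0/24", "172.30.0.0/16")]
MX_LOCAL = ["172.30.100.0/24", "172.30.101.0/24"]
MX_REMOTE = ["10.10.0.0/24"]

if __name__ == "__main__":
    for p in compare_proposals(ASA, MX) + compare_selectors(ASA_ACL, MX_LOCAL, MX_REMOTE):
        print("MISMATCH:", p)
```

Any line the script prints is a Phase 2 blocker worth fixing before opening a ticket; with no output, the proposals and selectors are an exact mirror and the problem lies elsewhere (NAT exemption, routing, or firmware).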

akan33
Building a reputation

I have had issues with Meraki and ASA since I implemented it back in October. I have a ticket open with them (since October too), and today we still have to reset the tunnel on the ASA side every now and then (at random), as we don't know what's going on, and it is really frustrating.

 

I have tested everything and next step is going to be removing the MX if no fix is provided within a couple of weeks (we have another ASA in the same location as Meraki working perfectly).

 

- crypto ACLs completely mirrored in both sides

- Phase I is stable as you state, but phase 2 randomly stops passing traffic.

- changed encryption algorithms multiple times and lifetime.

- removed data lifetime since the beginning without success.

- DPD configured in ASA since the beginning as it was requested by Meraki.

- ASA running 9.1 and Meraki 13.28. 

- Support keeps passing the ticket from one engineer to another without any real progress.

 

I also wonder at this point what their support SLA is, as a ticket open for 5-6 months without being resolved is really annoying 🙂

Regards.

PhilipDAth
Kind of a big deal

Do your devices have a public IP address configured directly on their outside interfaces?
akan33
Building a reputation

In my case, yes, and there is no packet loss or big latency while it is happening.

We also configured a probe from a Meraki subnet to continuously ping the remote-end subnets (to avoid tunnel expiration), but with the same result.

wbenton
Here to help

>>>still have to reset the tunnel in the ASA side every now and then (random) as we don't know what's going on and it is really frustrating.<<<

 

Have you tried using some kind of keep-alive ping or other traffic from the LAN side of your Meraki to the WAN/VPN side say once every 5 minutes?

akan33
Building a reputation

Yes, that was suggested by Meraki support too, and we have a probe continuously pinging from the Meraki subnet towards the remote-end subnets, without success.

PhilipDAth
Kind of a big deal

We seem to have had @Zach's question hijacked (nicely) and now have two separate issues in the one thread. Back to @Zach's issue.

 

9.1(2) is an "early deployment" release of the ASA code.  The current "gold star" release is asa917-25-k8.bin.  Is it possible to upgrade the ASA to this "gold star" release?

 

https://software.cisco.com/download/home/279916854/type/280775065/release/9.1.7%20Interim
