Meraki

Community

Site to Site VPN (Meraki to ASA 5510)

Zach
Comes here often
‎Apr 17 2018 12:37 PM
‎Apr 17 2018 12:37 PM

Site to Site VPN (Meraki to ASA 5510)

The Cisco ASA 5510 is on code 9.1(2). The Meraki is a MX100 that is brand new and being setup for the first time.

 

Phase 1 is establishing but it appears it is not even attempting Phase 2 so while it is showing up no traffic is passing.

 

Apr 17 12:25:15 Non-Meraki / Client VPN negotiationmsg: ISAKMP-SA established ****[500]-****[500] spi:152245679cb0e554:3a66f483f91c3683
Apr 17 12:25:15 Non-Meraki / Client VPN negotiationmsg: initiate new phase 1 negotiation: *****[500]<=>****[500]

 

I have the same subnets on both sides. NAT-T has been turned off on the ASA and  exempt ASA side host/network from address translation

 

Phase 1
Encryption                  AES 256             
Authentication                  SHA1             
Diffie-Hellman group                   2            
Lifetime (seconds)28800
Phase 2
Encryption                  3DES                 
 
Authentication                  SHA1       
 
PFS group                  Off            
Lifetime (seconds)28800

 

 

Contacted support but they are trying to blame the subnets even though they are the same on each side. Any help or thoughts would be appreciated.

0 Kudos
11 Replies 11
NSGuru
Getting noticed
‎Apr 17 2018 12:41 PM
‎Apr 17 2018 12:41 PM

@Zach

 

Can you clarify what you mean by they are the same subnet on each side?

 

What are the subnets and networks for each side today? 

Cloud Network Engineer | cloudIT
Certified Meraki Networking Associate

Kudo this if it helped! 🙂
0 Kudos
In response to NSGuru
Zach
Comes here often
‎Apr 17 2018 1:24 PM
‎Apr 17 2018 1:24 PM

 

I mean the same such as 172.30.100.0/24 etc. They said I could not use any summarized subnets.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 17 2018 1:00 PM
‎Apr 17 2018 1:00 PM

Note that Meraki has poor DES/3DES throughput.  Only use AES.

 

Which side are you trying to generate traffic from?  ASA or MX?

 

There is no reason to disable NAT-T.

 

Double check the Phase-2 settings are the same on both sides.

 

 

0 Kudos
In response to PhilipDAth
Zach
Comes here often
‎Apr 17 2018 1:26 PM
‎Apr 17 2018 1:26 PM

Meraki uses 3DES by default I am surprised by that.

 

I have tried both sides.

 

A couple of the guides I found stated to disable it. 

 

I have triple checked the settings and they are the same.

0 Kudos
wbenton
Here to help
‎Apr 17 2018 10:51 PM
‎Apr 17 2018 10:51 PM

Are your ASA Sec Lists and Meraki's VPN subnets exactly the same?

0 Kudos
akan33
Building a reputation
‎Apr 18 2018 12:54 AM
‎Apr 18 2018 12:54 AM

I have had issues with Meraki and ASA since I implemented it back in October, I have a ticket opened with them (since October too) and today we still have to reset the tunnel in the ASA side every now and then (random) as we don't know what's going on and it is really frustrating.

 

I have tested everything and next step is going to be removing the MX if no fix is provided within a couple of weeks (we have another ASA in the same location as Meraki working perfectly).

 

- crypto ACLs completely mirrored in both sides

- Phase I is stable as you state, but phase 2 randomly stops passing traffic.

- changed encryption algorithms multiple times and lifetime.

- removed data lifetime since the beginning without success.

- DPD configured in ASA since the beginning as it was requested by Meraki.

- ASA running 9.1 and Meraki 13.28. 

- Support keeps passing the ticket from one engineer to another without any real progress.

 

I also wonder at this point what is their support SLA as a ticket opened for 5-6 months without been resolved is really annoying 🙂

 

regards.

0 Kudos
In response to akan33
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 18 2018 1:05 AM
‎Apr 18 2018 1:05 AM

Do you devices have a public IP address configured directly on their outside interfaces?
0 Kudos
In response to PhilipDAth
akan33
Building a reputation
‎Apr 18 2018 1:09 AM
‎Apr 18 2018 1:09 AM

in my case yes. and no packet loss or big latency while happening.

 

we also configured a probe from a meraki subnet to continuously ping the remote end subnets (to avoid tunnel expiration) but same result. 

0 Kudos
In response to akan33
wbenton
Here to help
‎Apr 18 2018 1:29 AM
‎Apr 18 2018 1:29 AM

>>>still have to reset the tunnel in the ASA side every now and then (random) as we don't know what's going on and it is really frustrating.<<<

 

Have you tried using some kind of keep-alive ping or other traffic from the LAN side of your Meraki to the WAN/VPN side say once every 5 minutes?

0 Kudos
In response to wbenton
akan33
Building a reputation
‎Apr 18 2018 1:31 AM
‎Apr 18 2018 1:31 AM

yes, that was suggested by Meraki support too and we have a probe continuously pinging from the meraki subnet towards the remote end subnets without success. 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 18 2018 1:44 AM
‎Apr 18 2018 1:44 AM

We seem to have had @Zach's question hi-jacked (nicely) and now have two separate issues in the one thread.  Back to @Zach's issue.

 

9.1(2) is an "early deployment" release of the ASA code.  The current "gold star" release is asa917-25-k8.bin.  Is it possible to upgrade the ASA to this "gold star" release?

 

https://software.cisco.com/download/home/279916854/type/280775065/release/9.1.7%20Interim

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.