The Cisco ASA 5510 is on code 9.1(2). The Meraki is a MX100 that is brand new and being setup for the first time.
Phase 1 is establishing but it appears it is not even attempting Phase 2 so while it is showing up no traffic is passing.
Apr 17 12:25:15 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA established ****[500]-****[500] spi:152245679cb0e554:3a66f483f91c3683
Apr 17 12:25:15 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: *****[500]<=>****[500]
I have the same subnets on both sides. NAT-T has been turned off on the ASA, and the ASA-side host/network is exempted from address translation.
Phase 1:
Encryption: AES 256
Authentication: SHA1
Diffie-Hellman group: 2
Lifetime (seconds): 28800

Phase 2:
Encryption: 3DES
Authentication: SHA1
PFS group: Off
Lifetime (seconds): 28800
I contacted support, but they are trying to blame the subnets even though they are the same on each side. Any help or thoughts would be appreciated.
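The symptom in the log above (an ISAKMP-SA, i.e. phase 1, is established but no IPsec-SA, i.e. phase 2, ever follows) is easy to miss when scrolling an event log by hand. As an added example, not part of the original post and not Meraki or Cisco code, the script below parses event-log lines in the shape shown above and flags every peer whose phase 1 SA came up without a phase 2 SA following within a time window. Assumptions: the phase 2 message is logged as "IPsec-SA established: ESP/Tunnel A[500]->B[500] ..." (racoon-style, which the Meraki log format resembles; the exact wording is an assumption), the MX WAN address is known so the peer can be picked out of each message, and the sample lines, peer addresses (RFC 5737 documentation ranges in place of the redacted ****) and SPI values other than the one quoted in the post are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample in the Meraki event-log shape quoted in the post. Addresses are
# documentation ranges standing in for the redacted **** entries; 198.51.100.20 is the
# "stalled" peer (phase 1 twice, never phase 2), 198.51.100.30 is a healthy peer.
MX_WAN_IP = "203.0.113.10"
SAMPLE_LOG = """\
Apr 17 12:25:15 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.20[500]
Apr 17 12:25:15 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:152245679cb0e554:3a66f483f91c3683 | |
Apr 17 12:25:20 | Non-Meraki / Client VPN negotiation | msg: initiate new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.30[500]
Apr 17 12:25:20 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA established 203.0.113.10[500]-198.51.100.30[500] spi:0123456789abcdef:fedcba9876543210
Apr 17 12:25:21 | Non-Meraki / Client VPN negotiation | msg: IPsec-SA established: ESP/Tunnel 198.51.100.30[500]->203.0.113.10[500] spi=305419896(0x12345678)
Apr 17 12:26:40 | Non-Meraki / Client VPN negotiation | msg: ISAKMP-SA established 203.0.113.10[500]-198.51.100.20[500] spi:00ff00ff00ff00ff:ff00ff00ff00ff00
"""

# "Mon DD HH:MM:SS | category | msg: text", tolerating the trailing "| |" seen in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \| (?P<cat>[^|]+?) \| msg: (?P<msg>.*?)\s*(?:\|\s*)*$"
)
# An address as the log prints it: 198.51.100.20[500]
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\[\d+\]")

Event = Tuple[datetime, str, str]  # (timestamp, "phase1_up" | "phase2_up", peer address)


def parse_events(log_text: str, mx_wan_ip: str) -> List[Event]:
    """Extract phase 1 / phase 2 establishment events, one per VPN negotiation line."""
    events: List[Event] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or "VPN negotiation" not in m.group("cat"):
            continue
        msg = m.group("msg")
        if msg.startswith("ISAKMP-SA established"):
            kind = "phase1_up"
        elif msg.startswith("IPsec-SA established"):  # assumed phase 2 wording
            kind = "phase2_up"
        else:
            continue  # "initiate new phase 1 negotiation" etc. are not SA events
        # The peer is whichever address in the message is not our own WAN address;
        # this works regardless of the A-B / A<=>B / A->B direction of the message.
        peers = {ip for ip in ADDR_RE.findall(msg) if ip != mx_wan_ip}
        if len(peers) != 1:
            continue
        # The log carries no year; strptime defaults to 1900, which is fine for deltas.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, kind, peers.pop()))
    return events


def find_stalled_phase1(log_text: str, mx_wan_ip: str, window_seconds: int = 60) -> Dict[str, List[str]]:
    """Return {peer: [HH:MM:SS, ...]} for each ISAKMP-SA that no IPsec-SA followed in time."""
    events = parse_events(log_text, mx_wan_ip)
    window = timedelta(seconds=window_seconds)
    stalled: Dict[str, List[str]] = {}
    for ts, kind, peer in events:
        if kind != "phase1_up":
            continue
        followed = any(
            k == "phase2_up" and p == peer and ts <= t <= ts + window
            for t, k, p in events
        )
        if not followed:
            stalled.setdefault(peer, []).append(ts.strftime("%H:%M:%S"))
    return stalled


if __name__ == "__main__":
    for peer, times in find_stalled_phase1(SAMPLE_LOG, MX_WAN_IP).items():
        print(f"{peer}: phase 1 established at {', '.join(times)} with no phase 2 within 60 s")
```

On the constructed sample only 198.51.100.20 is reported, twice: a phase 1 SA that keeps re-establishing while no phase 2 SA ever appears is exactly the pattern a mismatched phase 2 proposal or crypto ACL produces, and is worth flagging per peer rather than reading the whole log. Feed the script a copy-paste of the dashboard event log filtered to "Non-Meraki / Client VPN negotiation"; timestamps without a year are fine because only differences are used.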
Can you clarify what you mean by they are the same subnet on each side?
What are the subnets and networks for each side today?
I mean the same, such as 172.30.100.0/24, etc. They said I could not use any summarized subnets.
Note that Meraki has poor DES/3DES throughput. Only use AES.
Which side are you trying to generate traffic from? ASA or MX?
There is no reason to disable NAT-T.
Double check the Phase-2 settings are the same on both sides.
Meraki uses 3DES by default; I am surprised by that.
I have tried both sides.
A couple of the guides I found stated to disable it.
I have triple checked the settings and they are the same.
Are your ASA Sec Lists and Meraki's VPN subnets exactly the same?
I have had issues with Meraki and ASA since I implemented it back in October. I have had a ticket open with them (since October too), and today we still have to reset the tunnel on the ASA side every now and then (randomly), as we don't know what's going on, and it is really frustrating.
I have tested everything, and the next step is going to be removing the MX if no fix is provided within a couple of weeks (we have another ASA in the same location as the Meraki working perfectly).
- crypto ACLs completely mirrored on both sides
- Phase 1 is stable, as you state, but phase 2 randomly stops passing traffic.
- changed encryption algorithms and lifetimes multiple times.
- removed the data lifetime from the beginning, without success.
- DPD configured on the ASA from the beginning, as requested by Meraki.
- ASA running 9.1 and Meraki 13.28.
- Support keeps passing the ticket from one engineer to another without any real progress.
I also wonder at this point what their support SLA is, as a ticket open for 5-6 months without being resolved is really annoying 🙂
Regards.
In my case yes, and no packet loss or big latency while it is happening.
We also configured a probe from a Meraki subnet to continuously ping the remote-end subnets (to avoid tunnel expiration), but same result.
>>>still have to reset the tunnel in the ASA side every now and then (random) as we don't know what's going on and it is really frustrating.<<<
Have you tried using some kind of keep-alive ping or other traffic from the LAN side of your Meraki to the WAN/VPN side, say once every 5 minutes?
Yes, that was suggested by Meraki support too, and we have a probe continuously pinging from the Meraki subnet towards the remote-end subnets, without success.
We seem to have had @Zach's question hijacked (nicely), and now have two separate issues in the one thread. Back to @Zach's issue.
9.1(2) is an "early deployment" release of the ASA code. The current "gold star" release is asa917-25-k8.bin. Is it possible to upgrade the ASA to this "gold star" release?
https://software.cisco.com/download/home/279916854/type/280775065/release/9.1.7%20Interim