Site to Site VPN Port Issue

Solved
CMTech1
Getting noticed


Hi,


I have an issue I'm at a loss with and looking for any possible guidance. Our Corp Office has a MX and remote site had SonicWALL (SW). We then upgraded the SonicWALL with a Meraki and we have one issue we just can't figure out.


After we replaced the SW with an MX at the remote site we lost connection from our Motorola handheld devices to the App Server used for MFG scanning. The handhelds are Motorola MC9100 series and can connect to the WiFi network, and are able to access local network resources as well as the internet. However, when we run the inventory app it just freezes and never launches. If we connect the handheld through a PC via a cradle it works fine and is able to connect to the server app back at Corp Off. We tested the connection via a laptop on the same wireless and could telnet to Corp Off without issue, as the handshake worked using the same protocol (Telnet), so we know it's not the actual port being blocked (10.10.10.10:4000). The VPN tunnel firewall rule is Any/Any, we disabled AMP and IPS on both sides, and it is still not passing with the handheld on wireless.


Any ideas? Thanks, Mark

1 Accepted Solution
BlakeRichardson
Kind of a big deal

Just an idea: instead of relying on an Any/any rule, what happens if you add another rule that actually specifies the ports you require?


I've seen weird things with any/any rules on other firewalls not actually working properly.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.


4 Replies
CMTech1
Getting noticed

Hi BlakeRichardson. Thanks for the info, though the change didn't help, so I rolled it back.

However, after further testing today I found the issue, though I'm scratching my head. Since the site is considered a spoke and I'm the hub, I set the corp office VPN as the default within the Site-to-Site settings and this system started to work again. Not sure why, but not looking a gift horse in the mouth 🙂

PhilipDAth
Kind of a big deal

You are almost certainly experiencing an MSS squeeze. If you have a Windows client you can determine the maximum MTU by using a ping command like this:

ping <app server> -f -l 1400

If the ping works, increase the size (above 1400). If it fails, reduce the number. Keep going until you get the maximum size that works.
What OS is the App Server running? I can probably suggest the command to run to adjust the MSS or MTU on that side to resolve the issue.
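
A scripted version of the ping search described in the reply above, added here as an example and not taken from the thread: it binary-searches the largest don't-fragment payload that gets through, then converts the Windows ping payload size into the path MTU and the TCP MSS value you would clamp to. The hostname, the 1436-byte simulated path and the Linux ping fallback are assumptions.

```python
import platform
import subprocess
from typing import Callable

# Windows "ping -l N" sets the ICMP payload; IPv4 (20) + ICMP (8) headers make
# the packet N + 28 bytes on the wire. TCP over IPv4 carries 40 bytes of
# headers, so the MSS to clamp to is path_mtu - 40.
ICMP_OVERHEAD = 28
TCP_IPV4_OVERHEAD = 40


def ping_probe_factory(host: str) -> Callable[[int], bool]:
    """Return a probe that sends one don't-fragment ping of the given payload size."""
    def probe(payload: int) -> bool:
        if platform.system() == "Windows":
            cmd = ["ping", host, "-f", "-l", str(payload), "-n", "1", "-w", "1000"]
        else:  # assumed iputils equivalent of -f / -l
            cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", "1", host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def find_max_payload(probe: Callable[[int], bool], lo: int = 500, hi: int = 1472) -> int:
    """Binary-search the largest DF payload the path accepts; 0 if even `lo` fails."""
    if not probe(lo):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the search always makes progress
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def mss_for_payload(payload: int) -> int:
    """Translate the largest working ping payload into a TCP MSS clamp value."""
    return payload + ICMP_OVERHEAD - TCP_IPV4_OVERHEAD


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: DF packets larger than path_mtu are dropped."""
    return lambda payload: payload + ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    probe = simulated_probe(1436)  # constructed: a tunnel with a 1436-byte path MTU
    best = find_max_payload(probe)
    print(f"largest DF payload {best}, path MTU {best + ICMP_OVERHEAD}, "
          f"suggested MSS {mss_for_payload(best)}")
```

Swap `simulated_probe(1436)` for `ping_probe_factory("<app server>")` to run the search against a real host.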

CMTech1
Getting noticed

Hi PhilipDAth. Thanks for the info, but it's not a network speed issue and seems to be a session layer issue. I just found the solution to be related to the site-to-site default setting needing to be set to the corp office, though I'm not 100% sure why; however, it works now.
