Site to Site VPN Problems when upgrading Hub MX to Firmware 15.44

Solved
Mike6116
Getting noticed


Hi All

Looking for some advice here.

At the moment I have 13 MXs that have AutoVPN configured. All of them are running firmware 15.44, and there is only one VPN hub in the network; this hub runs firmware 14.53. With this setup the remote peers can connect to an internal SAP app that we use at our remote locations. The problems begin the moment I upgrade the VPN hub to 15.44: all of the remote VPN peers start failing to connect to a local server that is in the same network as the VPN hub. After the upgrade I can still ping the server, which is IP 192.168.2.13, so basic connectivity is there. I took a packet capture before and after the firmware migration of the hub.

In this example the remote peer is 192.168.6.131 and the server to connect to is 192.168.2.13.

I'm attaching a .rar where the capture is taken on FW 15.44 and the peer cannot connect; then I downgrade to 14.53 and take another capture where the same peer can connect to the server.

This is a screenshot of the error I see when the FW is 15.44:

[Screenshot attachment: Mike6116_0-1635793245911.png]

https://drive.google.com/file/d/1xHW4IxR7oCEI343N5UVVnrIAPYrFB8Nd/view?usp=sharing

 

1 Accepted Solution
PhilipDAth
Kind of a big deal

Try disabling IPS and AMP and see if it starts working. If it does, you have narrowed it down to one area.

I would also check the security event log.

5 Replies

Mike6116
Getting noticed

Hi Philip,

Thank you for your answer.

I have checked the security event log for both sides and there is no record of any blocked item.

I will perform an upgrade to 15.54 and disable AMP & IPS on the hub and check if it works. I'll have to do this after hours.

 

Mike

rhbirkelund
Kind of a big deal

Not sure if you have already done this, but my experience is that you also have to add the subnet on which the hub's IP resides as a local subnet to be advertised to the spokes.

Mike6116
Getting noticed

I've already done that. The spokes can see the hub's local subnet and can ping each other with no issue at all.

Mike6116
Getting noticed

I whitelisted the server to which the remote peers connect, then did the firmware upgrade, and the remote clients connected with no issues, so I will keep this config for now. I will let Meraki support know about this, because I have an open support ticket.

Thanks
