Site to Site VPN behind Charter Spectrum

Craig_Tompkins

We have a user that has Charter Spectrum at her home.  Currently she has a Cisco 5505 ASA using DHCP on the WAN connection and it's connecting to our corporate ASA without issue.

As we are retiring our 5505s and moving to Meraki, we have issued her a Z3 that was tested using DHCP on the WAN before being shipped to her. When she removes the Ethernet cable from the ASA and plugs it into the Z3, the Z3 comes online. However, the site-to-site VPN does not get established. The VPN registry shows connected, NAT type is Friendly, and it's encrypted.

The hub it's trying to connect to has 33 other networks that are all up on the site-to-site VPN without issue.

Packet captures from both the hub and the spoke show outgoing traffic but no incoming traffic. This tells me there must be a firewall or something between them that is blocking this traffic. Since my hub has so many other connections, I also did a packet capture on my edge firewall (the same device her 5505 connects to); it shows the hub Meraki sending the traffic out but no traffic from the spoke (same as the hub packet capture), so my guess is that it's the Charter modem/router at her house or something at Charter.

We have reset the Z3 to factory defaults. It checked in and downloaded the config, but we still have the same results.

Has anyone had a similar issue with Charter or any ISP for that matter?  This is the only location we have with Charter.  Other networks have AT&T, Comcast, CenturyLink and others.
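The whole diagnosis in the post above rests on one observation: every capture shows the spoke's VPN traffic leaving, and nothing for that flow coming back, while ordinary Internet traffic works. The script below is an added example, not code from this thread or from Meraki, that makes that check mechanical over tcpdump-style summary lines: it pairs both directions of each conversation from the local host's point of view and flags flows that keep sending with zero replies. The capture lines are constructed for the example (RFC 1918 and documentation addresses, arbitrary port numbers, not Meraki's actual VPN ports), and `192.168.20.10` is assumed to be the Z3's WAN address on the ISP router's private range.

```python
import re
from collections import defaultdict

# Constructed sample, not a capture from the thread. The format follows tcpdump's
# default summary line ("<ts> IP <src>.<sport> > <dst>.<dport>: ..."); addresses
# are RFC 1918 / documentation ranges and the ports are placeholders, not the
# real Meraki AutoVPN ports.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 192.168.20.10.9350 > 203.0.113.5.9350: UDP, length 156
12:00:01.250812 IP 192.168.20.10.9350 > 203.0.113.5.9350: UDP, length 156
12:00:02.000044 IP 192.168.20.10.32100 > 198.51.100.7.32100: UDP, length 96
12:00:02.010911 IP 198.51.100.7.32100 > 192.168.20.10.32100: UDP, length 96
12:00:03.500623 IP 192.168.20.10.9350 > 203.0.113.5.9350: UDP, length 156
12:00:04.000002 IP 192.168.20.10.51234 > 198.51.100.9.443: Flags [S], seq 1, win 64240, length 0
12:00:04.020040 IP 198.51.100.9.443 > 192.168.20.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# One summary line: timestamp, "IP", src.sport, ">", dst.dport, ":", the rest.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one summary line, or None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        proto = "UDP"
    elif rest.startswith("Flags ["):   # tcpdump prints TCP flags this way
        proto = "TCP"
    else:
        proto = "other"
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "proto": proto,
    }


def flow_directions(capture_text, local_ip):
    """Count packets per flow, keyed from the local host's point of view.

    Key: (proto, local_port, remote_ip, remote_port). Both directions of a
    conversation map to the same key, so out and in counts can be compared.
    """
    flows = defaultdict(lambda: {"out": 0, "in": 0})
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"] == local_ip:
            key = (pkt["proto"], pkt["sport"], pkt["dst"], pkt["dport"])
            flows[key]["out"] += 1
        elif pkt["dst"] == local_ip:
            key = (pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"])
            flows[key]["in"] += 1
        # Packets not involving local_ip (LAN chatter, broadcasts) are ignored.
    return dict(flows)


def one_way_flows(capture_text, local_ip, min_out=2):
    """Flows where the local host kept sending but never got a single reply.

    min_out keeps one unanswered probe from being flagged; repeated sends with
    zero replies is the signature the post describes.
    """
    counts = flow_directions(capture_text, local_ip)
    return sorted(
        key for key, v in counts.items() if v["out"] >= min_out and v["in"] == 0
    )


if __name__ == "__main__":
    for proto, lport, rip, rport in one_way_flows(SAMPLE_CAPTURE, "192.168.20.10"):
        print(f"no replies: {proto} local port {lport} -> {rip}:{rport}")
```

Feed it `tcpdump -n` output (or `tcpdump -n -r capture.pcap` over a saved capture) with `local_ip` set to the address the spoke actually sends from; if the flagged flows are only the UDP ones to the hub while TCP to the Internet is answered, the problem sits on the path for that UDP traffic rather than on the Z3 itself.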

PhilipDAth


I have no idea who Charter Spectrum is; does the Z3 plug into an ISP router?  If so, is there a firmware upgrade available for it?

I've had problems occasionally with ISP routers not NATing UDP traffic very well, doing dumb things like timing out UDP translations after 5 s.

Charter Spectrum is a large cable company in the US.

The Z3 does plug into the ISP router; the ISP router provides a private IP in the 192.168.20.0/24 range, which it of course NATs. I'm not sure if there is an upgrade available or not. This user is about an 8-hour drive from me, so I'm working on scheduling some time to visit when I have a couple of locations to visit in the same trip. Probably 2 weeks.

I hope someone might have experienced this before and have a possible fix for me before that time. I just have a feeling that when I get on site and call Charter, the person I talk to is not going to have a clue what I'm talking about and will either tell me it's an issue with my equipment and stop there (since we can browse the Internet) or, if they do escalate, it will be a week before they call back.

Some ISP routers have a firewall with low/medium/high settings.

Perhaps you can do a remote session, take over the user's machine, and take a look at the ISP router before making the drive out?

Out of desperation, you could ask the user to try rebooting their ISP router as well.  Anything to save an 8-hour drive.

That's a great idea, except the user only has a zero client that connects to VMware Horizon and no personal computer we could use temporarily.

Courier them a notebook?

cmr

According to this post, they needed a reduced MTU, and you can get support to reduce it on the MX VPN:

https://www.reddit.com/r/networking/comments/9aob1n/slow_ipsec_vpn_over_spectrumcharter/

Another suggested a non-Motorola cable modem was the culprit.

The user is reaching out to Charter to request a modem change, as she currently has an Arris modem. We'll see if they are willing to swap it and, if so, whether that fixes the issue.

Thanks for all the suggestions.

I just went through this for my wife's thin client/Z3 setup her company gave her.

I upgraded my Spectrum equipment (from a Surfboard of my own) to the latest Spectrum offered to support higher bandwidth.

The Z3 initialized and would allow a WiFi connection (which the Avaya phone cannot do) but would not initialize the VPN over the WAN port.

I lowered the default DHCP setting from aggressive to normal and enabled PPPoE Passthrough (the only passthrough disabled by default), and everything connected immediately.

Since it's working and I'm doing someone else's job, I haven't gone back and isolated whether the passthrough or the DHCP change did the trick. I am an app guy, not a networking guy. I only posted here in case it could help someone.
