Site to Site VPN disconnecting - NAT Traversal fix

NickatEFW
New here

One of our spokes in our Hub/Spoke topology disconnected.  The tunnel no longer displayed in the VPN Status page of our Hub and did not show an active tunnel despite being setup the same as every other remote station we have. 

The error message on the VPN Status page for this spoke stated: 

VPN Registry: This WAN appliance is unable to connect to any VPN registries using outbound UDP ports  & .

NAT Type: Insufficient Registry Information.  This WAN appliance has not been able to communicate with the registry

We tried turning the tunnel off and on to no avail.  I then switched from Automatic NAT traversal to manually configuring NAT Traversal with the remote station's Public IP and a random port.  It worked for approximately 12 hours before disconnecting again.  I then switched back to Automatic, and now it is up again for the time being.  None of our other spokes have experienced this issue.

Anyone experienced this issue before? If so, what was the cause?  Logs aren't showing much other than the tunnel disconnecting.  Or if there is a particular log I should be searching for which may provide clues?

I am hoping switching back to Automatic permanently solves the issue but still monitoring. 

4 Replies
RaphaelL
Kind of a big deal

Hi,

Possible to perform a packet capture on the WAN interface of your MX ? Sounds like upstream device ( firewall ) is either dropping / blocking the VPN registry flow. Stale session ? I have seen and experienced something like that in the past.
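An added example (not part of RaphaelL's reply or any Meraki tooling) of what you would look for in that WAN-side capture: UDP flows the MX keeps sending on without ever receiving a reply, which is what an upstream firewall drop or a stale NAT session looks like from the appliance. It assumes the capture was exported as one-line `tcpdump -n` summaries; the addresses and the registry port in the sample are constructed placeholders, not Meraki's real values.

```python
import re
from collections import defaultdict

# One-line "tcpdump -n" summary for a UDP datagram, e.g.
#   "12:00:01.000 IP 198.51.100.5.51000 > 203.0.113.10.9350: UDP, length 64"
# Assumption: the WAN-interface capture was exported in this format.
UDP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)

def udp_flow_summary(lines, local_ip):
    """Count outbound and inbound datagrams per UDP flow, keyed as
    (local_ip, local_port, remote_ip, remote_port) from the MX's point of view."""
    flows = defaultdict(lambda: {"out": 0, "in": 0})
    for line in lines:
        m = UDP_LINE.match(line)
        if not m:
            continue  # not a UDP summary line (ARP, TCP, truncated, ...)
        src, sport = m.group("src"), int(m.group("sport"))
        dst, dport = m.group("dst"), int(m.group("dport"))
        if src == local_ip:
            flows[(src, sport, dst, dport)]["out"] += 1
        elif dst == local_ip:
            flows[(dst, dport, src, sport)]["in"] += 1
    return dict(flows)

def one_way_flows(lines, local_ip):
    """Flows where the MX sent datagrams but nothing ever came back.
    Returns a sorted list of (local_port, remote_ip, remote_port)."""
    return sorted(
        (k[1], k[2], k[3])
        for k, c in udp_flow_summary(lines, local_ip).items()
        if c["out"] > 0 and c["in"] == 0
    )

# Constructed sample: MX WAN IP 198.51.100.5 (documentation range); the
# registry addresses 203.0.113.x and port 9350 are placeholders only.
SAMPLE_CAPTURE = [
    "12:00:01.000 IP 198.51.100.5.51000 > 203.0.113.10.9350: UDP, length 64",
    "12:00:01.020 IP 203.0.113.10.9350 > 198.51.100.5.51000: UDP, length 80",
    "12:00:02.000 IP 198.51.100.5.51001 > 203.0.113.11.9350: UDP, length 64",
    "12:00:03.000 IP 198.51.100.5.51001 > 203.0.113.11.9350: UDP, length 64",
    "12:00:04.000 IP 198.51.100.5.32768 > 203.0.113.20.32768: UDP, length 120",
    "12:00:04.030 IP 203.0.113.20.32768 > 198.51.100.5.32768: UDP, length 120",
]

if __name__ == "__main__":
    for port, rip, rport in one_way_flows(SAMPLE_CAPTURE, "198.51.100.5"):
        print(f"no reply: local udp/{port} -> {rip}:{rport}")
```

A flow that answered earlier in the capture and then goes silent while the MX keeps retrying is the stale-session case; one that never answers at all points at a drop upstream.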

Inderdeep
Kind of a big deal

Troubleshooting 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Troubleshooting 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
RWelch
Head in the Cloud

Agree with @RaphaelL 

If the Security & SD-WAN > Monitor > VPN status page for a given network reports either "NAT type: Unfriendly" or "VPN Registry: Disconnected", there is likely a device upstream of the WAN Appliance for that site that is preventing AutoVPN from working correctly.

Perhaps these links below could be of further assistance to you:
Site-to-Site VPN Troubleshooting 

For more information on these two error messages and VPN registry troubleshooting in general, reference our documentation regarding Troubleshooting VPN Registration for Meraki AutoVPN.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal

My punt is that this spoke is sitting behind something else doing NAT.  Is that correct?

If you have a static public IP address then port something like udp/10000 (exact number not important) to the MX and then configure it to use manual NAT traversal again.

Otherwise try updating the firmware on the CPE in front of the MX that is doing NAT.

If the CPE has a firewall try turning it off.  Some CPEs have a mode like "DMZ" you can use to pass all traffic through.
