Meraki

Community

Site-to-Site VPN down - Spoke to Hub

Solved
guitb
Here to help
yesterday
yesterday

Site-to-Site VPN down - Spoke to Hub

I have an environment with dual HUBs (A and B) and numerous spokes.

 

Currently, one spoke is unable to establish a VPN connection to HUB B, while the connection to HUB A is stable.

All other spokes are operating without issue.

 

Given the absence of relevant event log entries, what are the recommended methods for troubleshooting this specific VPN connection failure?

Labels:
0 Kudos
1 Accepted Solution
In response to guitb
tnco
Getting noticed
yesterday
yesterday

In the case of Meraki's Auto vpn, the following port range is used to contact the VPN registries for the first time. After that, UDP communication is performed to each other's global IP using the following port range as the source. This uses UDP hole punching technology.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

 

Any devices sitting upstream of a WAN Appliance will need the following destinations whitelisted so the WAN Appliance can communicate with the Auto VPN registries:

Port
UDP 9350-9381
IP range for non-China cloud (meraki.com):
209.206.48.0/20
158.115.128.0/19
216.157.128.0/20

IP range for China cloud (meraki.cn):
43.192.139.128/25
43.196.13.128/25

 

Ports used for IPsec tunneling:
Source UDP port range 32768-61000
Destination UDP port range 32768-61000

 

I recommend the troubleshooting methods in this article.

 

https://community-meraki-com.translate.goog/t5/-/-/ba-p/194614?_x_tr_sl=ja&_x_tr_tl=en&_x_tr_hl=en&_...

View solution in original post

6 Replies 6
RaphaelL
Kind of a big deal
Kind of a big deal
yesterday
yesterday

Hi ,

 

I would start with a packet capture on the WAN interface(s) of your spoke. Do you see VPN traffic going to HUB B ?

 

What does the page VPN status page reports ?

guitb
Here to help
yesterday
yesterday

VPN Status page shows HUB A in Green and HUB B in red.

 

Only one WAN interface is in use. Which settings should I use for packet capture? Interface: Site-to-Site VPN only? How do I filter the packets to show only HUB B?

0 Kudos
In response to guitb
RaphaelL
Kind of a big deal
Kind of a big deal
yesterday
yesterday

In that case the interface would be 'internet' or 'internet 1'

In response to RaphaelL
guitb
Here to help
yesterday
yesterday

Thank you! Would you know what is the IP address Meraki devices use to establish this VPN tunnel?

0 Kudos
In response to guitb
RaphaelL
Kind of a big deal
Kind of a big deal
yesterday
yesterday

The public IP of your HUB and 'WAN' IP of your spoke. UDP 4500 if you use the default ports.

In response to guitb
tnco
Getting noticed
yesterday
yesterday

In the case of Meraki's Auto vpn, the following port range is used to contact the VPN registries for the first time. After that, UDP communication is performed to each other's global IP using the following port range as the source. This uses UDP hole punching technology.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

 

Any devices sitting upstream of a WAN Appliance will need the following destinations whitelisted so the WAN Appliance can communicate with the Auto VPN registries:

Port
UDP 9350-9381
IP range for non-China cloud (meraki.com):
209.206.48.0/20
158.115.128.0/19
216.157.128.0/20

IP range for China cloud (meraki.cn):
43.192.139.128/25
43.196.13.128/25

 

Ports used for IPsec tunneling:
Source UDP port range 32768-61000
Destination UDP port range 32768-61000

 

I recommend the troubleshooting methods in this article.

 

https://community-meraki-com.translate.goog/t5/-/-/ba-p/194614?_x_tr_sl=ja&_x_tr_tl=en&_x_tr_hl=en&_...

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.