Oh boy. We were having issues with that same version of firmware for our MX-100, for half a year. We use AWS with a VPC to Meraki, and every time we upgraded the MX firmware from v14.x to v15.x, our connection to AWS would break. Certain indicators within Meraki showed that things were "working" on the Meraki side, but that the AWS side was not responding. We were told to pay for AWS support and to work with them on it, as the issue was apparently with AWS. We were getting desperate and nearly ponied up.
Something kept nagging at me: the fact that the connection would work just fine for 5-10 minutes after the initial upgrade, or after we refreshed the VPC tunnel connection on the AWS side. Why would a firmware upgrade break everything, but allow things to work for a period of time after the swap?
Yesterday, we were finally able to get it going. Here are the steps we took. Huge props go out to Meraki support rep Lily Le for helping my team to zero in on the solution.
- Upgrade to firmware 15.44
- Change the IKE version to IKEv2
  - This will not work on IKEv1, from what I can tell
- Make sure something is set in the RemoteID section
  - We just re-pasted our Public IP in the RemoteID
  - The Local ID is still blank on our configuration
  - This is a step we missed on all of our previous failed attempts
- On the AWS side, modify VPN tunnel options
  - Verify your pre-shared key
  - Uncheck IKEv1, and make sure IKEv2 is checked
    - In previous attempts, we had the correct pre-shared key saved, but we also had both IKEv1 AND IKEv2 selected. In the successful attempt, we only had IKEv2 selected
  - Confirm UP Tunnel Modification, then save
- Voila. Your VPC tunnel will take a few minutes to update its state, but you might be in business now
In the end, Meraki was partially right: there was an AWS setting that needed to be changed. That said, on the Meraki side we also needed to have the RemoteID piece in place, and use IKEv2 (other reps I worked with in the past maintained we could still use IKEv1).
I hope someone out there can benefit from our 6+ months of troubleshooting this issue!
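
Added example, not part of the original post: a check for the AWS-side condition described above (a tunnel that still permits IKEv1 alongside IKEv2), run over saved `aws ec2 describe-vpn-connections` JSON. The sample data, IDs and addresses are constructed placeholders, and treating a missing `IkeVersions` entry as "both versions allowed" is an assumption.

```python
import json

# Constructed sample shaped like `aws ec2 describe-vpn-connections` output.
# IDs, addresses and statuses are placeholders, not values from the post.
SAMPLE = json.loads("""
{"VpnConnections": [{
  "VpnConnectionId": "vpn-EXAMPLE",
  "Options": {"TunnelOptions": [
    {"OutsideIpAddress": "192.0.2.10",
     "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}]},
    {"OutsideIpAddress": "192.0.2.11",
     "IkeVersions": [{"Value": "ikev2"}]}
  ]},
  "VgwTelemetry": [
    {"OutsideIpAddress": "192.0.2.10", "Status": "DOWN"},
    {"OutsideIpAddress": "192.0.2.11", "Status": "UP"}
  ]
}]}
""")

# Assumption: a tunnel with no IkeVersions entry accepts both versions.
DEFAULT_IKE = {"ikev1", "ikev2"}


def audit_ike_versions(described):
    """Return one finding per tunnel that is not restricted to IKEv2 only."""
    findings = []
    for conn in described.get("VpnConnections", []):
        # Map each tunnel's outside IP to its reported telemetry status.
        status = {t["OutsideIpAddress"]: t.get("Status", "UNKNOWN")
                  for t in conn.get("VgwTelemetry", [])}
        for tun in conn.get("Options", {}).get("TunnelOptions", []):
            versions = {v["Value"].lower() for v in tun.get("IkeVersions", [])}
            versions = versions or DEFAULT_IKE
            if versions != {"ikev2"}:
                ip = tun.get("OutsideIpAddress", "?")
                findings.append({
                    "connection": conn.get("VpnConnectionId", "?"),
                    "tunnel": ip,
                    "ike_versions": sorted(versions),
                    "status": status.get(ip, "UNKNOWN"),
                })
    return findings


if __name__ == "__main__":
    for f in audit_ike_versions(SAMPLE):
        print("{connection} tunnel {tunnel}: allows {ike_versions}, "
              "status {status}".format(**f))
```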