Technical Site Site VPN with Non Meraki VPN Peer not establishing Ikev1 MX105 and Cisco 800 ISR

Solved
IFST
New here

Dear Team,

I have a new Meraki MX 105 and I'm looking to establish a site-to-site VPN over IPsec with a Cisco 800 series router using IKEv1, while replacing an ASA firewall. Currently, the ASA firewall and 21 sites utilize Cisco ISR routers from the 800 and 900 series, and everything is functioning well.

The Meraki MX 105 is located at the head office and uses a DDNS service (dyndns.org), while the remote sites also have dynamic IP addresses from their ISPs. Both peer connections work well with the ASA and Cisco ISR routers, but when I switched to the MX, the sites fail to connect. The error message displayed is MM_NO_STATE.

If anyone has resolved a similar issue or has a sample configuration for a non-Meraki peer using dynamic IP addresses, please share it.

Thank you!

8 Replies
MartinLL
Building a reputation

MM_NO_STATE means that it can't establish phase 1 of the tunnel. It could be some issues with DynDNS and how the ASA and MX resolve the names. Did you try setting it up with the assigned IPs instead of the DNS name just to see if it comes up?

MLL
PhilipDAth
Kind of a big deal

>while the remote sites also have dynamic IP addresses

This is unlikely to work. The non-Meraki VPN configuration requires you to specify a remote peer address. Recent software does allow a DDNS name for the peer, but you don't mention that the remote peers have this configuration.

IFST
New here

The Meraki side has its own dynamic name, but on the remote side Cisco 800, we don't have a dynamic name since it is a spoke connecting to the Meraki hub. Does this require DDNS on the remote side?

alemabrahao
Kind of a big deal

The MM_NO_STATE error usually indicates that Phase 1 of IPsec negotiation is failing.

I tried using FQDN for Peer Identification. On Non-Meraki VPN Peers, set the Remote ID to match the FQDN (e.g., site1.dyndns.org) used by the Cisco router.
On the Cisco router, ensure that the isakmp encrypted identity is set to hostname or fqdn and matches what Meraki expects.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
IFST
New here

Hi,

I have DDNS set up at our headquarters, but when the Meraki device is replaced, it generates its own dynamic name. I’m wondering if I really need to configure DDNS for the site in Meraki and then input the hostname into the Cisco 800 router. Additionally, I would have to add the DynDNS link in the Cisco router using the IP DDNS update method via HTTP so that Meraki can recognize the site peer.

This seems like double entry, and I'm concerned because the DDNS in the Cisco router is unreliable; it doesn't resolve the public name immediately, and sometimes we need to manually add the public IP on dyndns.org. It's becoming a headache. In contrast, Cisco to ASA or other Cisco setups didn't have these issues. I thought Meraki would be easier to manage.

alemabrahao
Kind of a big deal

If your headquarters can get a static public IP then that simplifies things, but if that's not possible then my thinking is that you need to use DDNS on both ends, consider a cloud-based sync script or an API-based DDNS updater.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

Meraki is much simpler to manage if you use all Meraki.  You're having complications because of mixing very old technology with very new technology. 

IFST
New here

Yes, you are right. I was able to establish VPN connectivity with three sites using the old routers. Let me put them into production and see how it goes. Moving forward, I will place Meraki at the sites to replace the old ones. Thank you all for the insights and support. I will post accordingly.
