Maybe you could help. I have been having issues with a tunnel I have between my MX84 and our provider, which has an ASA at their end. We have been in contact with Cisco Meraki support to no avail and it's been like this for almost a year; Cisco Meraki even replaced the appliance for us.
We have a site-to-site non-Meraki tunnel between our MX84 and the ASA.
We have 2 VLANs at our end that need the site-to-site VPN: VLAN 10 and VLAN 30 (which is the VLAN created by Cisco Meraki for Client VPN), and we have various subnets that we need to access on the ASA side; let's say subnets A, B, C, D, E, F for simplicity.
At random we lose connection, let's say to subnet A from VLAN 10, but on VLAN 30 it remains working, or the other way round: subnet A is available on VLAN 30 but not on VLAN 10 (usually the latter is the case).
There is no explanation for when this happens or how many times it happens in a day; we could get it 5 times in a day or only once in 3 days.
We have also contacted Cisco support, who have been debugging the ASA, and they found out that when the issue occurs as the MX84
Their finding was as follows:
On checking the syslogs I'm seeing the discard-packet ESP; the only reason for that is that the peer end (Meraki) is sending traffic on a different SPI than what the ASA has.
There is no SPI matching this digit on the ASA that the far end is sending towards the ASA; that is the reason it gets discarded. The moment the tunnel is cleared, a new SA with a new SPI value is formed.
I would suggest getting this checked by a Meraki engineer as to why the Meraki is sending the ESP packet with the wrong SPI after a rekey.
The only suggestion I got from Meraki was to change the appliance.
We have been using Meraki since 2018, but I must say that after experiencing this issue I will not be suggesting Meraki to anyone, and as soon as the license expires I will definitely revert back to Cisco.
Any help is appreciated.
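As an added example (not code from the original post, from Cisco, or from Meraki), the following Python replays a constructed timeline of child-SA installs/deletes and received ESP packets and flags exactly the condition the ASA engineer describes: ESP arriving with an SPI that matches no currently installed inbound SA. It separates a retired SPI (one that existed before a rekey and was then deleted, which is the reported symptom) from an SPI that was never negotiated at all. The SPI values, timestamps and packet bytes are made up for illustration; only the 8-byte ESP header layout (SPI, then sequence number) is taken from RFC 4303.

```python
"""
Stale-SPI audit for an IPsec tunnel (added example; not code from the
original post, Cisco, or Meraki).

It models the diagnosis quoted from the ASA side: after a rekey, ESP packets
arrive carrying an SPI that no longer matches any inbound SA on the receiver,
so the receiver discards them until a fresh SA is negotiated. The SA events,
ESP packets and SPI values below are constructed for illustration only.
"""
import struct
from collections import Counter
from dataclasses import dataclass, field

# ESP header: 32-bit SPI followed by a 32-bit sequence number (RFC 4303 §2).
ESP_HEADER = struct.Struct("!II")


def make_esp(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    """Build a constructed ESP packet: real header, placeholder ciphertext."""
    return ESP_HEADER.pack(spi, seq) + body


def parse_esp_header(packet: bytes) -> tuple[int, int]:
    """Return (spi, seq) from the first 8 bytes of an ESP packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)


@dataclass
class InboundSaTable:
    """Inbound SAs as the receiving peer (the ASA in the thread) sees them."""
    active: dict[int, float] = field(default_factory=dict)   # spi -> install time
    retired: dict[int, float] = field(default_factory=dict)  # spi -> delete time

    def install(self, spi: int, t: float) -> None:
        self.active[spi] = t

    def delete(self, spi: int, t: float) -> None:
        # A rekey ends with the old child SA being deleted; remember its SPI
        # so a later packet using it can be told apart from garbage.
        self.active.pop(spi, None)
        self.retired[spi] = t

    def classify(self, spi: int) -> str:
        if spi in self.active:
            return "ok"
        if spi in self.retired:
            return "stale-after-rekey"   # sender kept using a deleted SA
        return "unknown-spi"            # never installed on this peer


def audit(events: list) -> list:
    """Replay a timeline of SA changes and received ESP packets.

    Each event is (time, kind, payload): kind is "sa_install" or "sa_delete"
    with an SPI, or "esp_rx" with the raw ESP bytes. Returns one
    (time, spi, seq, verdict) tuple per ESP packet, in arrival order.
    """
    sas = InboundSaTable()
    findings = []
    for t, kind, payload in events:
        if kind == "sa_install":
            sas.install(payload, t)
        elif kind == "sa_delete":
            sas.delete(payload, t)
        elif kind == "esp_rx":
            spi, seq = parse_esp_header(payload)
            findings.append((t, spi, seq, sas.classify(spi)))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return findings


def summarize(findings: list) -> Counter:
    """Count verdicts; a non-zero stale-after-rekey count is the symptom."""
    return Counter(verdict for _, _, _, verdict in findings)


# Constructed timeline (not captured from a real tunnel): SPI values are
# arbitrary. One child SA is installed, a rekey brings in a second one and
# retires the first, then the sender keeps emitting on the retired SPI.
SAMPLE_EVENTS = [
    (0.0,  "sa_install", 0x1A2B3C4D),
    (1.0,  "esp_rx",     make_esp(0x1A2B3C4D, 1)),
    (2.0,  "esp_rx",     make_esp(0x1A2B3C4D, 2)),
    (10.0, "sa_install", 0x5E6F7081),                # rekey: new child SA
    (11.0, "sa_delete",  0x1A2B3C4D),                # old child SA torn down
    (12.0, "esp_rx",     make_esp(0x5E6F7081, 1)),
    (13.0, "esp_rx",     make_esp(0x1A2B3C4D, 3)),   # stale SPI -> discarded
    (14.0, "esp_rx",     make_esp(0x1A2B3C4D, 4)),   # stale SPI -> discarded
    (15.0, "esp_rx",     make_esp(0x9999AAAA, 1)),   # SPI never negotiated
]

if __name__ == "__main__":
    for t, spi, seq, verdict in audit(SAMPLE_EVENTS):
        print(f"t={t:5.1f} spi=0x{spi:08x} seq={seq:<3d} {verdict}")
    print(summarize(audit(SAMPLE_EVENTS)))
```

In practice the install/delete events would be reconstructed from the receiving peer's IKE/IPsec logs and the ESP events from a capture of the tunnel traffic, reading the SPI from the first four bytes of each ESP payload. A run of stale-after-rekey verdicts that begins right after a delete and stops when the tunnel is cleared is the pattern the ASA engineer's note describes.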