Third-party site-to-site vpn failing/recovering at random

SOLVED
Nash
Kind of a big deal

I have a site-to-site tunnel between an ASA5525 and an MX65. I control both ends.

Tunnel had been running successfully for several months, so far as my team was aware. Recently, it's begun failing at random, then recovering after 5-20 minutes without us doing anything.

When I review the event log on the MX, I see from earliest to latest:

1. msg: IPsec-SA expired: ESP/Tunnel

2. msg: initiate new phase 2 negotiation

3. msg: notification NO-PROPOSAL-CHOSEN received in informational exchange (repeats 5 times)

Cycle repeats for 5-20 minutes, then tunnel establishes p2 again just fine.

I've confirmed that both phase 1 and phase 2 match on each end. Coworkers looked too! But we're still getting this behavior.

Current settings:

p1: 3DES/SHA1/DH2/Lifetime 28800

p2: AES256/SHA1/no PFS/28800

Anyone have any suggestions? I have filed a more detailed ticket with Support.
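The log sequence described above (SA expiry, a new phase 2 attempt, NO-PROPOSAL-CHOSEN repeated, and eventual recovery) is a pattern worth pulling out of the MX event log automatically, so you can tell a clean 8-hour rekey apart from a rekey that fails for a while and then self-heals. The script below is an added example, not code from the original post or from Meraki: it assumes each event log line carries an ISO-8601 timestamp followed by the `msg:` text shown in the post, assumes the success message reads `IPsec-SA established` (the post does not show that line; the wording is an assumption), and uses a constructed sample log built from the messages quoted above.

```python
"""Detect self-recovering phase 2 rekey failures in MX VPN event log lines.

Added example; not part of the original thread. Line shape is assumed to be
'<ISO-8601 timestamp> msg: <text>'. The 'IPsec-SA established' wording for a
successful negotiation is an assumption, since the post only quotes the
failure messages.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+msg:\s+(?P<msg>.+)$")

EXPIRED = "IPsec-SA expired"                  # quoted in the post
INITIATE = "initiate new phase 2 negotiation"  # quoted in the post
REJECTED = "NO-PROPOSAL-CHOSEN"                # quoted in the post
ESTABLISHED = "IPsec-SA established"           # assumed success wording

# Constructed sample: 28800 s (8 h) lifetime, one rekey that is rejected for
# ~12 minutes and then succeeds, followed by a clean rekey eight hours later.
SAMPLE_LOG = """\
2020-03-01T08:00:00 msg: IPsec-SA expired: ESP/Tunnel
2020-03-01T08:00:01 msg: initiate new phase 2 negotiation
2020-03-01T08:00:02 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-03-01T08:00:02 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-03-01T08:00:02 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-03-01T08:00:02 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-03-01T08:00:02 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-03-01T08:06:00 msg: initiate new phase 2 negotiation
2020-03-01T08:06:01 msg: notification NO-PROPOSAL-CHOSEN received in informational exchange
2020-03-01T08:12:00 msg: initiate new phase 2 negotiation
2020-03-01T08:12:01 msg: IPsec-SA established: ESP/Tunnel
2020-03-01T16:00:00 msg: IPsec-SA expired: ESP/Tunnel
2020-03-01T16:00:01 msg: initiate new phase 2 negotiation
2020-03-01T16:00:02 msg: IPsec-SA established: ESP/Tunnel
"""


@dataclass
class Outage:
    started: datetime            # time of the SA expiry that began the cycle
    recovered: Optional[datetime]  # time phase 2 came back, None if still down
    rejections: int              # NO-PROPOSAL-CHOSEN notifications seen
    attempts: int                # phase 2 negotiations initiated

    @property
    def minutes(self) -> Optional[float]:
        if self.recovered is None:
            return None
        return (self.recovered - self.started).total_seconds() / 60


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, message) for lines that match the assumed shape."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines of another shape rather than failing
        yield datetime.fromisoformat(m["ts"]), m["msg"]


def find_outages(lines: Iterable[str]) -> List[Outage]:
    """Return one Outage per rekey cycle that saw at least one rejection.

    An expiry followed directly by an established SA (no rejection) is a
    normal rekey and is not reported.
    """
    outages: List[Outage] = []
    current: Optional[Outage] = None
    for ts, msg in parse(lines):
        if EXPIRED in msg:
            if current is None:
                current = Outage(started=ts, recovered=None, rejections=0, attempts=0)
        elif current is None:
            continue  # events outside a rekey cycle are not interesting here
        elif INITIATE in msg:
            current.attempts += 1
        elif REJECTED in msg:
            current.rejections += 1
        elif ESTABLISHED in msg:
            if current.rejections > 0:
                current.recovered = ts
                outages.append(current)
            current = None  # clean rekey or recovered; either way the cycle ends
    if current is not None and current.rejections > 0:
        outages.append(current)  # tunnel still down at the end of the log
    return outages


def summarize(outages: List[Outage]) -> Dict[str, float]:
    """Aggregate the outages into numbers suitable for a ticket or a dashboard."""
    resolved = [o for o in outages if o.recovered is not None]
    return {
        "outages": len(outages),
        "unresolved": len(outages) - len(resolved),
        "longest_minutes": max((o.minutes for o in resolved), default=0.0),
        "total_rejections": sum(o.rejections for o in outages),
    }


if __name__ == "__main__":
    found = find_outages(SAMPLE_LOG.splitlines())
    for o in found:
        print(f"down {o.started} -> {o.recovered}: {o.attempts} attempts, "
              f"{o.rejections} rejections, {o.minutes:.1f} min")
    print(summarize(found))
```

Repeated outages that all end with the peer accepting an unchanged proposal are the signature to look for: if every cycle self-recovers and the proposals really do match on both sides (as the poster confirmed), the cause lies outside the transform sets, which is where the thread's eventual answer (a forced NAT-T setting on the MX) sits.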

1 ACCEPTED SOLUTION
Nash
Kind of a big deal

So my subnets and settings all matched. The culprit here?

The MX was set to force NAT-T. After having support disable it on the back end, magically my tunnel has been stable. I can't find NO-PROPOSAL-CHOSEN errors in the logs in the last twenty four hours, instead of seeing them every hour or so.

Ran into the idea from some older threads on this very forum.

I didn't want to be That Person who fixed the problem and then never came back to say how.

4 REPLIES
charles07
Getting noticed

no-proposal-chosen is mainly due to a mismatched phase 2 security association.

Can you share screenshots of both sides' Lifetime, IKE Version, Mode, PFS, etc.?

Hi Nash,

Maybe you could help. I have been having issues with a tunnel between my MX84 and our provider, which has an ASA at their end. We have been in contact with Cisco Meraki support to no avail, and it's been like this for almost a year; Cisco Meraki even replaced the appliance for us.

We have a site-to-site non-Meraki tunnel between our MX84 and the ASA.

We have 2 VLANs at our end that need site-to-site VPN, VLAN 10 and VLAN 30 (which is the VLAN created by Cisco Meraki for Client VPN), and we have various subnets that we need to access on the ASA side; let's say subnets A, B, C, D, E, F for simplicity.

At random we lose connection, let's say to subnet A from VLAN 10, but on VLAN 30 it remains working, or the other way round: subnet A is available on VLAN 30 but not on VLAN 10 (usually the latter is the case).

There is no explanation for when this happens or how many times it happens in a day; we could get it 5 times in a day and we could get it only once in 3 days.

We have also contacted Cisco support, who have been debugging the ASA, and they found out that when the issue occurs as the MX84

Their finding was as follows:

On checking the syslogs I'm seeing the discard packet ESP; the only reason for that is that the peer end Meraki is sending traffic on a different SPI than what the ASA has.

There is no SPI matching this digit on the ASA which the far end is sending towards the ASA; that is the reason it gets discarded. The moment the tunnel is cleared, a new SA with SPI value is formed.

I would suggest getting this checked by a Meraki engineer as to why the Meraki is sending the ESP packet with the wrong SPI after a rekey.

The only suggestion I got from Meraki was to change the appliance.
We have been using Meraki since 2018, but I must say that after experiencing this issue I will not be suggesting Meraki to anyone, and as soon as the license expires I will definitely revert back to Cisco.

Any help is appreciated

AlexP
Meraki Employee

FYI - this isn't a thing on MX 15 firmware
