Unable to establish a Site to Site VPN

Solved
ShadowoftheDark
Getting noticed

Hi,

 

I'm fairly new to Meraki, but I've had tons of experience in networking and B2B VPNs, and I just can't seem to figure out on the MX84 whether the VPN is up or down.

 

Currently I see this

 

[screenshot: vpn status.PNG]

 

I was told that this green status is just an indication that the public IPs can ping each other. I talked to the peer site and they said that they're seeing Phase 1 and Phase 2 up but the tunnel still down (?), which seems to be the case, since I can't ping their device from my subnet.

 

Is there a way to filter the logs down to only those related to my VPN? I'm getting some Phase 2 errors, but I'm not sure if they're related to my VPN.

 

[screenshot: vpn logs.PNG]

 

I'm really at my wits' end here. I would really appreciate the help.

 

Thanks

1 Accepted Solution
KRobert
Head in the Cloud

Hi @ShadowoftheDark,

This link may help regarding connecting non-Meraki VPNs with Meraki's AutoVPN.

https://www.willette.works/merging-meraki-vpns/

AutoVPN + non-Meraki VPN Integration Considerations

- Only subnets local to the MX can be advertised to the remote non-Meraki VPN peer. The subnets specifically selected as "Use VPN: yes" on the Security appliance > Site-to-site VPN configuration page will be included as the local interesting traffic in the IPsec exchange.
- Non-Meraki VPN routes are not advertised to OSPF or BGP peers.
- Non-Meraki VPN remote subnets cannot overlap with existing local, static, or AutoVPN routes. Doing so generates a Dashboard validation error when trying to save the configuration.
- Non-Meraki VPN routes are not advertised to AutoVPN peers.

CMNO, CCNA R+S

10 Replies
AjitKumar
Head in the Cloud

Hi @ShadowoftheDark 

I understand we are discussing the "Non-Meraki VPN" configuration.

Constructing tunnels with Meraki AutoVPN (between Meraki devices) or non-Meraki VPN (between Meraki and non-Meraki devices) is kind of easy.

I believe the logs displayed on the Dashboard should be relevant to your VPN only.

I can see a "failed to get sainfo" event.

 

Did you happen to refer to the following URL? (It lists most of the error events.)

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

 

Event Log: "failed to pre-process ph2 packet/failed to get sainfo"
Error Description: The tunnel can’t be established and the following error is recorded in the event logs in the Dashboard “msg: failed to pre-process ph2 packet (side: 1, status: 1), msg: failed to get sainfo.”

Error Solution: This can result from mismatched subnets in the IPsec tunnel definitions, typically a mismatched subnet mask. Check to be sure that the local and remote subnets match up on each side of the VPN tunnel.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
ShadowoftheDark
Getting noticed

Yeah, I've checked that. We even sent out screenshots of both of our Phase 2s to confirm we have matching subnets, and they matched.
PhilipDAth
Kind of a big deal

What kind of device is the remote end?

 

Is either end behind another device doing NAT?

ShadowoftheDark
Getting noticed

I'll ask, but definitely no NAT. We're both on public IPs peering with each other.

ShadowoftheDark
Getting noticed

Hi @KRobert, thanks, I'll try that out.

 

@PhilipDAth I'm peering with a Fortinet FortiGate 200D.

PhilipDAth
Kind of a big deal

Does your Phase 2 have more than one subnet in it? If so, then others have previously said you need to (on the Fortinet) "build an extra Phase 2 tunnel instead of putting 2 subnets in one Phase 2 configuration."
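
A cross-check of the two sides' traffic selectors, added here as an example; it is not code from this thread, from Meraki or from Fortinet. It pulls together three points made above: Ajit's note that "failed to get sainfo" typically comes from local/remote subnets or masks that do not match, the Dashboard rule quoted by KRobert that non-Meraki remote subnets may not overlap existing local, static or AutoVPN routes, and PhilipDAth's advice to give the FortiGate one Phase 2 per subnet pair rather than several subnets in one. The Meraki data is laid out like the Dashboard API's siteToSiteVpn and thirdPartyVPNPeers objects but is constructed inline rather than fetched; the FortiOS phase2-interface text is likewise a made-up export; and the assumption that the MX proposes one Phase 2 selector pair per (local "Use VPN" subnet, remote subnet) and that the FortiGate's src-subnet/dst-subnet must match those exactly is mine, not something the page states.

```python
"""Cross-check MX non-Meraki VPN interesting traffic against FortiGate Phase 2 selectors.
Constructed example: every address, name and the FortiOS snippet below is made up."""
import ipaddress
import re

# Meraki side, shaped like the Dashboard API objects (assumption: same fields as
# GET .../appliance/vpn/siteToSiteVpn and GET .../appliance/vpn/thirdPartyVPNPeers).
MERAKI_LOCAL_SUBNETS = [
    {"localSubnet": "10.20.0.0/24", "useVpn": True},   # "Use VPN: yes" -> interesting traffic
    {"localSubnet": "10.20.1.0/24", "useVpn": False},  # stays out of the IPsec exchange
]
MERAKI_STATIC_ROUTES = ["192.168.10.0/24"]  # stale static route that collides with the peer
MERAKI_PEER = {
    "name": "FortiGate-200D",
    "publicIp": "198.51.100.10",
    "privateSubnets": ["192.168.10.0/24", "192.168.20.0/24"],  # remote subnets only
}

# FortiGate side: a made-up 'config vpn ipsec phase2-interface' export.
FORTIGATE_PHASE2 = """config vpn ipsec phase2-interface
    edit "to-meraki-p2-lan1"
        set phase1name "to-meraki"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
    edit "to-meraki-p2-lan2"
        set phase1name "to-meraki"
        set src-subnet 192.168.20.0 255.255.254.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
    edit "to-meraki-p2-group"
        set phase1name "to-meraki"
        set src-addr-type name
        set src-name "lan-group"
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end
"""


def parse_fortigate_phase2(text):
    """Return one dict per 'edit' block: name, src, dst (ip_network or None), uses_group."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "(.+)"$', line)
        if m:
            current = {"name": m.group(1), "src": None, "dst": None, "uses_group": False}
            continue
        if current is None:
            continue
        m = re.match(r"set (src|dst)-subnet (\S+) (\S+)$", line)
        if m:  # dotted mask is accepted by ipaddress; strict mode rejects stray host bits
            current[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        elif re.match(r"set (src|dst)-name ", line):
            current["uses_group"] = True  # address object/group: several subnets in one Phase 2
        elif line == "next":
            entries.append(current)
            current = None
    return entries


def check_selectors(local_subnets, static_routes, peer, fortigate_entries):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    mx_local = [ipaddress.ip_network(s["localSubnet"]) for s in local_subnets if s["useVpn"]]
    mx_remote = [ipaddress.ip_network(s) for s in peer["privateSubnets"]]
    existing = [ipaddress.ip_network(r) for r in static_routes] + [
        ipaddress.ip_network(s["localSubnet"]) for s in local_subnets]

    # Dashboard validation rule: remote subnets may not overlap local/static/AutoVPN routes.
    for rem in mx_remote:
        for route in existing:
            if rem.overlaps(route):
                findings.append(f"remote {rem} overlaps existing route {route}; Dashboard rejects this")

    # Each (local, remote) pair the MX proposes needs a FortiGate selector with src == remote
    # and dst == local, prefix length included; a differing mask is the classic sainfo failure.
    fg_pairs = {(e["src"], e["dst"]) for e in fortigate_entries if e["src"] and e["dst"]}
    for loc in mx_local:
        for rem in mx_remote:
            if (rem, loc) in fg_pairs:
                continue
            near = [e for e in fortigate_entries if e["src"] and e["dst"]
                    and e["src"].network_address == rem.network_address and e["dst"] == loc]
            if near:
                findings.append(f"mask mismatch for {rem}: FortiGate '{near[0]['name']}' "
                                f"has src-subnet {near[0]['src']}")
            else:
                findings.append(f"no FortiGate Phase 2 selector for {rem} -> {loc}")

    # Several subnets in one Phase 2 (an address group) is what the thread says to split up.
    for e in fortigate_entries:
        if e["uses_group"]:
            findings.append(f"'{e['name']}' uses an address group; "
                            "use one Phase 2 per subnet pair instead")
    return findings


if __name__ == "__main__":
    for finding in check_selectors(MERAKI_LOCAL_SUBNETS, MERAKI_STATIC_ROUTES,
                                   MERAKI_PEER, parse_fortigate_phase2(FORTIGATE_PHASE2)):
        print(finding)
```

Run as-is it reports one finding per rule on the constructed input: the overlapping static route, the /23 versus /24 mask mismatch on the second subnet, and the address-group Phase 2. To use it for real, paste the output of `show vpn ipsec phase2-interface` from the FortiGate into FORTIGATE_PHASE2 and fill the Meraki structures from the Dashboard (by hand or via the API); the parser only understands src-subnet/dst-subnet and src-name/dst-name, so anything else in the export is ignored.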

ShadowoftheDark
Getting noticed

Thanks I'll ask them to do that.

 

 

ShadowoftheDark
Getting noticed

Finally got it to work. Thanks to everyone that replied. I finally understood how Meraki does its VPN: I didn't have to include my own subnet in the list of interesting traffic, only the remote one, and just had to enable it in my own list of subnets and filter it in the rules below.

Thanks again
KRobert
Head in the Cloud

Glad you got it to work!
CMNO, CCNA R+S