Unable to establish a Site to Site VPN

SOLVED
Here to help

Unable to establish a Site to Site VPN

Hi,

I'm fairly new to Meraki but I've had tons of experience in networking and B2B VPNs, and I just can't seem to figure out on the MX84 if your VPN is up or down.

Currently I see this:

[screenshot: vpn status.PNG]

I was told that this green status is just an indication that the public IPs can ping each other. I talked to the peer site and they said that they're seeing phase 1 and phase 2 up but the tunnel still down (?), which seems to be the case since I can't ping their device from my subnet.

Is there a way to filter out the logs that are only related to my VPN? I'm getting some phase 2 errors but I'm not sure if it's related to my VPN.

[screenshot: vpn logs.PNG]

I'm really at my wits' end here. I would really appreciate the help.

Thanks

Accepted Solution
Getting noticed

Re: Unable to establish a Site to Site VPN

Hi @ShadowoftheDark,

This link may help regarding connecting non-Meraki VPNs with Meraki's Auto-VPN.

https://www.willette.works/merging-meraki-vpns/


AutoVPN + non-Meraki VPN Integration Considerations

Only subnets local to the MX can be advertised to the remote Non-Meraki VPN peer. The subnets specifically selected as Use VPN, yes on the Security appliance > Site-to-site VPN configuration page will be included as the local interesting traffic in the IPSec exchange.
Non-Meraki VPN routes are not advertised to OSPF or BGP peers.
Non-Meraki VPN remote subnets cannot overlap with existing local, static, or AutoVPN routes. Doing so generates a Dashboard validation error when trying to save the configuration.
Non-Meraki VPN routes are not advertised to AutoVPN peers.
CMNO, CCNA R+S
10 REPLIES
Head in the Cloud

Re: Unable to establish a Site to Site VPN

Hi @ShadowoftheDark 

I understand we are discussing "Non-Meraki VPN" configuration.

Constructing tunnels with Meraki Auto VPN (between Meraki devices) or Non-Meraki VPN (between Meraki and non-Meraki) is kind of easy.

I believe the logs displayed on the Dashboard shall be relevant to your VPN only.

I could see "failed to get sainfo" event

Did you happen to refer to the following URL? (It lists most of the error events.)

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

 

Event Log: "failed to pre-process ph2 packet/failed to get sainfo"
Error Description: The tunnel can’t be established and the following error is recorded in the event logs in the Dashboard “msg: failed to pre-process ph2 packet (side: 1, status: 1), msg: failed to get sainfo.”

Error Solution: This can result from mismatched subnets in the IPsec tunnel definitions, typically a mismatched subnet mask. Check to be sure that the local and remote subnets match up on each side of the VPN tunnel.

Cheers
Ajit
ajitsnw@gmail.com
https://www.linkedin.com/in/ajitkumarverma/
Here to help

Re: Unable to establish a Site to Site VPN

Yeah, I've checked that. We even sent out screenshots of both of our phase2's to confirm we have matching subnets and they matched.
Kind of a big deal

Re: Unable to establish a Site to Site VPN

What kind of device is the remote end?

 

Is either end behind another device doing NAT?

Here to help

Re: Unable to establish a Site to Site VPN

I'll ask, but definitely no NAT. We're both public IPs peering with each other.

Here to help

Re: Unable to establish a Site to Site VPN

Hi @KRobert thanks I'll try that out.

@PhilipDAth I'm peering with a Fortinet FortiGate 200D.

Kind of a big deal

Re: Unable to establish a Site to Site VPN

Does your phase 2 have more than 1 subnet in it? If so, then others have previously said you need to (on the Fortinet) "build an extra phase 2 tunnel instead of putting 2 subnets in one phase 2 configuration."

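Two of the checks this thread converges on can be scripted before the peers start comparing screenshots: Ajit's point that "failed to pre-process ph2 packet ... failed to get sainfo" usually comes from phase 2 selectors whose subnet or mask do not mirror on both sides, and Philip's point that a FortiGate carrying more than one subnet in a single phase 2 needs splitting. The block below is an added example, not code from this thread, from Meraki or from Fortinet; it uses only Python's standard `ipaddress` module, assumes IPv4 selectors, and its `SAMPLE_EVENTS` lines are constructed in the style of the Dashboard messages quoted above (real Dashboard output may be formatted differently, so treat the substring matching as an assumption). It also applies the Dashboard overlap rule from the accepted solution and filters event lines down to one peer's public IP, which is what the original question asked for.

```python
"""Pre-flight checks for a Meraki MX <-> non-Meraki IPsec peering.

Added example (not Meraki's or Fortinet's code). Compares the phase 2
traffic selectors each side has configured, flags the mask mismatch behind
"failed to get sainfo", flags a multi-subnet phase 2 on the peer, applies
the Dashboard overlap rule, and filters event lines for one peer IP.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple


@dataclass
class Phase2:
    """Phase 2 traffic selectors as one side has them configured (IPv4 assumed)."""
    local: List[str]   # subnets this side presents as its own
    remote: List[str]  # subnets this side expects from the peer


def _nets(subnets: List[str]):
    # strict=False tolerates host bits in a typed-in address such as 10.1.1.5/24
    return sorted(ip_network(s, strict=False) for s in subnets)


def _fmt(nets) -> str:
    return ", ".join(str(n) for n in nets)


def selector_mismatches(mx: Phase2, peer: Phase2) -> List[str]:
    """Return human-readable problems; an empty list means the selectors mirror."""
    problems: List[str] = []
    mx_local, mx_remote = _nets(mx.local), _nets(mx.remote)
    peer_local, peer_remote = _nets(peer.local), _nets(peer.remote)
    # Each side's local set must equal the other side's remote set, exactly.
    if mx_local != peer_remote:
        problems.append(f"MX local [{_fmt(mx_local)}] != peer remote [{_fmt(peer_remote)}]")
    if mx_remote != peer_local:
        problems.append(f"MX remote [{_fmt(mx_remote)}] != peer local [{_fmt(peer_local)}]")
    # Same network address with a different prefix length is the "mismatched
    # subnet mask" the troubleshooting doc ties to "failed to get sainfo".
    for ours, theirs in ((mx_local, peer_remote), (mx_remote, peer_local)):
        for a in ours:
            for b in theirs:
                if a.network_address == b.network_address and a.prefixlen != b.prefixlen:
                    problems.append(f"mask mismatch: {a} vs {b}")
    return problems


def multi_subnet_phase2(side: Phase2) -> bool:
    """True when a single phase 2 carries more than one subnet on either end;
    the thread's advice for a FortiGate peer is one phase 2 per subnet."""
    return len(side.local) > 1 or len(side.remote) > 1


def overlaps_existing_routes(remote_subnets: List[str],
                             existing_routes: List[str]) -> List[Tuple[str, str]]:
    """Dashboard rejects non-Meraki remote subnets that overlap local, static or AutoVPN routes."""
    return [(str(r), str(e))
            for r in _nets(remote_subnets)
            for e in _nets(existing_routes)
            if r.overlaps(e)]


# Constructed sample event lines (not real Dashboard output); the message
# texts follow the ones quoted in the thread.
SAMPLE_EVENTS = """\
Jul 11 10:02:13 Non-Meraki / Client VPN negotiation msg: phase1 established. peer: 203.0.113.10
Jul 11 10:02:14 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1). peer: 203.0.113.10
Jul 11 10:02:14 Non-Meraki / Client VPN negotiation msg: failed to get sainfo. peer: 203.0.113.10
Jul 11 10:03:01 Non-Meraki / Client VPN negotiation msg: phase2 established. peer: 198.51.100.7
"""

PH2_FAILURE_MARKERS = ("failed to pre-process ph2 packet", "failed to get sainfo")


def filter_vpn_events(log_text: str, peer_ip: str) -> List[str]:
    """Keep only the lines that mention the given peer's public IP (whole-token match,
    so 203.0.113.10 does not also pick up 203.0.113.100)."""
    pattern = re.compile(r"\b" + re.escape(peer_ip) + r"\b")
    return [ln for ln in log_text.splitlines() if pattern.search(ln)]


def phase2_failures(log_text: str, peer_ip: str) -> List[str]:
    """Of that peer's lines, keep the phase 2 failures worth chasing."""
    return [ln for ln in filter_vpn_events(log_text, peer_ip)
            if any(marker in ln for marker in PH2_FAILURE_MARKERS)]


if __name__ == "__main__":
    mx = Phase2(local=["10.1.1.0/24"], remote=["192.168.50.0/24"])
    # Constructed peer config with a mask typo (/25 instead of /24) on the remote side.
    fortigate = Phase2(local=["192.168.50.0/24"], remote=["10.1.1.0/25"])
    for p in selector_mismatches(mx, fortigate):
        print("selector:", p)
    print("peer multi-subnet phase 2:", multi_subnet_phase2(fortigate))
    print("overlaps:", overlaps_existing_routes(mx.remote, ["192.168.0.0/16"]))
    for ln in phase2_failures(SAMPLE_EVENTS, "203.0.113.10"):
        print("event:", ln)
```

Feed `Phase2` the selectors exactly as each admin reads them off their own GUI (the MX from the Site-to-site VPN page, the FortiGate from its phase 2 selectors): the point of comparing both views is that a tunnel which looks "up" at phase 1 can still fail at phase 2 on one mistyped mask, and the script names that mask rather than leaving both sides staring at green icons.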
Here to help

Re: Unable to establish a Site to Site VPN

Thanks I'll ask them to do that.

Here to help

Re: Unable to establish a Site to Site VPN

Finally got it to work. Thanks to everyone that replied. I finally understood how Meraki does its VPN: I didn't have to include my own subnet in the list of interesting traffic, only the remote, and just have to enable it in my own list of subnets and filter it in the rules below.

Thanks again
Getting noticed

Re: Unable to establish a Site to Site VPN

Glad you got it to work!
CMNO, CCNA R+S