Meraki

JasonCardinal · ‎Jan 11 2022

We have two MX100 set up for site-to-site Hub VPN with each other and site-to-site non-Meraki VPN with AWS

MX100A (14.53) has no networking issues. We setup MX100B (15.44) same as MX100A except for the WAN ip addresses and VLANs.

Both can ping each other no problem

MX100A (14.53) can ping AWS farm no problem and ping MX100B VLAN no problem

MX100B (15.44) can ping MX100A no problem but cannot ping AWS farm (like MX100A)

We twice upgraded MX100 A to 15.44 but quickly had to rollback to 14.53 as we could no longer access our AWS farm (Non-Meraki Client VPN)

Could it be that MX100B’s firmware 15.44 is the issue? How to troubleshoot on the Meraki side? All security groups seem tight on the AWS side.

ww · ‎Jan 11 2022

Did you try this?

https://community.meraki.com/t5/Security-SD-WAN/15-44-site-to-site-VPN-not-working/m-p/134576#M33709

JasonCardinal · ‎Jan 12 2022

Thanks for the link. I followed it to a t and it definitely looks like our problem.

The thing is, I can ping from the MX100 on 14.53 to AWS private subnet no problem (on IKEv1) but when I change to IKEv2 in Meraki site-to-site non-meraki VPN, it dies when pinging from MX100 on 15.44

Both IKEv1 and IKEv2 are checked in AWS VPN tunnel options and DES is disabled. Can't get my head around this.

PhilipDAth · ‎Jan 11 2022

I assume you configured AWS to have two separate VPNs, one for each site?

JasonCardinal · ‎Jan 12 2022

Thanks for the comment. I did not but seriously considering it. My rationale is that I have a very successful site-to-site VPN between both MX100 (in hub mode) so I rejected having two VPNs, one for each MX100 site.

Let me know if you think this could be a problem. Thanks again!

Meraki

Community

Upgrading MX100 14.53 to 15.44 breaks non-Meraki site-to-site VPN (AWS)

Upgrading MX100 14.53 to 15.44 breaks non-Meraki site-to-site VPN (AWS)