Upgrading MX100 14.53 to 15.44 breaks non-Meraki site-to-site VPN (AWS)

JasonCardinal
Comes here often

We have two MX100 set up for site-to-site Hub VPN with each other and site-to-site non-Meraki VPN with AWS

MX100A (14.53) has no networking issues. We set up MX100B (15.44) the same as MX100A except for the WAN IP addresses and VLANs.

Both can ping each other no problem

MX100A (14.53) can ping AWS farm no problem and ping MX100B VLAN no problem

MX100B (15.44) can ping MX100A no problem but cannot ping AWS farm (like MX100A)

We twice upgraded MX100A to 15.44 but quickly had to roll back to 14.53 as we could no longer access our AWS farm (non-Meraki client VPN).

Could it be that MX100B’s firmware 15.44 is the issue? How to troubleshoot on the Meraki side? All security groups seem tight on the AWS side.

ww
Kind of a big deal
JasonCardinal
Comes here often

Thanks for the link. I followed it to a T and it definitely looks like our problem.

The thing is, I can ping from the MX100 on 14.53 to the AWS private subnet no problem (on IKEv1), but when I change to IKEv2 in the Meraki site-to-site non-Meraki VPN, it dies when pinging from the MX100 on 15.44.

Both IKEv1 and IKEv2 are checked in the AWS VPN tunnel options and DES is disabled. Can't get my head around this.
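Since the thread narrows the failure down to the IKE version and cipher set offered by each side, here is an added example (not code from any poster, nor from Meraki or AWS) that checks whether two peers' phase 1 and phase 2 proposals can intersect at all, and flags weak algorithms both sides would still accept. The dict layout, the field names (ike_versions, phase1/phase2, enc/integ/dh) and every sample value are constructed for this example and are not the Meraki dashboard's or the AWS tunnel-options API's own names.

```python
WEAK = {"DES", "3DES", "MD5", "SHA1"}   # accepted by many peers, but worth disabling
WEAK_DH = {1, 2, 5}                     # small MODP groups

# Constructed: AWS-style tunnel options, both IKE versions allowed, DES not offered.
AWS_TUNNEL = {
    "ike_versions": ["ikev1", "ikev2"],
    "phase1": {"enc": ["AES128", "AES256"], "integ": ["SHA1", "SHA2-256"], "dh": [2, 14, 15, 16]},
    "phase2": {"enc": ["AES128", "AES256"], "integ": ["SHA1", "SHA2-256"], "dh": [2, 14, 15, 16]},
}
# Constructed: an MX proposal after switching the non-Meraki peer to IKEv2.
MX_IKEV2 = {
    "ike_versions": ["ikev2"],
    "phase1": {"enc": ["AES256"], "integ": ["SHA2-256"], "dh": [14]},
    "phase2": {"enc": ["AES256"], "integ": ["SHA2-256"], "dh": [14]},
}
# Constructed: an MX phase 1 proposal with nothing in common with AWS_TUNNEL.
MX_MISMATCH = {
    "ike_versions": ["ikev1"],
    "phase1": {"enc": ["3DES"], "integ": ["MD5"], "dh": [5]},
    "phase2": {"enc": ["AES256"], "integ": ["SHA1"], "dh": [14]},
}

def _norm(values):
    """Case-fold algorithm names so 'ikev2' and 'IKEv2' compare equal; ints pass through."""
    return {v.upper() if isinstance(v, str) else v for v in values}

def proposal_gaps(local, remote):
    """List every parameter with no common value; an empty list means a proposal can match."""
    gaps = []
    if not _norm(local["ike_versions"]) & _norm(remote["ike_versions"]):
        gaps.append(f"ike version: {local['ike_versions']} vs {remote['ike_versions']}")
    for phase in ("phase1", "phase2"):
        for key, label in (("enc", "encryption"), ("integ", "integrity"), ("dh", "dh group")):
            if not _norm(local[phase][key]) & _norm(remote[phase][key]):
                gaps.append(f"{phase} {label}: {local[phase][key]} vs {remote[phase][key]}")
    return gaps

def weak_overlap(local, remote):
    """Algorithms both sides would accept that should still be removed from both configs."""
    found = set()
    for phase in ("phase1", "phase2"):
        for key in ("enc", "integ"):
            found |= _norm(local[phase][key]) & _norm(remote[phase][key]) & WEAK
        found |= {f"DH{g}" for g in _norm(local[phase]["dh"]) & _norm(remote[phase]["dh"]) & WEAK_DH}
    return sorted(found)

if __name__ == "__main__":
    for name, mx in (("ikev2", MX_IKEV2), ("mismatch", MX_MISMATCH)):
        print(name, proposal_gaps(mx, AWS_TUNNEL) or "no proposal gaps", weak_overlap(mx, AWS_TUNNEL))
```

An empty gap list only says a proposal can be agreed; a tunnel that still fails to pass traffic after that points at routing, NAT-T or the traffic selectors rather than the crypto settings.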

PhilipDAth
Kind of a big deal

I assume you configured AWS to have two separate VPNs, one for each site?

Thanks for the comment. I did not but am seriously considering it. My rationale is that I have a very successful site-to-site VPN between both MX100 (in hub mode) so I rejected having two VPNs, one for each MX100 site.

Let me know if you think this could be a problem.  Thanks again!
