VPN Packet Capture not working?

SOLVED
GStarkie
Conversationalist

VPN Packet Capture not working?

Hello,

 

anyone managed to get a successful pcap from MX VPN?

I have an MX that I'm using to vpn into Azure and I cannot seem to get a pcap from it no matter what, i'm trying to troubleshoot EAP-TLS wifi and cant get a pcap for the traffic flows over the VPN (non-Meraki VPN peer).

 

I have tried to capture on:
Site-to-Site VPN / Site-to-Site VPN over Internet 1 & Site-to-Site VPN over Internet 2

My VPN is connected via Internet 1 but tried them all just to be sure, all of them show no packets (either pcap for wireshark or display on the dashboard).

 

Its frustrating as it looks like we are dropping traffic somewhere and I cannot get a working pcap for the VPN traffic.

 

Thanks

G

 

1 ACCEPTED SOLUTION
ww
Kind of a big deal
Kind of a big deal

from what i read you cant capture inside non meraki vpn

 

Site-to-Site VPN - Captures AutoVPN traffic (MX/Z to MX/Z only).  This does not apply to Non-Meraki VPN peers.

View solution in original post

8 REPLIES 8
RaphaelL
Head in the Cloud

When capturing on Internet you don't even see the ESP , ISAKMP packets ? Are you sure you are not applying a pre-capture filter ?

GStarkie
Conversationalist

Hello,

 

thanks for the reply, i can confirm we have no filter, a pcap on any of the available site-to-site VPN options results in an empty pcap. i can see traffic on the WiFi AP / LAN / and internet but i really wanted to see the traffic in the tunnel.

 

Thanks

G

ww
Kind of a big deal
Kind of a big deal

from what i read you cant capture inside non meraki vpn

 

Site-to-Site VPN - Captures AutoVPN traffic (MX/Z to MX/Z only).  This does not apply to Non-Meraki VPN peers.

GStarkie
Conversationalist

Hi ww,

 

Thanks for the reply, if we cannot capture on the tunnel interfaces its back to an ASA or Juniper for testing.

 

In a bit of a stale mate as Microsoft are saying all is good in Azure, Meraki are saying all is good on the Meraki but we cannot get eap-tls WiFi auth working. the client cert never reaches the NPS boxes but we cannot prove where it vanishes.

 

Thanks for the info

G

 

CptnCrnch
Kind of a big deal

Are you able to see any "Don't Fragment" (DF) Bits on one of those sites?

Hi,

 

When we take a pcap on the WiFi AP, we see no DF marked packets. 

I'm not sure if it applies in your scenario, but Microsoft broke device certificate authentication between NPS and Domain controllers with the patches released Tuesday.

 

Specifically, patched domain controllers are failing to map the certificates to the machine accounts.

GStarkie
Conversationalist

Hi Crocker,

 

I didnt know that had happened, if machine cert mapping is broken then the handshake should fail as the cert for the RADIUS server wouldnt be trusted.

 

The logs I do see suggest all is well until the client tries to return its cert, we see that leave the client machine, we also see it leave the WiFi AP and the switch but then we cannot see it traverse the VPN.

We have had Microsoft check and they insist it never reaches their side, we had Meraki check and they say the cert is going through the VPN tunnel so its proving awkward to verify.

 

Thanks for the info.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels