Hello,
Has anyone managed to get a successful pcap from an MX VPN?
I have an MX that I'm using to VPN into Azure and I cannot seem to get a pcap from it no matter what. I'm trying to troubleshoot EAP-TLS Wi-Fi and can't get a pcap for the traffic flows over the VPN (non-Meraki VPN peer).
I have tried to capture on:
Site-to-Site VPN / Site-to-Site VPN over Internet 1 & Site-to-Site VPN over Internet 2
My VPN is connected via Internet 1, but I tried them all just to be sure; all of them show no packets (either as a pcap for Wireshark or displayed on the dashboard).
It's frustrating, as it looks like we are dropping traffic somewhere and I cannot get a working pcap for the VPN traffic.
Thanks
G
From what I read, you can't capture inside a non-Meraki VPN.
Site-to-Site VPN - Captures AutoVPN traffic (MX/Z to MX/Z only). This does not apply to Non-Meraki VPN peers.
When capturing on Internet, you don't even see the ESP, ISAKMP packets? Are you sure you are not applying a pre-capture filter?
Hello,
Thanks for the reply. I can confirm we have no filter; a pcap on any of the available site-to-site VPN options results in an empty pcap. I can see traffic on the WiFi AP / LAN / Internet, but I really wanted to see the traffic in the tunnel.
Thanks
G
Hi ww,
Thanks for the reply. If we cannot capture on the tunnel interfaces, it's back to an ASA or Juniper for testing.
We're in a bit of a stalemate: Microsoft are saying all is good in Azure, Meraki are saying all is good on the Meraki, but we cannot get EAP-TLS WiFi auth working. The client cert never reaches the NPS boxes, but we cannot prove where it vanishes.
Thanks for the info
G
Are you able to see any "Don't Fragment" (DF) Bits on one of those sites?
Hi,
When we take a pcap on the WiFi AP, we see no DF marked packets.
I'm not sure if it applies in your scenario, but Microsoft broke device certificate authentication between NPS and Domain controllers with the patches released Tuesday.
Specifically, patched domain controllers are failing to map the certificates to the machine accounts.
Hi Crocker,
I didn't know that had happened. If machine cert mapping is broken, then the handshake should fail, as the cert for the RADIUS server wouldn't be trusted.
The logs I do see suggest all is well until the client tries to return its cert: we see that leave the client machine, and we also see it leave the WiFi AP and the switch, but then we cannot see it traverse the VPN.
We have had Microsoft check and they insist it never reaches their side; we had Meraki check and they say the cert is going through the VPN tunnel, so it's proving awkward to verify.
Thanks for the info.
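The "Don't Fragment" question asked earlier in the thread and the later observation that the client certificate is seen leaving the AP and switch but never past the VPN both come down to one check on a capture taken at the last hop where the traffic is visible: is each RADIUS packet marked DF, and is it larger than the MTU of the path through the tunnel? A hop that honours DF must drop such a packet rather than fragment it. The Python below is an added example, not code from this thread or from Meraki; it parses raw IPv4/UDP frames with only the standard library, picks out RADIUS authentication traffic (UDP 1812) and lists the packets that are both DF-marked and larger than an assumed path MTU. The 1400-byte MTU, the addresses and the sample frames are all constructed for the demonstration.

```python
import struct
from typing import Dict, List, Optional

# Fixed 20-byte IPv4 header (no options), network byte order:
# ver/IHL, TOS, total length, identification, flags+fragment offset, TTL, protocol, checksum, src, dst
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")
DF_FLAG = 0x4000          # bit 14 of the flags/fragment-offset field
MF_FLAG = 0x2000          # bit 13: More Fragments
UDP_PROTO = 17
RADIUS_AUTH_PORT = 1812   # RADIUS Access-Request / Access-Challenge (EAP carried inside)


def parse_ipv4(frame: bytes) -> Dict:
    """Return the fragmentation-relevant fields of a raw IPv4 packet (no link-layer header)."""
    if len(frame) < IPV4_HEADER.size:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = IPV4_HEADER.unpack_from(frame)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "id": ident,
        "total_len": total_len,
        "df": bool(flags_frag & DF_FLAG),
        "mf": bool(flags_frag & MF_FLAG),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "dst_port": None,
    }
    # For UDP, read the destination port so RADIUS can be told apart from other traffic.
    if proto == UDP_PROTO and len(frame) >= ihl + 8:
        info["dst_port"] = struct.unpack_from("!HH", frame, ihl)[1]
    return info


def make_ipv4_udp(src: str, dst: str, dport: int, payload_len: int, df: bool, ident: int = 1) -> bytes:
    """Build a constructed IPv4/UDP packet for the demo; checksums are left at zero."""
    udp_len = 8 + payload_len
    total_len = IPV4_HEADER.size + udp_len
    hdr = IPV4_HEADER.pack(0x45, 0, total_len, ident, DF_FLAG if df else 0, 64, UDP_PROTO, 0,
                           bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", 50000, dport, udp_len, 0) + b"\x00" * payload_len
    return hdr + udp


def find_df_oversize(frames: List[bytes], path_mtu: int,
                     dport: Optional[int] = RADIUS_AUTH_PORT) -> List[Dict]:
    """Packets that are DF-marked and larger than path_mtu: a hop honouring DF must drop these
    (and should send ICMP Fragmentation Needed) instead of fragmenting them.
    dport=None disables the port filter."""
    flagged = []
    for frame in frames:
        pkt = parse_ipv4(frame)
        if dport is not None and pkt["dst_port"] != dport:
            continue
        if pkt["df"] and pkt["total_len"] > path_mtu:
            flagged.append(pkt)
    return flagged


# Constructed sample capture: AP (10.0.0.5) talking to an NPS server (10.1.0.10) across the tunnel.
AP, NPS = "10.0.0.5", "10.1.0.10"
SAMPLE_FRAMES = [
    make_ipv4_udp(AP, NPS, RADIUS_AUTH_PORT, 1400, df=True, ident=101),   # large EAP-TLS fragment, DF set
    make_ipv4_udp(AP, NPS, RADIUS_AUTH_PORT, 200, df=True, ident=102),    # small Access-Request, DF set
    make_ipv4_udp(AP, NPS, RADIUS_AUTH_PORT, 1400, df=False, ident=103),  # large but fragmentable
    make_ipv4_udp(AP, NPS, 53, 1400, df=True, ident=104),                 # non-RADIUS traffic
]
ASSUMED_TUNNEL_MTU = 1400   # assumption for the demo; measure the real path MTU in your environment


def main() -> None:
    for pkt in find_df_oversize(SAMPLE_FRAMES, ASSUMED_TUNNEL_MTU):
        print(f"id={pkt['id']} {pkt['src']} -> {pkt['dst']}:{pkt['dst_port']} "
              f"len={pkt['total_len']} DF={pkt['df']} exceeds MTU {ASSUMED_TUNNEL_MTU}")


if __name__ == "__main__":
    main()
```

When feeding real captures in, strip the link-layer header first (14 bytes for plain Ethernet) so `parse_ipv4` receives the IP header; the equivalent Wireshark display filter for the same question is `ip.flags.df == 1 && udp.port == 1812`, with `ip.len` giving the size to compare against the tunnel MTU. Comparing the result at the switch-side capture with what the VPN peer receives narrows down where a large, DF-marked RADIUS packet is being discarded.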