VPN Registry Disconnected But Can Be Pinged - HA MXs with VIP

Zac123
Here to help

Hey all:

I just fixed an issue that I didn't find on this forum, so I figured I would share what I found. I'm working on a deployment with a handful of sites using Meraki MX and MS appliances. The sites will use AutoVPN to connect to each other, but some of the sites lost their connectivity to the VPN Registry, and the VPNs connecting those sites eventually stopped working. They had been connected at some point; it just stopped working.

I read on this forum that some of the VPN Registries were overloaded and that support could add some registries. I called support and had them do that. It partially fixed the problem. This is a hub-and-spoke topology with two hubs. One site could connect to both VPN hubs, but the other site couldn't connect to one of the hubs. After the weekend, neither site could connect to either hub. Both sites could ping the registries they were using, and I could see one-way traffic to the registries in a packet capture.

All the sites have a pair of MX appliances in warm spare/HA and have virtual IPs configured. Out of curiosity, I removed the VIP on one of the sites that couldn't connect. The spoke could then talk to the VPN registries, and the VPNs came up. I put the VIP back in, and connectivity was lost again.

With the virtual IPs configured, I tried turning AutoVPN off and back on. After that, the site was able to connect to the registries, and the VPNs came up. Initially, the dashboard didn't let me turn off AutoVPN because I had firewall rules, but I got around that by creating a disabled source-based route for all the networks on the device.

I thought this was a strange problem because the issue went away if I removed the virtual IP. When the virtual IP was configured, the VPNs wouldn't work, but pings sourced from the VIP would reach the registries. It's like something wasn't right in the registry, but toggling AutoVPN got it working.

I'll be watching the VPN status over the next few days. Hopefully it stays working.
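Added example, not part of the original post or of any Meraki tooling: a small Python check for the symptom described above (a spoke whose AutoVPN peers show as unreachable), the kind of thing you would run on a schedule while "watching the VPN status". It assumes the Meraki Dashboard API v1 endpoint GET /organizations/{organizationId}/appliance/vpn/statuses, the X-Cisco-Meraki-API-Key header, and the field names shown in the constructed SAMPLE_STATUSES below (networkName, vpnMode, merakiVpnPeers[].reachability); check those against the current API documentation before relying on it. The environment variable names MERAKI_ORG_ID and MERAKI_API_KEY are this example's own choice.

```python
"""Flag AutoVPN peers the Meraki Dashboard reports as not reachable.

Added example; not from the forum post. Endpoint and field names below
are assumptions about the Dashboard API v1 and should be verified.
"""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"  # assumed Dashboard API base

# Constructed sample shaped like the vpn/statuses response (not real data):
# two spokes and two hubs, with Site B having lost both hubs, which is the
# failure mode described in the post.
SAMPLE_STATUSES = [
    {
        "networkId": "N_1", "networkName": "Site A", "deviceSerial": "SERIAL-A",
        "deviceStatus": "online", "vpnMode": "spoke",
        "merakiVpnPeers": [
            {"networkId": "N_H1", "networkName": "Hub 1", "reachability": "reachable"},
            {"networkId": "N_H2", "networkName": "Hub 2", "reachability": "unreachable"},
        ],
    },
    {
        "networkId": "N_2", "networkName": "Site B", "deviceSerial": "SERIAL-B",
        "deviceStatus": "online", "vpnMode": "spoke",
        "merakiVpnPeers": [
            {"networkId": "N_H1", "networkName": "Hub 1", "reachability": "unreachable"},
            {"networkId": "N_H2", "networkName": "Hub 2", "reachability": "unreachable"},
        ],
    },
    {
        "networkId": "N_H1", "networkName": "Hub 1", "deviceSerial": "SERIAL-H1",
        "deviceStatus": "online", "vpnMode": "hub",
        "merakiVpnPeers": [
            {"networkId": "N_1", "networkName": "Site A", "reachability": "reachable"},
            {"networkId": "N_2", "networkName": "Site B", "reachability": "unreachable"},
            {"networkId": "N_H2", "networkName": "Hub 2", "reachability": "reachable"},
        ],
    },
]


def unreachable_peers(statuses):
    """Return (site, peer, reachability) for every peer not marked 'reachable'.

    Anything other than the literal 'reachable' (including a missing field)
    is reported, so a changed or unexpected value still surfaces.
    """
    findings = []
    for site in statuses:
        for peer in site.get("merakiVpnPeers", []):
            state = peer.get("reachability", "unknown")
            if state != "reachable":
                findings.append((site["networkName"], peer["networkName"], state))
    return findings


def spokes_with_no_reachable_hub(statuses):
    """Spoke networks whose every AutoVPN peer is down.

    In a hub-and-spoke AutoVPN design a spoke's Meraki peers are its hubs, so
    a spoke with peers and none reachable is a site cut off from the overlay.
    """
    cut_off = []
    for site in statuses:
        if site.get("vpnMode") != "spoke":
            continue
        peers = site.get("merakiVpnPeers", [])
        if peers and not any(p.get("reachability") == "reachable" for p in peers):
            cut_off.append(site["networkName"])
    return cut_off


def fetch_statuses(org_id, api_key, per_page=300):
    """Fetch the first page of VPN statuses for an organization (assumed endpoint).

    The real endpoint paginates via Link headers; this helper only reads
    the first page, which is enough for a handful of sites.
    """
    url = f"{BASE_URL}/organizations/{org_id}/appliance/vpn/statuses?perPage={per_page}"
    req = urllib.request.Request(
        url, headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    org_id = os.environ.get("MERAKI_ORG_ID")
    api_key = os.environ.get("MERAKI_API_KEY")
    # Use live data when credentials are set, otherwise the constructed sample.
    statuses = fetch_statuses(org_id, api_key) if org_id and api_key else SAMPLE_STATUSES
    for site, peer, state in unreachable_peers(statuses):
        print(f"{site}: peer {peer} is {state}")
    for site in spokes_with_no_reachable_hub(statuses):
        print(f"ALERT: spoke {site} has no reachable hub")
```

Run it from cron with the two environment variables set and alert on any "ALERT" line; the check is deliberately strict about the literal "reachable" value so that a renamed or missing field is noticed rather than silently treated as healthy.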

1 REPLY
张起东
Here to help

nice
