VPN Registry: Partially connected - What does this mean?

SOLVED
thomasthomsen
Head in the Cloud


Hi All

 

On the VPN status page I have a couple of sites that "once in a while" display the yellow (warning) "VPN Registry: Partially connected" status (like in the picture).

This is a Hub and Spoke setup (not full mesh), and even though we have multiple Hubs, one spoke is only configured for a single Hub (and full tunnel to that Hub), no failover.

 

From the text of the warning, I would presume that everything works fine, but... (Just a quick side note: the registration is normally green and good, but sometimes it turns yellow with that message.)

 

Our question is, what does this mean?

I have been searching the Meraki documentation and this forum, but I do not seem to be able to find a specific correct answer. Any suggestions?

 

/Thomas

 

1 ACCEPTED SOLUTION
Borisorism
Meraki Employee

AutoVPN uses a Registry hosted in the cloud in order to provision VPNs. A Registry holds the record of all the MXs in an organisation and other information needed in order to automatically push the required configurations when new VPN tunnels are created.

 

VPN Registries have an HA configuration, and usually the security appliance is able to connect to more than one instance of the VPN registry at a time. My understanding is that the warning may indicate that the Security Appliance is having trouble connecting to one of the registries.

 

This will not affect your already provisioned VPNs, nor will it normally affect the configuration of new VPN tunnels.

 

If you do experience issues with the provisioning of new VPN tunnels, contact support and they should be able to help.


Thank you for the answer - it makes sense.

 

But this opens another question for me 🙂

 

If the Registry status turns red, does this just mean that the MX or Z3 cannot reach the registry, but the already established VPN connection continues to work fine? (Unless something changes in the network during the time the registry status is red.)

 

/Thomas

You're welcome.

 

Yes - already established VPNs should function just fine even if the Registry status goes red.

The only time Registry is really involved is when you provision a new VPN tunnel.

Support can change the registry your ORG uses to a new one they have, but they have to be contacted for that. I did it because I was seeing the same issue, presumably because it was 'overloaded' or something. Once they moved my ORG to use the new one, no more issues.
Nolan Herring | nolanwifi.com
NikM
Conversationalist

My Org had exactly the same issue. Contacted support and they arranged to move to their new vpn registry servers. Since then we have had no more of these alerts in our dashboard event logs.

I have recently deployed 5 Meraki devices and set up site-to-site VPNs which are all working fine. Since day 1 I have been seeing this "VPN Registry: Partially connected" message and red lines in the VPN Status page. I contacted support, who first suggested port blocking by upstream firewalls, but we have no upstream firewalls. I pointed support to this thread and they then suggested we could move to new VPN Registry servers, but it would incur 20 minutes of downtime.

 

I think I would rather see the red lines than have to schedule the downtime. Assuming this is a cloud issue, it seems strange that Meraki have not managed to address this internally.

I would disagree with this statement. Just today we had the issue where the VPN connection went red and ALL traffic traversing that path stopped. We saw this just last week in another network and had the same symptoms. To resolve it quickly, in each case we had to reboot the MX67.

I'd like to know if there's a way to disconnect/reconnect the VPN tunnel from the MX450 without having to interrupt client activities by rebooting.

JohnPaul
Getting noticed

As of 1/29/2020 we have this issue. For over a year we have been told by Meraki that there is nothing to worry about. However the problem of partial and full registry disconnects is more pervasive in our organization than it ever was.

 

We recently did an IP address change, and because of all the VPN registry disconnects and partial connects, the IPsec tunnels took WAY longer to renegotiate. This is unacceptable.

 

We will be looking into having our MXs pointing to the newer Meraki VPN registries as a fix.

 

 

Update:

 

Last Friday we had Meraki change the VPN registries and now all our VPN registry connections have been solid with no disconnect issues!

 

 

That is good to hear! I will surely relay this info to my engineer and see what they want to do.

Thanks JohnPaul!

JosRus
Meraki Employee

I would like to add some additional information to this:

 

When support initiates a change to your registry contact points, a migration period will occur, within which changes to your registry contact points cannot be performed. Any additional changes to these will require an additional waiting period while the migration finishes.

 

An additional port, 9351, has been added, which you will see is also listed under Help > Firewall Info > VPN registry. Upon issuing a registry IP change from our side, you will see the addresses on this page update automatically, so be sure to check this page after any registry IP change is made by Meraki Support, and update your upstream firewall/device rules with the new information accordingly.
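Several posters above decided whether to ask Support for a registry migration based on how often "Partially connected" and "Disconnected" showed up in the dashboard event log. The script below is an added example, not Meraki code and not from anyone in this thread: it folds exported event-log rows into per-network counts and degraded durations, so the escalation can be backed by numbers. It assumes the export is CSV with `time,network,event` columns and that the event text carries the literal registry state; the sample rows are constructed for illustration and are not real dashboard output.

```python
"""Summarise AutoVPN registry status changes per network from exported
dashboard event-log rows, so a registry that flaps repeatedly (or stays
degraded) can be escalated to Support with numbers rather than a screenshot.

Added example, not Meraki code. Assumptions: the export is CSV with
'time,network,event' columns and the event text contains the literal
registry state; the rows below are constructed and are not real output.
"""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample rows (assumed layout). Branch-A's first episode is
# deliberately out of time order to show that the parser sorts before
# computing durations; one unrelated event shows that it is ignored.
SAMPLE_LOG = """\
time,network,event
2020-01-29T08:00:00Z,Branch-A,VPN registry status changed: Connected
2020-01-29T08:15:02Z,Branch-A,VPN registry status changed: Connected
2020-01-29T08:12:31Z,Branch-A,VPN registry status changed: Partially connected
2020-01-29T09:40:10Z,Branch-B,VPN registry status changed: Partially connected
2020-01-29T09:58:44Z,Branch-B,VPN registry status changed: Disconnected
2020-01-29T10:20:00Z,Branch-B,VPN registry status changed: Connected
2020-01-29T10:30:00Z,Branch-B,Uplink status changed: WAN1 active (ignored)
2020-01-29T11:05:00Z,Branch-A,VPN registry status changed: Partially connected
2020-01-29T11:07:00Z,Branch-A,VPN registry status changed: Connected
2020-01-29T11:30:00Z,Branch-D,VPN registry status changed: Partially connected
2020-01-29T12:00:00Z,Branch-C,VPN registry status changed: Connected
"""

# Assumed event wording; adjust the pattern to match your export.
EVENT_RE = re.compile(
    r"VPN registry status changed: (Connected|Partially connected|Disconnected)\s*$")

Event = Tuple[datetime, str, str]  # (timestamp, network, state)


@dataclass
class RegistryStats:
    degradations: int = 0          # transitions from Connected/unknown into a worse state
    full_disconnects: int = 0      # transitions into Disconnected
    degraded_seconds: float = 0.0  # total time spent not Connected
    current: Optional[str] = None  # last state seen
    since: Optional[datetime] = None
    open_ended: bool = False       # still degraded at the end of the log


def parse_events(text: str) -> List[Event]:
    """Extract registry state changes from CSV rows, oldest first."""
    events: List[Event] = []
    for row in csv.DictReader(io.StringIO(text)):
        m = EVENT_RE.search(row["event"])
        if not m:
            continue  # some other event type
        ts = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, row["network"], m.group(1)))
    events.sort(key=lambda e: e[0])  # export order is not guaranteed
    return events


def summarise(events: List[Event],
              log_end: Optional[datetime] = None) -> Dict[str, RegistryStats]:
    """Fold time-ordered events into per-network statistics.

    An episode that never recovers before the last row is closed at
    log_end (default: the newest timestamp) and marked open_ended, so it
    is counted rather than silently dropped."""
    stats: Dict[str, RegistryStats] = defaultdict(RegistryStats)
    if not events:
        return {}
    log_end = log_end or max(ts for ts, _, _ in events)
    for ts, net, state in events:
        s = stats[net]
        if s.current not in (None, "Connected"):
            # close the degraded interval opened by the previous row
            s.degraded_seconds += (ts - s.since).total_seconds()
        if state != "Connected" and s.current in (None, "Connected"):
            s.degradations += 1
        if state == "Disconnected" and s.current != "Disconnected":
            s.full_disconnects += 1
        s.current, s.since = state, ts
    for s in stats.values():
        if s.current != "Connected":
            s.degraded_seconds += (log_end - s.since).total_seconds()
            s.open_ended = True
    return dict(stats)


def escalation_list(stats: Dict[str, RegistryStats],
                    min_degradations: int = 2) -> List[str]:
    """Networks worth raising with Support: repeated flaps, any full
    disconnect, or a degradation with no recovery in the log."""
    return sorted(net for net, s in stats.items()
                  if s.degradations >= min_degradations
                  or s.full_disconnects or s.open_ended)


if __name__ == "__main__":
    summary = summarise(parse_events(SAMPLE_LOG))
    for net, s in sorted(summary.items()):
        print(f"{net}: {s.degradations} degradations, {s.full_disconnects} full "
              f"disconnects, {s.degraded_seconds:.0f}s degraded"
              f"{' (still degraded)' if s.open_ended else ''}")
    print("escalate:", escalation_list(summary))
```

The thresholds in `escalation_list` are a starting point; a single short "Partially connected" episode is what the accepted answer describes as harmless, whereas repeated flaps, any "Disconnected", or a state that never returns to "Connected" are the patterns the later posts associated with slow re-provisioning and with a registry migration fixing it.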
