VPN Subnet is frequently disconnecting from vpn tunnel

Ravi-MX84

We have a VPN established between Meraki and ASA. Interesting traffic is assigned.

But at some point in time, some of the LAN subnets in the interesting traffic on the Meraki side are not able to reach the ASA. The tunnel is working fine; the rest of the subnets are able to reach the remote ASA peer through the tunnel.

No issues are observed from the ASA end, i.e. all LAN subnets from the ASA are able to reach the Meraki LAN IPs.

I have advertised all my LAN subnets with the 255.255.0.0 subnet on both peers. Can you please suggest a solution for this? Thanks in advance.

PhilipDAth

My guess is there is a mismatch between the encryption domains on the two sides. Which subnets work may well depend on which end brings up the VPN.

Make sure the encryption domain on both sides is 100% identical.
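
One way to run the check suggested above, as an added example that is not part of the thread or of Cisco or Meraki tooling: it compares the ASA crypto ACL against the Meraki side's subnet lists and reports selectors that are not exact mirrors. The ACL name, all subnets, and the assumption that the Meraki side proposes one selector per local/remote subnet pair are constructed for illustration.

```python
import ipaddress
from itertools import product

# Constructed sample data, not taken from the thread.
ASA_CRYPTO_ACL = """\
access-list VPN-TO-MX extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
"""
MX_LOCAL_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]  # VPN-enabled LAN subnets on the Meraki side
MX_PEER_SUBNETS = ["10.20.0.0/16"]                   # private subnets entered for the ASA peer

def net(addr, mask=None):
    """Build a network from 'a.b.c.d/len' or from an address plus dotted mask."""
    return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)

def asa_selectors(acl_text):
    """Return {(asa_net, meraki_net)} from 'permit ip <net> <mask> <net> <mask>' entries."""
    pairs = set()
    for line in acl_text.splitlines():
        tok = line.split()
        if "permit" not in tok or "ip" not in tok:
            continue
        i = tok.index("ip")
        try:
            pairs.add((net(tok[i + 1], tok[i + 2]), net(tok[i + 3], tok[i + 4])))
        except (IndexError, ValueError):
            continue  # 'any', 'host' and object-group forms are not handled here
    return pairs

def meraki_selectors(local_subnets, peer_subnets):
    """Assumed: one selector per local/remote pair, written in (asa_net, meraki_net) order."""
    return {(net(r), net(l)) for l, r in product(local_subnets, peer_subnets)}

def compare_domains(acl_text, local_subnets, peer_subnets):
    asa = asa_selectors(acl_text)
    mx = meraki_selectors(local_subnets, peer_subnets)
    # Meraki selectors that sit inside a wider ASA selector without being identical:
    # the kind of mismatch where the result can depend on which end brings up the VPN.
    nested = {m for m in mx - asa for a in asa - mx
              if m[0].subnet_of(a[0]) and m[1].subnet_of(a[1])}
    return {"only_on_asa": sorted(asa - mx),
            "only_on_meraki": sorted(mx - asa),
            "nested": sorted(nested)}

if __name__ == "__main__":
    report = compare_domains(ASA_CRYPTO_ACL, MX_LOCAL_SUBNETS, MX_PEER_SUBNETS)
    for kind, pairs in report.items():
        for asa_net, mx_net in pairs:
            print(f"{kind}: ASA {asa_net} <-> Meraki {mx_net}")
```

All three lists are empty only when the two encryption domains are exact mirrors of each other.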

Hi PhilipDAth,

Does a mismatch in the encryption domain mean in the IPSEC phase or the ISAKMP phase?

However, both encryption domains are identical in the two phases. I can see the VPN status on the ASA: packets encrypted and decrypted, and the error rate.

From the ASA LAN I am able to reach the Meraki LAN IP through the VPN tunnel. Vice versa is sometimes not possible for specific subnets in the Meraki LAN. When I reset the tunnel, everything works fine.

After some time, the problem repeats again, from the Meraki side only.

I'd contact support. This may be tricky to debug.

Josper

Maybe the keepalives are being disabled.

Drop the tunnel and try some debugging:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-d...
