VPN Subnet is frequently disconnecting from vpn tunnel

We have a VPN established between Meraki and ASA. Interesting traffic is assigned.

But at some point in time, some of the LAN subnets in the interesting traffic from the Meraki side are not able to reach the ASA. The tunnel is working fine; the rest of the subnets are able to reach the remote ASA peer through the tunnel.

No issues are observed from the ASA end, i.e. all LAN subnets from the ASA are able to reach the Meraki LAN IPs.

I have advertised all my LAN subnets with a 255.255.0.0 subnet on both sides of the peers. Can you please suggest a solution for this? Thanks in advance.


Re: VPN Subnet is frequently disconnecting from vpn tunnel

My guess is there is a mismatch between the encryption domains on the two sides.  Which subnets work may well depend on which end brings up the VPN.

Make sure the encryption domain on both sides is 100% identical.
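
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: it compares the local/remote subnet pairs configured on each peer and flags pairs the other side lacks or covers only with a different prefix length. The subnets and the names `MERAKI`, `ASA`, `selectors` and `compare_domains` are constructed for illustration.

```python
from ipaddress import ip_network

def selectors(local_nets, remote_nets):
    """Every local/remote subnet pair configured as interesting traffic on one peer."""
    return {(ip_network(l), ip_network(r)) for l in local_nets for r in remote_nets}

def compare_domains(side_a, side_b):
    """Classify side A's pairs against the mirror image of side B's pairs.

    identical: B has exactly the mirrored pair
    overlap:   B covers the pair only with a different prefix length
    missing:   B has nothing that covers the pair
    """
    # B's (local, remote) seen from A's side is (B remote, B local).
    mirrored_b = {(b_remote, b_local) for b_local, b_remote in side_b}
    report = {"identical": [], "overlap": [], "missing": []}
    for local, remote in sorted(side_a):
        if (local, remote) in mirrored_b:
            kind = "identical"
        elif any(local.overlaps(ml) and remote.overlaps(mr) for ml, mr in mirrored_b):
            kind = "overlap"
        else:
            kind = "missing"
        report[kind].append((str(local), str(remote)))
    return report

# Constructed sample configuration (not taken from the thread).
MERAKI = selectors(
    local_nets=["10.10.0.0/16", "10.20.5.0/24", "192.168.50.0/24"],
    remote_nets=["172.16.0.0/16"],
)
ASA = selectors(
    local_nets=["172.16.0.0/16"],
    remote_nets=["10.10.0.0/16", "10.20.0.0/16"],
)

if __name__ == "__main__":
    for kind, pairs in compare_domains(MERAKI, ASA).items():
        for local, remote in pairs:
            print(f"{kind:9} {local} <-> {remote}")
```

Anything reported as `overlap` or `missing` is a pair where the two encryption domains are not identical.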


Re: VPN Subnet is frequently disconnecting from vpn tunnel

Hi PhilipDAth,

Does a mismatch in the encryption domain mean in the IPsec phase or the ISAKMP phase?

However, both encryption domains are identical in the two phases. I can see the VPN status on the ASA: packet encryption and decryption and error rate.

From the ASA LAN I am able to reach the Meraki LAN IP through the VPN tunnel. Vice versa is sometimes not possible for specific subnets in the Meraki LAN. When I reset the tunnel, everything works fine.

After some time, the problem repeats again, from the Meraki side only.


Re: VPN Subnet is frequently disconnecting from vpn tunnel

I'd contact support. This may be tricky to debug.


Re: VPN Subnet is frequently disconnecting from vpn tunnel

Maybe the keepalives are being disabled.

Drop the tunnel and try some debugging.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-d...
