VPN Tunnel Issue between Meraki and Fortigate 1500 Firewall

Nexus
Comes here often


Hello Experts,

The VPN tunnel between a Cisco Meraki MX65 (current firmware MX 17.10.2) and a Fortigate 1500 firewall (current firmware v6.2.2) is down! It came up for some time, but with no communication between the sites. It is causing frustration and the client is really upset, as this issue has been going on for over a month without resolution! We are not able to capture any packets from the Cisco Meraki when we run a packet capture for the security appliance, whereas we have another client with the same scenario and the same configuration where we are able to see the packet capture.

The phase 1 and phase 2 configuration are identical between Meraki and Fortigate firewall 1500.

A static route is configured.

I request all of you to please help and suggest any solution to get this VPN Tunnel active with communication!

4 Replies
Brash
Kind of a big deal

To clarify, is the problem that the tunnel goes down when there is no traffic going across it, or that the tunnel never comes up at all?

Nexus
Comes here often

Last week the tunnel was showing active, but in the last 2 days the tunnel automatically went to down status. It's the same configuration...

alemabrahao
Kind of a big deal

Did you notice any errors in the logs?

Have you tried these settings?


[screenshot: alemabrahao_0-1680701110027.png]


I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

GIdenJoe
Kind of a big deal

If you capture your WAN interface and filter on the host IP of the other side, or filter on port 500 or port 4500, you should see the security association frames. It might be possible that you'll have to start a ping from an inside interface on your MX to an IP on the LAN on the other side (even if it does not exist) to trigger an attempt to bring up the tunnel.
Also check on your Fortigate whether it is set to responder only; in that case you have to initiate from the MX.

If it is IKEv1 you should see 6 main mode messages and 3 quick mode messages. If you use IKEv2 you only have 4 messages.

You have to filter on the same initiator SPI to get only the packets pertaining to a certain session, or set up your Wireshark with an IPsec profile containing useful columns to quickly see where in the exchange it is failing.

You will see INFORMATIONAL messages coming from the device that does not like what the other side is sending.

Most common are:
- One or both of the devices are behind NAT and you are getting the IKE-ID wrong (the failure will happen right after the packets are encrypted).

- You still have wrong parameters at either end and there are no matching phase 1 policies (you should see it fail after the first message).

- You use IKEv2 and you have multiple local or remote networks and the device on the other side can't put everything in one SA.
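
The triage above (group the capture by initiator SPI, count main mode / quick mode or IKE_SA_INIT / IKE_AUTH messages, and flag INFORMATIONAL messages from the rejecting side) as an added example that is not part of this thread: a small IKE header parser over UDP payloads already extracted from a WAN capture. It assumes port 500 / 4500 payloads are handed to it as `(sport, dport, payload)` tuples and uses constructed, header-only sample messages rather than a real capture.

```python
import struct
from collections import defaultdict
# IKE exchange types (IKEv1 RFC 2408/2409, IKEv2 RFC 7296); both INFORMATIONAL types share a name
EXCHANGE = {2: "MainMode", 5: "Informational", 32: "QuickMode", 34: "IKE_SA_INIT",
            35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "Informational"}
# Exchanges a complete negotiation walks through, with the message count each one produces
STAGES = {1: [("MainMode", 6), ("QuickMode", 3)], 2: [("IKE_SA_INIT", 2), ("IKE_AUTH", 2)]}
# ISAKMP/IKE header: iSPI(8) rSPI(8) next-payload version exchange-type flags msg-id(4) length(4)
HDR = struct.Struct("!8s8sBBBBII")
def ike_msg(ispi, xtype, major, natt=False):
    """Build a constructed, header-only IKE message (sample data, not a real capture)."""
    hdr = HDR.pack(ispi, b"\0" * 8, 0, major << 4, xtype, 0, 0, HDR.size)
    return (b"\0" * 4 + hdr) if natt else hdr      # UDP/4500 prefixes a 4-byte non-ESP marker

def parse_ike(payload, natt):
    """Return (initiator SPI hex, major version, exchange name) or None if not an IKE message."""
    if natt:
        if payload[:4] != b"\0" * 4:
            return None                            # NAT keepalive or ESP-in-UDP, not IKE
        payload = payload[4:]
    if len(payload) < HDR.size:
        return None
    ispi, _r, _np, ver, xtype, _f, _mid, _len = HDR.unpack_from(payload)
    return ispi.hex(), ver >> 4, EXCHANGE.get(xtype, f"type{xtype}")

def diagnose(packets):
    """packets: (sport, dport, payload) from a WAN capture; returns a verdict per initiator SPI."""
    counts, major = defaultdict(lambda: defaultdict(int)), {}
    for sport, dport, payload in packets:
        parsed = parse_ike(payload, 4500 in (sport, dport)) if {sport, dport} & {500, 4500} else None
        if parsed:
            spi, ver, xname = parsed
            major[spi] = ver
            counts[spi][xname] += 1
    verdicts = {}
    for spi, c in counts.items():
        v = "negotiation complete"
        for name, need in STAGES.get(major[spi], []):
            if c[name] < need:                     # first exchange that did not finish
                v = f"stalled in {name} after {c[name]}/{need} messages"
                break
        if c["Informational"]:                     # the peer rejected something: IKE-ID, proposal, selectors
            v += f"; {c['Informational']} INFORMATIONAL message(s) from the rejecting side"
        verdicts[spi] = v
    return verdicts

# Constructed sample: IKEv1 session A dies after 2 main mode messages plus one INFORMATIONAL;
# IKEv2 session B (NAT-T on 4500) completes IKE_SA_INIT and IKE_AUTH; the 1-byte keepalive is skipped
A, B = b"A" * 8, b"B" * 8
SAMPLE = ([(500, 500, ike_msg(A, 2, 1))] * 2 + [(500, 500, ike_msg(A, 5, 1))]
          + [(4500, 4500, ike_msg(B, t, 2, True)) for t in (34, 34, 35, 35)] + [(4500, 4500, b"\xff")])
```

Run `diagnose(SAMPLE)` to see one verdict per initiator SPI; the same function over the payloads of a real port 500/4500 capture tells you which exchange the MX and the Fortigate stop at.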
