VPN WITH NON MERAKI GO DOWN (CHECKPOINT)

RTBELLO
Here to help

VPN WITH NON MERAKI GO DOWN (CHECKPOINT)

Hello

 

My VPN with a NON Meraki equipment go DOWN, the other equipment is a Checkpoint.

 

It´s happening repeatedly daily, we didn’t take actions only sets after about an hour approximately.

 

The team of the checkpoint said: “We didn´t move anything”

 

We have another VPN with NON MERAKI and doesn´t present this problem ….

 

These are the Log´s of my MX67 Meraki:

 

X.X.X.X My Public IP

Y.Y.Y.Y IP Public of the checkpoint

 

 

Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=114078164(0x6ccb1d4)
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. ad482ac8e1414444:96f5b55cbd68dfdb
Non-Meraki / Client VPN negotiation msg: request for establishing IPsec-SA was queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=206208868(0xc4a7f64)
Non-Meraki / Client VPN negotiation msg: Y.Y.Y.Y give up to get IPsec-SA due to time up to wait.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 49cf18a936a8c3ac:e9f2bda1bf813e3c
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=149535210(0x8e9b9ea)
Non-Meraki / Client VPN negotiation msg: Y.Y.Y.Y give up to get IPsec-SA due to time up to wait.

6 REPLIES 6
dlowery
Getting noticed

If you post a screenshot of your IPsec settings that might help us figure out whats going on. (Security & SD-WAN> Site-Site VPN> Organization Wide Settings) Usually if I have site-site issues with a non meraki peer, its a subnet issue or IPsec settings. This article might help you troubleshoot it too.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...


Thank´s for the answer, I checked the subnets in both site´s and are correct.

 

I read the TSHOOT of the documentation but I don´t know what is the problem.

 

This is my configuration.

 

 
 

Capture.PNGCapture2.PNG

 

 

 

PhilipDAth
Kind of a big deal

You have a phase 2 lifetime of 3600s (1 hour) and you say you are having an issue with it going down every hour?  That is a bit suspicious.

 

That would suggest the phase 2 re-renegotiation is failing.  Is either end behind NAT?

Hello, thanks.

 

Both sites are behind a NAT.

Coesione_srl
Here to help

Hi @RTBELLO 

I have had the same problem with Cisco ASA.

Try to exlicitly disable the NAT-T in Checkpoint side.

Let me know if it works.

Regards,

^This right here, if you haven't tried disabling NAT-T, do it. We have to for almost all of our non meraki peers.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels