Hello
My VPN with NON-Meraki equipment goes DOWN; the other equipment is a Checkpoint.
It's happening repeatedly, daily. We didn't take any action; it only comes back up after about an hour.
The Checkpoint team said: "We didn't move anything."
We have another VPN with NON-MERAKI equipment and it doesn't present this problem...
These are the logs of my Meraki MX67:
X.X.X.X = my public IP
Y.Y.Y.Y = public IP of the Checkpoint
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=114078164(0x6ccb1d4)
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. ad482ac8e1414444:96f5b55cbd68dfdb
Non-Meraki / Client VPN negotiation msg: request for establishing IPsec-SA was queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=206208868(0xc4a7f64)
Non-Meraki / Client VPN negotiation msg: Y.Y.Y.Y give up to get IPsec-SA due to time up to wait.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 49cf18a936a8c3ac:e9f2bda1bf813e3c
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=149535210(0x8e9b9ea)
Non-Meraki / Client VPN negotiation msg: Y.Y.Y.Y give up to get IPsec-SA due to time up to wait.
If you post a screenshot of your IPsec settings that might help us figure out what's going on (Security & SD-WAN > Site-to-Site VPN > Organization-Wide Settings). Usually if I have site-to-site issues with a non-Meraki peer, it's a subnet issue or IPsec settings. This article might help you troubleshoot it too.
Thanks for the answer. I checked the subnets on both sites and they are correct.
I read the troubleshooting documentation but I don't know what the problem is.
This is my configuration.
You have a phase 2 lifetime of 3600s (1 hour) and you say you are having an issue with it going down every hour? That is a bit suspicious.
That would suggest the phase 2 renegotiation is failing. Is either end behind NAT?
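As an added illustration of the diagnosis above (not code from the thread or from Meraki), this script classifies MX "Non-Meraki / Client VPN negotiation msg" lines like the ones posted and flags the pattern of an IPsec-SA expiry followed by a phase 1 timeout and a phase 2 request with no phase 1 to use, which is what a failed rekey looks like in these logs. The sample lines and the event names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the MX log format from the thread; placeholder IPs kept.
SAMPLE_LOG = """\
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel Y.Y.Y.Y[500]->X.X.X.X[500] spi=114078164(0x6ccb1d4)
Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: X.X.X.X[500]<=>Y.Y.Y.Y[500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. ad482ac8e1414444:96f5b55cbd68dfdb
Non-Meraki / Client VPN negotiation msg: request for establishing IPsec-SA was queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: Y.Y.Y.Y give up to get IPsec-SA due to time up to wait.
"""

PREFIX = "Non-Meraki / Client VPN negotiation msg: "

# Event names are our own labels; the regexes match the MX message texts.
PATTERNS = [
    ("sa_expired", re.compile(r"IPsec-SA expired: ESP/Tunnel ([^\[\s]+)\[\d+\]->([^\[\s]+)\[\d+\](?: spi=(\d+))?")),
    ("p2_initiated", re.compile(r"initiate new phase 2 negotiation")),
    ("p1_timeout", re.compile(r"phase1 negotiation failed due to time up\.\s*([0-9a-f]+):([0-9a-f]+)")),
    ("queued_no_p1", re.compile(r"queued due to no phase1 found")),
    ("p2_giveup", re.compile(r"give up to get IPsec-SA due to time up")),
]

def classify(line):
    """Return (event, match) for one VPN negotiation line, or None for any other line."""
    if not line.startswith(PREFIX):
        return None
    msg = line[len(PREFIX):]
    for event, rx in PATTERNS:
        m = rx.search(msg)
        if m:
            return event, m
    return "other", None

def triage(log_text):
    """Count events and report whether the log shows a failed IKE rekey after SA expiry."""
    counts = Counter()
    ike_spis = []  # initiator:responder cookies of the phase 1 attempts that timed out
    for line in log_text.splitlines():
        c = classify(line)
        if c is None:
            continue
        event, m = c
        counts[event] += 1
        if event == "p1_timeout":
            ike_spis.append(m.group(1) + ":" + m.group(2))
    # Expiry, then a phase 1 that times out, then phase 2 work queued or abandoned for
    # lack of a phase 1 SA: the rekey never completed, so the tunnel stays down until
    # a later attempt succeeds. Check NAT-T / UDP 4500 reachability on both peers.
    rekey_failed = counts["p1_timeout"] > 0 and (counts["queued_no_p1"] > 0 or counts["p2_giveup"] > 0)
    return {"counts": dict(counts), "ike_spis": ike_spis, "rekey_failed": rekey_failed}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```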
Hello, thanks.
Both sites are behind a NAT.
Hi @RTBELLO
I have had the same problem with Cisco ASA.
Try to explicitly disable NAT-T on the Checkpoint side.
Let me know if it works.
Regards,
^This right here, if you haven't tried disabling NAT-T, do it. We have to for almost all of our non-Meraki peers.