VPN disconnections

Solved
ReyesPolanco
Here to help

Hello!

Here again, I'm resolving an issue I'm having with a Meraki VPN with SonicWall. In case this has happened to anyone else and they can help me.

A site-to-site VPN was set up between Meraki and SonicWall; however, the VPN disconnected. That is, despite the Meraki dashboard showing the status, no traffic was passing through. The solution was to turn the VPN off and on again on the SonicWall side.

Do you think this is due to a Phase 1 and Phase 2 configuration issue?

 

Captura de pantalla 2025-06-02 a la(s) 9.28.45 a.m..png

1 Accepted Solution
ReyesPolanco
Here to help

Thank you all for your great support. We solved the problem using IKEv1 and the following values in phases 1 and 2.

Captura de pantalla 2025-06-05 a la(s) 9.32.28 a.m..png

14 Replies
alemabrahao
Kind of a big deal

Try to increase the lifetime (28800) of phase 1; it is not good practice to leave both phase 1 and phase 2 with the same lifetime.

https://www.sonicwall.com/medialibrary/docs/tech-alliance/IntegrationGuide_CiscoMeraki.pdf

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ReyesPolanco
Here to help

Initially, the lifetime was set to 28800, but it was lowered to see if that would change anything, but it's still present. I'm going to set the phase 1 value to 28800. Thanks!

alemabrahao
Kind of a big deal

Is DPD enabled on SonicWall?

 

If DPD is not enabled or not functioning properly, the SonicWall may not detect that the Meraki side is idle or unreachable.

ReyesPolanco
Here to help

Yes, it's correct. Do you consider it important to disable it?

alemabrahao
Kind of a big deal

On the contrary, it states that it is necessary to have DPD. In Meraki, it is already enabled by default.

ReyesPolanco
Here to help

It is necessary to mention that this configuration was made based on a document provided by both vendors Meraki-Sonic, which is why it seems strange to me that these problems occur.

Captura de pantalla 2025-06-02 a la(s) 10.55.34 a.m..png

cmr
Kind of a big deal

Have you tried enabling dead peer detection for idle VPN sessions?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
ReyesPolanco
Here to help

No, but I'll take it as a test with the client, hoping it will solve the problem.

Grizwald
New here

What do the logs show on either side for the Disconnect reason?  Is there any attempt to re-establish from the Meraki end? Are Security Associations formed on the Meraki end once the tunnel attempts to reestablish? 

ReyesPolanco
Here to help

The problem is that the tunnel never shows up. It's visible from above in Meraki, but when attempting to connect between segments, it fails. There are no logs or anything indicating a problem, and the workaround is to turn the VPN on and off on the Sonic side.

DarrenOC
Kind of a big deal

What happens if you generate traffic over the VPN, i.e. PING? Does the tunnel re-establish?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
ReyesPolanco
Here to help

No, the problem is that for the Meraki dashboard it is always active but without passing traffic.

AlexL1
Meraki Employee

Hi ReyesPolanco,

I hope your day is going well.

 

Please find our detailed guide - MX to SonicWall Site-to-Site VPN - https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Sonicwall_Site-to-Site_VPN_Setup

SonicWall also has their own integration guide for Cisco Meraki - https://www.sonicwall.com/medialibrary/docs/tech-alliance/IntegrationGuide_CiscoMeraki.pdf

Troubleshooting:

STEP 1 - Generate interesting traffic - from a device in MX site constantly pinging another device on the Remote Peer (SonicWall) side.

STEP 2 - Start taking PCAPs:

  • On the MX primary uplink Internet interface - filter for "ip.addr == <public IP address SonicWall> && (isakmp || esp)" --> Do you see bi-directional traffic on UDP 500 and/or UDP 4500?
  • MX IPsec VPN interface - filter for "ip.addr==<source IP device MX site> and ip.addr==<dest IP SonicWall site>"

STEP 3 - What does the Security & SD-WAN --> VPN Status --> Non-Meraki VPN section show - green dot, red dot, orange dot?

STEP 4 - What are the Event logs showing on the Dashboard?

  • Network-wide > Monitor > Event log. Select the All Non-Meraki / Client VPN event log type as the sole Event type include option and click on the search button

STEP 5 - What do the logs on the Remote Peer - SonicWall show? Can you take PCAPs on that side as well?

If you need any assistance, please feel free to create a case with Meraki Support Team and arrange a Live Troubleshooting session 🙂

 

If you found this post helpful, please give it kudos.
If my answer solved your problem, click "accept as solution" so that others can benefit from it.
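
Added example (not part of any post in this thread and not Meraki or SonicWall code): the bi-directional check from STEP 2, run over tshark field output exported from the MX uplink capture. The IP addresses, sample rows, SPI value and verdict names are constructed for illustration.

```python
from collections import Counter

# Constructed sample: tab-separated output of
#   tshark -r uplink.pcap -Y "isakmp || esp" -T fields \
#          -e frame.time_epoch -e ip.src -e ip.dst -e esp.spi
# 203.0.113.10 = MX uplink, 198.51.100.20 = SonicWall (documentation ranges).
SAMPLE = """\
1717340000.10\t203.0.113.10\t198.51.100.20\t
1717340000.15\t198.51.100.20\t203.0.113.10\t
1717340030.00\t203.0.113.10\t198.51.100.20\t0x0a1b2c3d
1717340031.00\t203.0.113.10\t198.51.100.20\t0x0a1b2c3d
1717340032.00\t203.0.113.10\t198.51.100.20\t0x0a1b2c3d
"""

def tunnel_direction(tshark_fields, mx_ip, peer_ip):
    """Count IKE and ESP packets per direction and name the pattern seen."""
    seen = Counter()
    for line in tshark_fields.splitlines():
        cols = line.split("\t")
        if len(cols) < 4:
            continue                      # blank or truncated row
        _, src, dst, spi = cols[:4]
        if (src, dst) == (mx_ip, peer_ip):
            way = "out"
        elif (src, dst) == (peer_ip, mx_ip):
            way = "in"
        else:
            continue                      # not between the two VPN peers
        # The display filter only passes IKE or ESP, so a row carrying an
        # SPI is ESP (native or UDP-encapsulated); the rest is IKE.
        seen[("esp_" if spi.strip() else "ike_") + way] += 1
    if seen["ike_out"] and not seen["ike_in"]:
        verdict = "ike_unanswered"        # peer never replies on UDP 500/4500
    elif seen["esp_out"] and not seen["esp_in"]:
        verdict = "esp_one_way_out"       # MX encrypts, nothing comes back
    elif seen["esp_in"] and not seen["esp_out"]:
        verdict = "esp_one_way_in"        # peer sends, MX side never answers
    elif seen["esp_out"] and seen["esp_in"]:
        verdict = "esp_bidirectional"
    else:
        verdict = "no_esp"                # no interesting traffic captured
    return dict(seen), verdict

if __name__ == "__main__":
    print(tunnel_direction(SAMPLE, "203.0.113.10", "198.51.100.20"))
```

An `esp_one_way_out` result while the dashboard still shows the tunnel as up is the case where the peer-side logs and capture from STEP 5 are the next thing to collect.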