
VPN stops passing traffic between Meraki Security Appliances and Cisco ASAv devices

Here to help

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

Meraki uses "lifetime-kb-unlimited" and there is no way to change this. We had an issue where we were doing MX VPNs to Cisco ASA and this is what was recommended by Meraki support. I believe this is also why Azure tunnels won't stay connected. You need an ASA running 9.1(2) or higher I believe to use this command.

 

On Cisco ASA you have to specify this in crypto-map:

 

crypto map <map-name> <seq-num> set security-association lifetime kilobytes unlimited

 

T-800

Getting noticed

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

Hi T-800,

This issue is NOT related to the issue with ASA and data-usage lifetime. This is a separate issue with VPNs ceasing to pass traffic on multiple 3rd-party firewall brands which have no data-limit expiration.
Here to help

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

Update: I ran all day today, and Meraki Support did not turn off NAT-T; it is still on. No drops, then had a blip at 5pm and now down from 6pm-9pm, no explanation.

 

Building a reputation

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

Maybe it is related to the anti-replay window size as per the above comments. If that's the fix, what would be shocking to me is the fact that I have had my ticket open for months and no engineer has been able to provide any information, and that the 'fix' actually comes so late. In any case, the damage is done.

Here to help

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

Update, we have for sure verified and removed NAT-T on both sides.

 

Thanks,
Scott

 

Building a reputation

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

From the logs, I can see this when failing from the ASA:

 

where x.x.x.x is the Meraki remote public IP.

 

 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x00007ffe60d39e40, mess id 0xb107883c)!

 [IKEv1]Group = x.x.x.x, IP = x.x.x.x., Removing peer from correlator table failed, no match!

 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Phase 2 Mismatch

 

Also, from the debugging, it looks like there's a crypto ACL mismatch, but the ACL that shows the log is actually properly configured in both sides, mirrored. Again, when clearing the tunnel everything starts working fine again. 

 

Cisco pointing to Meraki, but no answer from them. 
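Added here as an example (not code from this thread, from Cisco or from Meraki): a small Python triage helper that parses ASA IKEv1 log lines in the format quoted above and flags peers whose session was torn down with "Phase 2 Mismatch", separating that from an operator-initiated clear. The peer addresses and the lines not quoted in the thread are constructed.

```python
import re
from collections import defaultdict

# ASA IKEv1 log prefix as quoted in the thread: "[IKEv1]Group = <peer>, IP = <peer>, <message>"
IKEV1_RE = re.compile(r"\[IKEv1\]Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), (?P<msg>.*)$")

# Messages that indicate a failed phase-2 (IPsec SA) negotiation rather than a clean
# rekey or an operator-initiated clear.
PHASE2_EVENTS = {
    "qm_fsm_error": re.compile(r"QM FSM error"),
    "correlator_miss": re.compile(r"Removing peer from correlator table failed"),
    "phase2_mismatch": re.compile(r"Session is being torn down\. Reason: Phase 2 Mismatch"),
}


def parse_ikev1_line(line):
    """Return (group, ip, event) for a line matching one of PHASE2_EVENTS, else None."""
    m = IKEV1_RE.search(line)
    if not m:
        return None
    for event, pattern in PHASE2_EVENTS.items():
        if pattern.search(m.group("msg")):
            return m.group("group"), m.group("ip"), event
    return None


def triage(lines):
    """Count phase-2 failure events per peer and flag peers torn down with
    'Phase 2 Mismatch' (a proposal / lifetime / crypto-ACL disagreement to chase,
    as opposed to a NAT-T or keepalive problem)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_ikev1_line(line)
        if parsed:
            group, _ip, event = parsed
            counts[group][event] += 1
    flagged = sorted(peer for peer, events in counts.items() if events.get("phase2_mismatch"))
    return {peer: dict(events) for peer, events in counts.items()}, flagged


# Constructed sample log (RFC 5737 documentation addresses; hex fields copied from the thread).
SAMPLE_LOG = [
    "[IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0x00007ffe60d39e40, mess id 0xb107883c)!",
    "[IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from correlator table failed, no match!",
    "[IKEv1]Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: Phase 2 Mismatch",
    "[IKEv1]Group = 198.51.100.7, IP = 198.51.100.7, Session is being torn down. Reason: User Requested",
    "[IKEv1]Group = 198.51.100.7, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=0x1a2b3c4d)",
]

if __name__ == "__main__":
    per_peer, flagged = triage(SAMPLE_LOG)
    for peer in flagged:
        print(f"{peer}: phase-2 failure sequence {per_peer[peer]}")
```

Feed it the output of the ASA's IKEv1 logging (or the debug quoted above) to see which peers repeatedly hit the mismatch path before the tunnel is cleared by hand.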

 

 

Here to help

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

So far we have turned off NAT-T on both sides; been up 7 days, no events.

Building a reputation

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

Are you NATting in the firewall? I have everything behind NAT, so I wouldn't understand the point of disabling NAT-T, as I need to encapsulate in UDP to work with PAT 😕

Here to help

Re: VPN stops passing traffic between Meraki Security Appliances and Watchguard M300

Yes, we are NATted completely behind the firewall. My understanding is that NAT-T only affects this site-to-site VPN, whose public side is all real IPs. It's not a global setting, so someone trying to get on a VPN inside my network can.

 

So far up since last Wednesday, no events. I just added back, or the WatchGuard side added back in, the secondary endpoint for ISP2, and they had to turn on dead peer detection, so now the clock is reset.

New here

Re: VPN stops passing traffic between Meraki Security Appliances and Cisco ASAv devices

I just wanted to chime in here with a "me too"

 

Meraki end: MX84, version 14.40

Cisco end: ASA 5585, version 9.8.4(10)

 

For two weeks I've been having to re-type a PSK on both the Meraki and Cisco ASA side to get the tunnel to come back up. My settings were:

 

IKE Policy: AES 256, SHA1, 86400 lifetime

IPSEC Proposal: AES 256, SHA1, 86400 lifetime

 

Problem:  Tunnel drops right at 18 hours.

 

I had Meraki turn off NAT-T -- this did not fix the issue.

 

I then made the following changes:

 

IKE: 3DES, SHA1, lifetime 3600

IPSEC: 3DES, SHA1, lifetime 3600

NAT-T turned off still

 

Tunnel has been up for 20+ hours with no drop. I'm assuming it's the lifetime values and not the IKE/IPSEC proposals. At any rate, after struggling through this for weeks I'm happy it seems to be working better now.

 

Skip

 

 
