Meraki uses "lifetime-kb-unlimited" and there is no way to change this. We had an issue where we were doing MX VPNs to a Cisco ASA and this is what was recommended by Meraki support. I believe this is also why Azure tunnels won't stay connected. You need an ASA running 9.1(2) or higher, I believe, to use this command.
On the Cisco ASA you have to specify this in the crypto map:
crypto map <map-name> <seq-num> set security-association lifetime kilobytes unlimited
Update: I ran all day today, and Meraki Support did not turn off NAT-T, it is still on. No drops, then had a blip at 5pm, and now down from 6pm-9pm with no explanation.
Maybe it is related to the anti-replay window size as per the above comments. If that's the fix, what would be shocking to me is the fact that I have had my ticket open for months and no engineer has been able to provide any information, and that the 'fix' actually comes so late. In any case, the damage is done.
From the logs, I can see this when failing from the ASA
(where x.x.x.x is the Meraki remote public IP):
[IKEv1]Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x00007ffe60d39e40, mess id 0xb107883c)!
[IKEv1]Group = x.x.x.x, IP = x.x.x.x., Removing peer from correlator table failed, no match!
[IKEv1]Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Phase 2 Mismatch
Also, from the debugging, it looks like there's a crypto ACL mismatch, but the ACL that shows up in the log is actually properly configured on both sides, mirrored. Again, when clearing the tunnel everything starts working fine again.
Cisco is pointing to Meraki, but no answer from them.
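To make the teardown pattern above easier to spot in a larger ASA syslog capture, here is a small parser I put together (added here, not from any poster or from Cisco/Meraki) that groups "Session is being torn down" reasons per peer IP and flags peers that also logged the preceding "QM FSM error". The sample log lines are constructed from the ones quoted above, with RFC 5737 placeholder addresses.

```python
import re
from collections import defaultdict

# Constructed sample of ASA IKEv1 syslog lines modelled on the thread (placeholder IPs).
SAMPLE_LOG = """\
[IKEv1]Group = 203.0.113.7, IP = 203.0.113.7, QM FSM error (P2 struct &0x00007ffe60d39e40, mess id 0xb107883c)!
[IKEv1]Group = 203.0.113.7, IP = 203.0.113.7., Removing peer from correlator table failed, no match!
[IKEv1]Group = 203.0.113.7, IP = 203.0.113.7, Session is being torn down. Reason: Phase 2 Mismatch
[IKEv1]Group = 198.51.100.9, IP = 198.51.100.9, Session is being torn down. Reason: User Requested
"""

# The IP field sometimes carries a stray trailing dot in the pasted logs, so tolerate it.
LINE_RE = re.compile(r"^\[IKEv1\]Group = (?P<group>\S+), IP = (?P<ip>\S+?)\.?, (?P<msg>.*)$")
REASON_RE = re.compile(r"Session is being torn down\. Reason: (?P<reason>.+)$")


def parse_ikev1_lines(log_text):
    """Yield (peer_ip, message) for every line that looks like an ASA IKEv1 event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("msg")


def teardown_reasons(log_text):
    """Count 'Session is being torn down' reasons per peer IP."""
    counts = defaultdict(lambda: defaultdict(int))
    for ip, msg in parse_ikev1_lines(log_text):
        r = REASON_RE.match(msg)
        if r:
            counts[ip][r.group("reason").strip()] += 1
    return {ip: dict(reasons) for ip, reasons in counts.items()}


def phase2_mismatch_peers(log_text):
    """Peers torn down for 'Phase 2 Mismatch' that also logged a QM FSM error.

    These are the tunnels whose Phase 2 proposal, crypto ACL and SA lifetime
    settings should be compared side by side with the Meraki end.
    """
    qm_error = {ip for ip, msg in parse_ikev1_lines(log_text) if msg.startswith("QM FSM error")}
    reasons = teardown_reasons(log_text)
    return sorted(ip for ip, r in reasons.items() if "Phase 2 Mismatch" in r and ip in qm_error)


if __name__ == "__main__":
    print(teardown_reasons(SAMPLE_LOG))
    print("Peers to check:", phase2_mismatch_peers(SAMPLE_LOG))
```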
Are you NATting in the firewall? I have everything behind NAT, so I wouldn't understand the point of disabling NAT-T, as I need to encapsulate in UDP to work with PAT 😕
Yes, we are NATted completely behind the firewall. My understanding is that NAT-T only affects this site-to-site VPN, whose public side is all real IPs. It's not a global setting, so someone trying to get on a VPN inside my network can.
So far up since last Wednesday, no events. I just added back, or the WatchGuard side added back, the secondary endpoint for ISP2, and they had to turn on dead peer detection, so now the clock is reset.
I just wanted to chime in here with a "me too".
Meraki end: MX84, version 14.40
Cisco end: ASA 5585, version 9.8.4(10)
For two weeks I've been having to re-type a PSK on both the Meraki and Cisco ASA side to get the tunnel to come back up. My settings were:
IKE Policy: AES 256, SHA1, 86400 lifetime
IPSEC Proposal: AES 256, SHA1, 86400 lifetime
Problem: Tunnel drops right at 18 hours.
I had Meraki turn off NAT-T -- this did not fix the issue.
I then made the following changes:
IKE: 3DES, SHA1, lifetime 3600
IPSEC: 3DES, SHA1, lifetime 3600
NAT-T turned off still
Tunnel has been up for 20+ hours with no drop. I'm assuming it's the lifetime values and not the IKE/IPsec proposals. At any rate, after struggling through this for weeks I'm happy it seems to be working better now.