VPN tunnel between Meraki and Checkpoint

NicoHuang
Here to help

Hi all!

Wanted to seek your insights on a strange issue we’ve encountered... Some of our offices are running on MX250, while our Azure side uses a Checkpoint firewall.

The problem we have is this: for the Boston (MX250) to Azure SEA (Checkpoint) VPN tunnel, we noticed that despite the tunnel status showing as "up" on both the Meraki and CP pages, the servers behind the Checkpoint can't reach certain subnets in Boston...

Checking the logs, when the tunnel is being established, for any subnet that can't be reached, the last packet sent from Meraki to Checkpoint fails, followed by multiple "payload malformed" error messages... (We've also opened a case with Meraki, and packet captures from Meraki show that it is sending packets to Checkpoint but not receiving a response... seems like a loop.)

We also noticed that on Checkpoint, the VPN tunnel between BOS and Azure SEA resets every 3-4 min (not sure if this is related to the "payload malformed" message).

Another interesting finding is that the WAN2 interface on BOSMX250 cannot ping AZSEA’s public IP... We tested other offices with MX250, and it seems to be the same behavior: only one WAN interface can ping this public IP, while the other cannot. (And the failing one is the primary link.)

Not sure if anyone has encountered a similar issue? Any suggestions would be greatly appreciated!
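A small triage script, added here as an example and not part of the thread or of any Meraki or Check Point tooling. It takes constructed, simplified VPN event-log lines (the `key=value` format and the event names are assumptions made for this example) and answers the two questions raised above from the log rather than by eye: which subnet pairs ended their last negotiation with a "payload malformed" failure, and how often the IKE SA is actually being torn down, so the "resets every 3-4 min" observation can be confirmed against timestamps.

```python
"""Triage helper for a flapping site-to-site IPsec tunnel.

Constructed example: the log format below is made up for illustration and
is not real Meraki or Check Point output. Any export with a timestamp, an
event name and local/remote subnet fields can be mapped onto it.
"""
import re
import shlex
from collections import OrderedDict
from datetime import datetime

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
2024-05-01 10:00:00 peer=198.51.100.10 event=ike_established
2024-05-01 10:00:01 peer=198.51.100.10 event=child_sa_established local=10.1.10.0/24 remote=10.20.0.0/16
2024-05-01 10:00:02 peer=198.51.100.10 event=child_sa_failed local=10.1.20.0/24 remote=10.20.0.0/16 reason="payload malformed"
2024-05-01 10:00:02 peer=198.51.100.10 event=child_sa_failed local=10.1.20.0/24 remote=10.20.0.0/16 reason="payload malformed"
2024-05-01 10:03:30 peer=198.51.100.10 event=ike_deleted
2024-05-01 10:03:31 peer=198.51.100.10 event=ike_established
2024-05-01 10:03:32 peer=198.51.100.10 event=child_sa_established local=10.1.10.0/24 remote=10.20.0.0/16
2024-05-01 10:03:33 peer=198.51.100.10 event=child_sa_established local=10.1.20.0/24 remote=10.20.0.0/16
2024-05-01 10:03:34 peer=198.51.100.10 event=child_sa_failed local=10.1.30.0/24 remote=10.20.0.0/16 reason="payload malformed"
2024-05-01 10:07:10 peer=198.51.100.10 event=ike_deleted
"""

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")  # "<date> <time> <key=value ...>"


def parse_line(line):
    """Parse one log line into a dict with a 'ts' datetime plus key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fields = {}
    for token in shlex.split(m.group(2)):  # shlex keeps quoted values whole
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = ts
    return fields


def parse_log(text):
    """Parse every non-empty line; unparseable lines are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def last_status_per_pair(events):
    """Map (local, remote) subnet pair -> event name of its most recent negotiation."""
    last = OrderedDict()
    for e in events:
        if "local" in e and "remote" in e:
            last[(e["local"], e["remote"])] = e["event"]
    return last


def unreachable_pairs(events):
    """Subnet pairs whose latest negotiation failed: these are the ones still unreachable."""
    return sorted(p for p, st in last_status_per_pair(events).items() if st == "child_sa_failed")


def malformed_counts(events):
    """How many 'payload malformed' failures each subnet pair produced."""
    counts = {}
    for e in events:
        if e.get("reason") == "payload malformed":
            key = (e["local"], e["remote"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def reset_intervals(events, event_name="ike_deleted"):
    """Seconds between consecutive IKE SA teardowns, in log order."""
    times = [e["ts"] for e in events if e["event"] == event_name]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def is_flapping(intervals, threshold_s=300):
    """True when any two teardowns are closer together than threshold_s (default 5 min)."""
    return bool(intervals) and min(intervals) < threshold_s


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("still unreachable:", unreachable_pairs(evs))
    print("malformed per pair:", malformed_counts(evs))
    ivals = reset_intervals(evs)
    print("seconds between IKE resets:", ivals, "flapping:", is_flapping(ivals))
```

The point of `unreachable_pairs` is that it keys on the last outcome per subnet pair, not on any failure: in the sample, 10.1.20.0/24 failed twice and then came up after a reset, while 10.1.30.0/24 is the one still down. Comparing that list with the subnets the servers behind the Checkpoint cannot reach, and the reset interval with the 3-4 minute rekey/DPD timers on each side, narrows the problem to a specific selector or timer before anyone starts changing IKE settings.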

alemabrahao
Kind of a big deal

Take a look at this:

Troubleshooting Non-Meraki Site-to-site VPN - Cisco Meraki Documentation

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/SASE-IPsec-VPN-Integration/Co...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
NicoHuang
Here to help

Thanks for sharing, will check these articles!

PhilipDAth
Kind of a big deal

IKEv2 on Meraki will only negotiate a single subnet combination at a time. If you change it to IKEv1, the issue will go away.

NicoHuang
Here to help

Thank you for the suggestion! I just double-checked the settings on both Meraki and CheckPoint: we did set the IKE version to IKEv1, and on CheckPoint we've configured the encryption method to IKEv1 for IPv4 and IKEv2 for IPv6 only, but the issue still occurs intermittently.

Also, when the issue happens, we captured packets on both sides... both the MX250 and the Checkpoint are actively initiating Non-Meraki VPN negotiation traffic (UDP ports 500 and 4500) to each other, but neither is receiving inbound VPN packets properly...

Based on this behavior... just guessing, the VPN negotiation packets might be getting dropped somewhere along the ISP's path. Could that be the case?
