VPN up but no LAN to LAN connectivity

Francois
Just browsing


Hello friends,

I am trying to set back up a VPN that was running OK until I faced an internet connectivity issue on one of the two sites. Now it is fixed but I can't make it run fine anymore.

The VPN tunnel itself seems to be up and running but the remote LAN status on each site stays in red in the VPN status menu / "1 site to site peer" and of course no end to end ping works.

 

Any idea on the way to troubleshoot this?

 

Thanks in advance guys,

François

8 REPLIES
MilesMeraki
Head in the Cloud

Have you tried to bounce the tunnel from the site that isn't working? (Security appliance>Site to Site VPN, turn the type to off, apply changes and then revert back to your desired setting - Spoke or Hub).

 

Under the Organization>VPN Status page for the site with problems, what does the VPN registry, NAT Type and Encryption messages say?

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

I would go with @MilesMeraki's idea of bouncing the problem site.

 

Also, is this an AutoVPN between Meraki MX units, or is this a third party VPN?

Thanks for the input. It is a VPN between an MX60 and a Z1, both using broadband access with variable public IP addresses.

RedBeard
New here

I've had a similar problem with one remote site that would have some kind of problem with its service provider. When it would come back online it did not reconnect the AutoVPN. Normally we would need to drop the VPN, wait for the config to update and re-enable. Sometimes disable the VPN, and reboot the security appliance.

That's what has worked for us in the past.

I played around a while with disabling and enabling the VPN back, in H&S or 1x Hub and the other Spk. I suspect the site that faced the connectivity issue is now having stability problems with the VPN registry...

Rebooting the appliance is a good idea, thanks.

Francois
Just browsing

What about this, considering neither of the two sites uses a static IP address?

 

https://documentation.meraki.com/MX-Z/Deployment_Guides/SD-WAN_Deployment_Guide_(CVD)

 

If manual NAT traversal is selected, it is highly recommended that the VPN concentrator be assigned a static IP address. Manual NAT traversal is intended for configurations when all traffic for a specified port can be forwarded to the VPN concentrator.

 

What would be the best setting then according to you?


How are the two MXs configured? I.e., do they plug directly into your ISP's network with public IPs directly on the WAN interfaces, or do they have an ISP modem upstream and have private IPs?

 

If you're suspecting an issue with the VPN Registry communication, numerous alerts will be generated within your event log of the MX in question. If you're seeing alerts of VPN disconnect a lot, this would point to this. I've had this problem in the past and had to engage Meraki support to manually change the registry that the MX was trying to communicate with to stop the problem.

Eliot F | Simplifying IT with Cloud Solutions