Meraki

Community

determine the last time a non-Meraki VPN peer was successfully used?

cabricharme
Getting noticed
‎Jun 3 2024 2:57 PM
‎Jun 3 2024 2:57 PM

determine the last time a non-Meraki VPN peer was successfully used?

What logs / events should I look at it, to determine the last time a non-Meraki VPN peer was successfully used?

 

(Please walk me through this as I am new to Meraki, and don't have a lot of experience with it or site-to-site VPNs.)

 

Context:

  • there is one non-Meraki peer in our site-to-site VPN setup, along with a number of Meraki peers.
  • that non-Meraki peer is showing red (down), likely due to our attempts to troubleshoot poor VPN and internet connectivity and change a few things.
  • On the "VPN Status" page, there's no indication (at least as far I can tell) of when it went down, or when it was last up
  • We're trying to track down which change brought that non-Meraki VPN peer down, and having the timestamp of the last successful connection would be very helpful
  • The appliance is MX100 on our side

 

cabricharme_0-1717451750633.png

 

 

Thank you!

Labels:
0 Kudos
3 Replies 3
cabricharme
Getting noticed
‎Jun 3 2024 3:17 PM
‎Jun 3 2024 3:17 PM

We just tried switching the primary uplink back to the secondary WAN (WAN 2) - and the peer came up.

 

(We changed the primary uplink to WAN 1 from WAN 2 last week trying to stabilize our site-to-site VPN which was frequently going down. I didn't help - but didn't seem to make things worse other than today's discovery of the VPN peer being down.)

 

Guess the peer is somehow hard-wired to a specific uplink being the primary one? (Traffic is load balanced between uplinks, VPN "active-active" status doesn't seem to matter, nor does "immediate" vs. "graceful" failover.

 

Is there a way to configure it to work regardless of which uplink is primary?

 

P.S. The original question still stands though, how to track down the time a VPN peer went down or was last successfully used.

0 Kudos
rhbirkelund
Kind of a big deal
Kind of a big deal
‎Jun 3 2024 11:30 PM
‎Jun 3 2024 11:30 PM

The Non-Meraki Site-to-Site VPN to the Meraki is not configured to the device itself per se. On your remote end, you configure it towards a specific interface on the MX. Not the Device as such. So you'll need to essentially, configure two VPN tunnels on the remote end, towards each uplink on your MX.

 

And even then, I'm' not completely sure how it'll operate. I.e. how traffic will flow, assuming both tunnels are open.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
In response to rhbirkelund
cabricharme
Getting noticed
‎Jun 6 2024 2:27 PM
‎Jun 6 2024 2:27 PM

Thanks - that makes sense!

 

(Except perhaps that the tunnel should still work when VPN is active-active over two uplinks? In other words why does it stop working if VPN is active-active on two uplinks, the peer is to set up to an IP on, say WAN 2, and the primary uplink is switched to WAN 1?)

 

(Leaving the main question unsolved as I'd still like to get answer to that, too - how to determine the timestamp of the last successful connection over a non-Meraki VPN peer.)

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.