non-Meraki VPN (on a Friday)

Solved
network-shmuck
Conversationalist

Yes, I am aware that it was a bad time, but I didn't schedule it.

My VPN to the other device isn't coming up.  Looks to be stuck at phase I:

Non-Meraki / Client VPN negotiation msg: IPsec-SA request for [public IP addr] queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 10.200.40.180[500]->[public IP addr][500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
Non-Meraki / Client VPN negotiation msg: request for establishing IPsec-SA was queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 10.200.40.180[500]->[public IP addr][500]
Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.
Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 10.200.40.180[500]<=>[public IP
Non-Meraki / Client VPN negotiation msg: IPsec-SA request for [public IP addr] queued due to no phase1 found.

From the capture, it looked like a phase II message was coming in before phase I had been completed (leading to the ignore above?).  Anyway, that's as far as it gets.

Thoughts?

1 Accepted Solution
PhilipDAth
Kind of a big deal

You'll find the remote end needs to have your private IP address configured as its peer identity (which is different from the peer IP address).

4 Replies
PhilipDAth
Kind of a big deal

I can see 10.200.40.180 is sitting behind another device doing NAT.  Make sure that the device is NATing udp/500 and udp/4500 through to the IP address on the MX.

network-shmuck
Conversationalist

Thanks PDA.

Here's the capture decode I was talking about earlier:

IP 10.200.40.180.500 > [public IP addr].500: isakmp: phase 1 I ident
IP [public IP addr].500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.500 > [public IP addr].500: isakmp: phase 1 I ident
IP [public IP addr].500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.4500 > [public IP addr].4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP [public IP addr].4500 > 10.200.40.180.4500: NONESP-encap: isakmp: phase 2/others R inf[E]

The fact that I get responses back on both port 500 and 4500 indicates to me that NAT is working.
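An added triage script, not part of this thread or of Meraki's software, that automates the reasoning in the two posts above (PhilipDAth's NAT-forwarding check and the capture decode): it parses MX "Non-Meraki / Client VPN negotiation msg" event lines and a tcpdump-style ISAKMP decode, reports whether the peer answered on udp/500 and udp/4500 (so port forwarding is not the problem), whether NAT-T is in use, and whether phase 1 ever completed. The sample lines are constructed to mirror the thread, with the documentation address 203.0.113.10 standing in for the redacted public IP; private-range detection and the wording of the findings are my assumptions.

```python
"""Triage helper for an IKEv1 phase 1 failure behind NAT.

Constructed example modelled on the thread's log lines; not Meraki code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample data; 203.0.113.10 is a placeholder for the redacted public IP.
MX_EVENTS = """\
Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 10.200.40.180[500]<=>203.0.113.10[500]
Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.
Non-Meraki / Client VPN negotiation msg: IPsec-SA request for 203.0.113.10 queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
"""

CAPTURE = """\
IP 10.200.40.180.500 > 203.0.113.10.500: isakmp: phase 1 I ident
IP 203.0.113.10.500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP 203.0.113.10.4500 > 10.200.40.180.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
"""

# tcpdump "IP a.b.c.d.port > e.f.g.h.port: rest" line layout
PKT_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# RFC 1918 ranges (assumption: a private local address means the MX sits behind NAT)
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


@dataclass
class Triage:
    local_ip: str = ""
    peer_ip: str = ""
    local_is_private: bool = False
    replies_on: set = field(default_factory=set)   # UDP ports the peer answered on
    nat_t: bool = False                            # saw NONESP-encap (NAT-T) on 4500
    phase1_established: bool = True
    findings: list = field(default_factory=list)


def parse_events(text, t):
    """Pull local/peer addresses and phase 1 outcome out of MX event lines."""
    for line in text.splitlines():
        m = re.search(r"initiate new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]", line)
        if m:
            t.local_ip, t.peer_ip = m.group(1), m.group(2)
        if "phase1 negotiation failed" in line or "ISAKMP-SA has not been established" in line:
            t.phase1_established = False


def parse_capture(text, t):
    """Record which ports carried replies from the peer and whether NAT-T was used."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        if not t.local_ip:                      # fall back to the first packet's addresses
            t.local_ip, t.peer_ip = m["src"], m["dst"]
        if "NONESP-encap" in m["rest"]:
            t.nat_t = True
        if m["dst"] == t.local_ip:              # packet travelling back to us is a reply
            t.replies_on.add(int(m["dport"]))


def triage(events, capture):
    t = Triage()
    parse_events(events, t)
    parse_capture(capture, t)
    t.local_is_private = bool(PRIVATE_RE.match(t.local_ip))
    if {500, 4500} <= t.replies_on:
        t.findings.append("peer answered on udp/500 and udp/4500: NAT forwarding is working")
    else:
        missing = ",".join(str(p) for p in sorted({500, 4500} - t.replies_on))
        t.findings.append("no peer reply on udp/%s: check NAT forwarding of IKE/NAT-T" % missing)
    if not t.phase1_established and t.nat_t and t.local_is_private:
        t.findings.append(
            "phase 1 times out although the peer is reachable; %s is a private address behind NAT, "
            "so the remote end must use %s as the peer identity, not the public IP"
            % (t.local_ip, t.local_ip))
    return t


if __name__ == "__main__":
    for finding in triage(MX_EVENTS, CAPTURE).findings:
        print("-", finding)
```

Run against the constructed sample it prints two findings: forwarding on both ports is fine, and the phase 1 timeout with a private local address points at the peer-identity setting on the far end rather than at NAT.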

DS2
New here

Hello,

I have the same problem. How did you solve it?
