non-Meraki VPN peer is not establishing with zScaler

Solved
MOmarRiaz
Here to help

Hello,

I'm trying to set up a non-Meraki IPsec peer with Zscaler.

My MX68 device is directly connected to the public network. I can successfully ping the Zscaler public IP from the MX68. The MX68 is not generating any kind of traffic to Zscaler (checked via packet capture on the MX68). The only thing I found in the Event Log is:

Event Type: Non-Meraki / Client VPN negotiation

Event Details: msg: FIPS mode disabled

MOmarRiaz_0-1674728193199.png

Here are the custom settings in the non-Meraki VPN provided to us by the Zscaler team.

MOmarRiaz_0-1674728487797.png

Here is the result of the capture.

MOmarRiaz_1-1674728591315.png

Here is the ping response from the MX68 to the Zscaler public IP.

MOmarRiaz_2-1674728656970.png

I tried to find a solution but had no success. Could you advise me what I can do?

Best regards,

Omar

1 Accepted Solution
MOmarRiaz
Here to help

Dear All,

Thanks for your valuable feedback and suggestions. The issue got resolved after contacting call support from the Meraki team.

Here are the final settings of the non-Meraki VPN peer after the issue was resolved in our case.

MOmarRiaz_0-1674983214525.png

MOmarRiaz_1-1674983251355.png

One thing I must add is that the peer does not go up until we forward some traffic. That is one thing we have observed.

e.g.

Here is the case where I can see that the route is active in the routing table for the non-Meraki VPN peer.

MOmarRiaz_2-1674983355156.png

But when we look at the VPN status, we find that the peer is down.

MOmarRiaz_3-1674983426934.png

We thought the peer was actually down. But when we send some ICMP packets to Zscaler, then the VPN status shows the peer is up.

MOmarRiaz_4-1674983553847.png

VPN status after ICMP packets:

MOmarRiaz_5-1674983595455.png

We have observed that there are a few drops for ICMP packets at the very start, but after that the ping is normal without any drops and the peer shows up.

Another thing we have observed is that if there is no traffic on the non-Meraki VPN peer, then the VPN status again shows red (peer down) after a few hours, but if we send some traffic or an ICMP ping, then it again comes back to green (VPN peer up).

This is all we have observed so far.

21 Replies
alemabrahao
Kind of a big deal

Follow these recommendations:

  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non Meraki VPN settings:
    • Preshared secret must be greater than 14 characters
    • Authentication cannot be MD5
    • Diffie-Hellman Group must be 14
    • Phase 2 encryption cannot be NULL
    • PFS can be configured to be either off or 14
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
MOmarRiaz
Here to help

1. Preshared secret must be greater than 14 characters

Yes, in our case the preshared key is 16 characters.

2. Authentication cannot be MD5

Yes, we are not using MD5.

3. Diffie-Hellman Group must be 14

I have also checked with "Diffie-Hellman Group must be 14". Same issue.

4. Phase 2 encryption cannot be NULL

Yes, in our case Phase 2 encryption is AES256, AES192, AES128.

5. PFS can be configured to be either off or 14

In our case it is off. I have also checked this with 14.

I found the above settings in the Meraki documentation and I have implemented them, but on creation of the non-Meraki VPN peer the event log message is the same: msg: FIPS mode disabled

alemabrahao
Kind of a big deal

Is your MX behind a CG-NAT?

MOmarRiaz
Here to help

No. Public IP is directly assigned to MX68.

alemabrahao
Kind of a big deal

And also neither the first nor the last character of the password can be a special character.

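As an added example (not code from the thread, from Meraki or from Zscaler), a small Python checker that applies the non-Meraki VPN peer constraints listed in the recommendations post above together with the later note about the first and last characters of the secret. The PeerConfig field names and both sample configurations are assumptions constructed for illustration; the "poster" one mirrors the settings the original poster reports, which pass every listed check.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical representation of a non-Meraki VPN peer's settings
# (assumed field names; not a Meraki dashboard object).
@dataclass
class PeerConfig:
    preshared_secret: str
    phase1_auth: str              # e.g. "SHA256" or "MD5"
    dh_group: int                 # Diffie-Hellman group number
    phase2_encryption: List[str]  # e.g. ["AES256", "AES192", "AES128"]
    pfs_group: str                # "off" or a group number such as "14"

NON_ALNUM = re.compile(r"[^A-Za-z0-9]")

def check_peer(cfg: PeerConfig) -> List[str]:
    """Apply the constraints quoted in the thread; an empty list means all pass."""
    findings = []
    secret = cfg.preshared_secret
    if len(secret) <= 14:
        findings.append("preshared secret must be greater than 14 characters")
    # Follow-up post: first and last character must not be a special character.
    if secret and (NON_ALNUM.match(secret[0]) or NON_ALNUM.match(secret[-1])):
        findings.append("first/last character of preshared secret is special")
    if cfg.phase1_auth.upper() == "MD5":
        findings.append("authentication cannot be MD5")
    if cfg.dh_group != 14:
        findings.append("Diffie-Hellman group must be 14")
    if any(alg.upper() == "NULL" for alg in cfg.phase2_encryption):
        findings.append("phase 2 encryption cannot be NULL")
    if cfg.pfs_group.lower() not in ("off", "14"):
        findings.append("PFS must be off or group 14")
    return findings

# Constructed config mirroring what the original poster reports: 16-char secret
# with lowercase first/last characters, no MD5, DH group 14, AES phase 2, PFS off.
POSTER_CONFIG = PeerConfig("abcdefghijklmnop", "SHA256", 14,
                           ["AES256", "AES192", "AES128"], "off")
# Constructed config that violates every rule, to show the checker's output.
BAD_CONFIG = PeerConfig("short!", "MD5", 5, ["NULL"], "2")

if __name__ == "__main__":
    for name, cfg in (("poster", POSTER_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_peer(cfg) or "all checks pass")
```

A clean result from this checker only rules out the documented constraints; as the thread shows, the poster's settings passed them all and the root cause still had to be found with Meraki support.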
MOmarRiaz
Here to help

In our case the credential does not contain any special character.

The first and last characters are lowercase letters.

alemabrahao
Kind of a big deal

Have you tried this? https://community.meraki.com/t5/Security-SD-WAN/IPSEC-Tunnel-withZScaler/m-p/53769

MOmarRiaz
Here to help

Yes, I have tried this but same situation. However, the issue got resolved after getting call support from the Meraki team.

ww
Kind of a big deal

MOmarRiaz
Here to help

Yes, we have enabled 2 local subnets for VPN at the MX68.

MOmarRiaz
Here to help

Another thing I would like to add is that below is the configuration of our non-Meraki VPN with Zscaler (peer not established).

MOmarRiaz_0-1674734680659.png

While here is the configuration of another Meraki dashboard of the same customer in another country, which is working fine.

Both non-Meraki settings have their own credentials.

MOmarRiaz_1-1674734894438.png

Also note that both MXs have the same version.

alemabrahao
Kind of a big deal

Open a support case.

MOmarRiaz
Here to help

I have already opened a case and checked many options with the support team. And as yet we have not found the cause. That's why I have come to this community, so that maybe I can find some help from experts in the Meraki field. Meanwhile, I am also coordinating with the support team for a resolution.

alemabrahao
Kind of a big deal

You've tried all possible options; maybe you can try with a different version.

alemabrahao
Kind of a big deal

You can try changing the phase 2 lifetime to 3600s.

MOmarRiaz
Here to help

Just tried with 3600s. Same issue.

rhbirkelund
Kind of a big deal

Do you see anything in the MX event log on Site-to-Site VPN negotiation?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
MOmarRiaz
Here to help

In the event logs I only found this message. And this event only occurs if I delete the peer and create a new one. Changing an already created peer does not generate any log.

MOmarRiaz_0-1674745456192.png

rhbirkelund
Kind of a big deal

If you do a pcap on the MX internet interface, you should be seeing packets on udp/500 and udp/4500, as far as I recall.

MOmarRiaz
Here to help

But in the pcap there is not a single packet for UDP 500 or to the destination Zscaler peer IP.

I believe the MX68 is not able to generate any IPsec messages, and the event log message is FIPS mode disabled.
