I am working on a non-Meraki tunnel to a Fortigate firewall.
It was solid until today when we added a bunch of additional networks to the tunnel config. Nothing was changed in the IPsec configuration, although we verified once again that the configs match exactly.
We are seeing on the Fortigate that there is an issue with the Phase 2, specifically with a non-matching SPI. I will admit I don't know what an SPI is, but it's causing issues.
The Meraki logs, as is typical, are showing even less information. They are only showing constant Phase 2 negotiation with no indication as to why.
Anyone have any sort of insight into this sort of issue?
An SPI basically denotes which IPSec connection it is (more important when the device has lots of them). It is like an index into a table.
I would try giving both devices a power cycle if you can. One of them might be hanging onto the old state.
Otherwise try removing the extra networks and get it working again, and then start adding the extra networks in a couple at a time. Then you should get to a point where you know which change is breaking it.
Do you have 2 x WAN Connections in the MX with load balancing disabled (fail-over mode)?
If so do you have the Fortinet setup to have a tunnel to both (for redundancy and fail-over)?
If so, this is your issue. The primary will be up and happy, the fail-over will keep failing until such a time as it fails over to the second WAN. We have the same issue and it is very ugly unfortunately, but I can't find a workaround. Everything works fine, but the logs fill up with negotiation failures as it can't have 2 SPIs with the same routes on them (for obvious reasons).
Let me know if this helps and is your issue. TAC could help you here also.
Make sure all the IPsec configs and timers (lifetime) match for both sides' configs. Also verify the subnets included in the tunnel. I battled with this when trying to do a non-Meraki VPN tunnel to a Checkpoint FW as well.
Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO If this was helpful click the Kudo button below If my reply solved your issue, please mark it as a solution.
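As an added example that is not from any post in this thread and not from Meraki or Fortinet, the script below does the check the last two replies recommend (Phase 1/Phase 2 parameters and lifetimes identical, traffic-selector subnets mirrored between the two peers) and also produces the "add the extra networks a couple at a time" batches suggested earlier. The dictionary keys and all values are constructed for this example; they are not Meraki dashboard or FortiOS field names, and you would fill them in by hand from each side's tunnel configuration.

```python
import ipaddress

# Constructed sample configs (not exported from any device). Key names are
# assumptions for this example, not Meraki or FortiGate field names.
MX_SIDE = {
    "phase1": {"encryption": "aes256", "auth": "sha256", "dh_group": 14, "lifetime_seconds": 28800},
    "phase2": {"encryption": "aes256", "auth": "sha256", "pfs_group": 14, "lifetime_seconds": 3600},
    "local_subnets": ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24"],  # newly added: 10.10.2.0/24
    "remote_subnets": ["192.168.50.0/24"],
}
FORTIGATE_SIDE = {
    "phase1": {"encryption": "aes256", "auth": "sha256", "dh_group": 14, "lifetime_seconds": 28800},
    "phase2": {"encryption": "aes256", "auth": "sha256", "pfs_group": 14, "lifetime_seconds": 28800},
    "local_subnets": ["192.168.50.0/24"],
    "remote_subnets": ["10.10.0.0/24", "10.10.1.0/24"],  # 10.10.2.0/24 was never added here
}


def normalize(subnets):
    """Canonicalise CIDRs so '10.10.1.5/24' and '10.10.1.0/24' compare equal."""
    return {ipaddress.ip_network(s, strict=False) for s in subnets}


def compare_ipsec(a, b):
    """Return a list of human-readable mismatches between two peers' configs.

    An empty list means both phases agree and the traffic selectors mirror
    each other (A's local networks == B's remote networks and vice versa).
    """
    problems = []
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(
                    f"{phase} {key} differs: side A={a[phase].get(key)!r}, side B={b[phase].get(key)!r}"
                )
    pairs = (
        ("A local / B remote", a["local_subnets"], b["remote_subnets"]),
        ("A remote / B local", a["remote_subnets"], b["local_subnets"]),
    )
    for label, left, right in pairs:
        left_set, right_set = normalize(left), normalize(right)
        for net in sorted(left_set - right_set, key=str):
            problems.append(f"subnet {net} present on first side of '{label}' only")
        for net in sorted(right_set - left_set, key=str):
            problems.append(f"subnet {net} present on second side of '{label}' only")
    return problems


def add_in_batches(subnets, batch_size=2):
    """Yield growing subnet lists so extra networks can be re-added a few at a time."""
    for end in range(batch_size, len(subnets) + batch_size, batch_size):
        yield list(subnets[:end])


if __name__ == "__main__":
    for line in compare_ipsec(MX_SIDE, FORTIGATE_SIDE):
        print(line)
    for step in add_in_batches(MX_SIDE["local_subnets"], 2):
        print("try with local subnets:", step)
```

Run against the sample data the script reports the Phase 2 lifetime mismatch (3600 vs 28800) and the one subnet that exists only on the MX side, which is exactly the kind of discrepancy that shows up as endless Phase 2 renegotiation while the logs on the Meraki side say nothing useful.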