Meraki

Community

s2s-tunnel azure troubleshooting

Solved
Denson
Conversationalist
‎Dec 30 2019 6:28 AM
‎Dec 30 2019 6:28 AM

s2s-tunnel azure troubleshooting

Hi there,

 

I'm trying to setup a s2s-tunnel between Meraki and Azure. Since i'm not managing the Azure side i'm not able to troubleshoot a whole lot so i'm just checking here to see i'f im missing something.

 

Goal:

Establish HA connection between Meraki MX and Azure in order to access Azure VM from local network.

 

Config:

Hub

NAT Auto

Default Azure IPSec policies

 

Problem:

1. Configured tunnel is not coming up and fails on phase 1. Checked event log and notice phase 1 keeps failing. When searching online i noticed someone mentioning using vMX100 instead of native azure vpn is a must if u want to establish a stable connection. Is this true?


Packet capture:

13:59:43.013415 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 ? ident
13:59:46.366007 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident
13:59:46.366227 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 R ident
13:59:46.371700 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident
13:59:46.372272 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 R ident
13:59:46.375945 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident[E]
13:59:47.381407 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident[E]
13:59:48.388862 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident[E]
13:59:49.391046 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident[E]
13:59:53.017372 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 ? ident
13:59:56.373432 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 R ident
14:00:03.021388 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 ? ident
14:00:06.377440 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 R ident
14:00:11.529242 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident
14:00:11.529528 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 R ident
14:00:11.534939 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident
14:00:11.535540 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 R ident
14:00:11.539810 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident[E]
14:00:12.532372 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident[E]
14:00:13.534831 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident[E]
14:00:14.540428 IP DEST_IP.500 > SOURCE_IP.500: isakmp: phase 1 I ident[E]
14:00:16.381366 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 R ident
14:00:21.537378 IP SOURCE_IP.500 > DEST_IP.500: isakmp: phase 1 R ident

 

2. Currently MX01 and MX02 are configured HA. how do i configure the S2S tunnel to remain active when a failover to ISP2 occurs.

 

Network diagram:

 

 2019-12-30 14_44_29-Drawing2 - Visio Professional.png

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 30 2019 11:31 AM
‎Dec 30 2019 11:31 AM

Your phase 1 is failing.  It is most like to me a mis-match between the two ends with one of:

* Encryption domain not matching exactly on both sides

* PSK

* Encryption algrorithyms and hash

 

>Currently MX01 and MX02 are configured HA. how do i configure the S2S tunnel to remain active when a failover to ISP2 occurs.

 

You wont be able to do that with Azure VPN.  It doesn't support backup peers.  You would need the vMX100 to make that work.

View solution in original post

0 Kudos
4 Replies 4
SoCalRacer
Kind of a big deal
‎Dec 30 2019 9:18 AM
‎Dec 30 2019 9:18 AM

I believe you will run into issues with any solution especially if you don't have access to Azure, since most of the config needs to be done properly there first.

 

Here is some info on different solutions, but yes I would say vMX is best, but its pretty costly.

 

1-vMX100

https://documentation.meraki.com/MX/Installation_Guides/vMX100_Setup_Guide_for_Microsoft_Azure

 

2-Custom Azure VPN Setup

http://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html

 

3- Policy Based VPN

https://www.virtualizationhowto.com/2017/08/configure-meraki-to-azure-site-to-site-vpn/

 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 30 2019 11:31 AM
‎Dec 30 2019 11:31 AM

Your phase 1 is failing.  It is most like to me a mis-match between the two ends with one of:

* Encryption domain not matching exactly on both sides

* PSK

* Encryption algrorithyms and hash

 

>Currently MX01 and MX02 are configured HA. how do i configure the S2S tunnel to remain active when a failover to ISP2 occurs.

 

You wont be able to do that with Azure VPN.  It doesn't support backup peers.  You would need the vMX100 to make that work.

0 Kudos
In response to PhilipDAth
Denson
Conversationalist
‎Dec 30 2019 1:18 PM
‎Dec 30 2019 1:18 PM

Both thanks for replying. Seems policy based VPN is best suited for this scenario. Will have other side check the encryption domain.

0 Kudos
In response to Denson
Mateen
Getting noticed
‎Mar 10 2020 1:19 PM
‎Mar 10 2020 1:19 PM

You can have ikev2 activated on your MX and use Azure routebased vpn. I am using same setup but running into a strange issue that both the vpn tunnels at azure are now connected and vpn traffic is not passing.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.