show conn count

Evan
Comes here often

show conn count

Good morning - is there an equivalent Meraki command or function to "show conn count"?

9 Replies 9
Adam
Kind of a big deal

I think the closest you'll get to that data is Network Wide>Clients and Network Wide>Traffic Analytics.  But I do not believe there is an equivalent to that command.  What type of data are you wanting to get?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Evan
Comes here often

Thanks Adam. 

 

We have an M84 <--> ASA5512X VPN that keeps going down. It's been happening for a year now, and I cannot figure it out.

 

I was wondering if we are exceeding the number of connections that the firewalls support. I don't know what happens when you do, but I am at my wits end. 

 

I see that there are other people with the same issue (https://community.meraki.com/t5/Security-SD-WAN/VPN-stops-passing-traffic-between-Meraki-Security-Ap...).

 

 

Adam
Kind of a big deal

Have you looked through Network Wide>Event Log and change it to the security appliance and then filtered for the VPN related event types to see if there are any clues in there?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Evan
Comes here often

I have a little, and Meraki support did, but to be honest I haven't in a few months. I didn't see anything that leaps out at me the last time I looked. You're right, I should keep an eye on it. 

 

 

Evan
Comes here often

Let me note that the tunnel stays up for anywhere from 1 hour to 1 month before it goes down. 

 

I see lots of these - and was told that the ASA is misconfigured. But how can that be if the tunnel comes up and stays up?

 

Sep 6 14:24:19 Non-Meraki / Client VPN negotiationmsg: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Sep 6 14:02:44 Non-Meraki / Client VPN negotiationmsg: 207.74.167.18 give up to get IPsec-SA due to time up to wait.
Adam
Kind of a big deal

It can come up but be unreliable if things like the Phase 1, Phase 2 lifetimes don't match etc.  Have you checked all of those things to verify they match on both sides?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Evan
Comes here often

As far as I can see everything is set to 86400. On Meraki it definitely is. On my ASA all my IKE policies are 86400, IPsec IKEv2 has the following:

 

2018-09-11 11_14_11-Terminals 4.0.1 (Files store).png2018-09-11 11_08_12-VPN Configuration - Meraki Dashboard.png

PhilipDAth
Kind of a big deal
Kind of a big deal

Based on the events you provided on from the Meraki side - it seems that the ASA is choosing not to respond to some event.  You will need to look at the ASA log when the issue is happening to see why it is not happy.

Evan
Comes here often

Thanks!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels