Meraki

Community

site-to-site VPN between Meraki and Palo Alto

Phi1001
Here to help
‎May 2 2025 8:08 AM
‎May 2 2025 8:08 AM

site-to-site VPN between Meraki and Palo Alto

We have an ikev1 site-to-site VPN between client's Meraki and our Palo ALto.

 

The issue is as follows :

 

The VPN goes down after the phase 2 lifetime expires and doesn't renegotiate on its own.

It only comes up when the traffic is initiated from Meraki's side and remains active until the pings from Meraki are going on.

Please advise. How do we fix this issue.

Labels:
0 Kudos
7 Replies 7
ww
Kind of a big deal
Kind of a big deal
‎May 2 2025 10:50 AM
‎May 2 2025 10:50 AM

https://docs.sse.cisco.com/sse-user-guide/docs/manual-meraki-mx#caveats-considerations

Main10ence
Meraki Employee
Meraki Employee
‎May 2 2025 1:08 PM
‎May 2 2025 1:08 PM

Hello @Phi1001,

 

I've heard of customers leveraging free applications (like DataDog) to ping across the tunnel are certain intervals to keep the tunnel up. 

 

If you are REALLY fancy, you could use a CRON job that sends out pings at or during times when traffic is minimal. 

.ılı.ılı. Cisco Meraki
Network Support Engineer

"The future favors the bold."
In response to Main10ence
Phi1001
Here to help
‎May 5 2025 5:24 AM
‎May 5 2025 5:24 AM

Thanks Sir.

0 Kudos
BrandonD
Meraki Employee
Meraki Employee
‎May 2 2025 3:01 PM
‎May 2 2025 3:01 PM

Hi @Phi1001,

 

Thanks for the post :). I can confirm this is indeed expected behavior for our Non-Meraki VPN peers as outlined below:

 

 

As some of the other members have noted this can be done with 3rd party tools, or live data within your environment, whichever best serves your environment! 

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
In response to BrandonD
Phi1001
Here to help
‎May 5 2025 5:24 AM
‎May 5 2025 5:24 AM

Thank You, Sir.

I'll try that.

alemabrahao
Kind of a big deal
Kind of a big deal
‎May 5 2025 3:53 AM
‎May 5 2025 3:53 AM

Check the tunnel lifetime configuration.

 

IPsec VPN Lifetimes - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
Phi1001
Here to help
‎May 5 2025 5:24 AM
‎May 5 2025 5:24 AM

Thanks for the information.

Currently, phase 1 lifetime is set to 28800 seconds for phase 1 and 3600 seconds for phase 2.

But, as per your article, both lifetimes are set to 28800 by default. I will change the phase 2 lifetime to 28800 seconds and try again.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.