site-to-site VPN non-Meraki Peer - ACL matching doubt

Building a reputation


Hi guys,


I am still struggling with a tunnel issue where, at random times, the tunnel just stops passing traffic even though it remains up (against an ASA firewall).


I have a question regarding the interesting traffic ACLs. In the ASA it is very clear that you define source and destination subnets, but in Meraki you define in the site-to-site page the remote subnets participating, while for the source (local Meraki subnet) you just specify globally whether it is in the VPN or not. Does it mean I have to mirror in the ASA the ACL for every single local Meraki subnet participating in the VPN?


Let's say I have 10.0.1.0/24 and 10.0.2.0/24 locally in Meraki. Both of them VPN -> yes.

Then I have several remote subnets, let's say 172.16.0.0/24, 172.16.1.0/24 ... But I only want communication between 10.0.1.0/24 and the remote subnets in the ASA, therefore my ASA VPN ACL would look similar to:

access-list vpnx extended permit ip 172.16.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list vpnx extended permit ip 172.16.1.0 255.255.255.0 10.0.1.0 255.255.255.0


As 10.0.2.0 is participating in the Meraki VPN process, do I have to specify this subnet as well in the ASA, or wouldn't it be required?


In any case, I understand that in case of not matching, this would affect only the involved subnets, right? So it shouldn't cause any impact on the tunnel or on the communication of the existing flows.


Thank you.
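
The question above comes down to whether the traffic selectors (proxy IDs) the MX offers match the crypto ACL on the ASA. The following script is an added example, not code from the thread or from Cisco/Meraki; it takes the subnets from the question as constructed input, assumes the MX pairs every VPN-enabled local subnet with every remote subnet configured for the non-Meraki peer (an assumption, not something the thread confirms), parses the ASA `access-list ... extended permit ip` lines, and reports which selector pairs exist on only one side. The ACL name `vpnx` is the one used in the question.

```python
import ipaddress
import re
from itertools import product

# Constructed sample input taken from the question: Meraki local subnets with
# their "VPN participation" flag, and the remote subnets on the non-Meraki peer.
MERAKI_LOCAL_SUBNETS = {
    "10.0.1.0/24": True,
    "10.0.2.0/24": True,
}
MERAKI_REMOTE_SUBNETS = ["172.16.0.0/24", "172.16.1.0/24"]

# Constructed ASA crypto ACL, as in the question (only 10.0.1.0/24 mirrored).
ASA_ACL = """
access-list vpnx extended permit ip 172.16.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list vpnx extended permit ip 172.16.1.0 255.255.255.0 10.0.1.0 255.255.255.0
"""

# Matches "access-list <name> extended permit ip <src> <src_mask> <dst> <dst_mask>".
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_asa_acl(text, acl_name=None):
    """Return the set of (asa_source, asa_destination) network pairs in the ACL."""
    pairs = set()
    for line in text.splitlines():
        match = ACL_RE.match(line.strip())
        if not match:
            continue
        name, src, src_mask, dst, dst_mask = match.groups()
        if acl_name and name != acl_name:
            continue
        # ipaddress accepts dotted netmasks, so "172.16.0.0/255.255.255.0" parses directly.
        src_net = ipaddress.ip_network(f"{src}/{src_mask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dst_mask}", strict=False)
        pairs.add((src_net, dst_net))
    return pairs


def meraki_selectors(local_subnets, remote_subnets):
    """(meraki_local, meraki_remote) pairs the MX is assumed to offer:
    every VPN-enabled local subnet combined with every remote subnet."""
    locals_ = [ipaddress.ip_network(s) for s, enabled in local_subnets.items() if enabled]
    remotes = [ipaddress.ip_network(s) for s in remote_subnets]
    return set(product(locals_, remotes))


def compare_selectors(meraki_pairs, asa_pairs):
    """Diff the two sides. The ASA's source is the Meraki side's remote and
    vice versa, so ASA pairs are mirrored before comparing."""
    asa_mirrored = {(dst, src) for src, dst in asa_pairs}
    return {
        "matched": sorted(meraki_pairs & asa_mirrored, key=str),
        "only_on_meraki": sorted(meraki_pairs - asa_mirrored, key=str),
        "only_on_asa": sorted(asa_mirrored - meraki_pairs, key=str),
    }


def asa_lines_for(meraki_pairs, acl_name="vpnx"):
    """Generate the ASA ACL lines that would mirror the given Meraki selector pairs."""
    lines = []
    for local, remote in sorted(meraki_pairs, key=str):
        lines.append(
            f"access-list {acl_name} extended permit ip "
            f"{remote.network_address} {remote.netmask} "
            f"{local.network_address} {local.netmask}"
        )
    return lines


if __name__ == "__main__":
    expected = meraki_selectors(MERAKI_LOCAL_SUBNETS, MERAKI_REMOTE_SUBNETS)
    report = compare_selectors(expected, parse_asa_acl(ASA_ACL, "vpnx"))
    for key, pairs in report.items():
        print(key)
        for local, remote in pairs:
            print(f"  Meraki {local} <-> remote {remote}")
    print("ASA lines that would mirror every Meraki selector:")
    for line in asa_lines_for(expected):
        print("  " + line)
```

With the question's input the script lists the two 10.0.1.0/24 pairs as matched and the two 10.0.2.0/24 pairs as present only on the Meraki side. It does not decide whether such a mismatch is harmless; it only makes the mismatch visible so that a selector problem can be ruled in or out before looking for other causes of the tunnel stalling.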

3 REPLIES
Kind of a big deal

Re: site-to-site VPN non-Meraki Peer - ACL matching doubt

We have a similar issue but assumed it was on the far side. We typically go to the Site to Site VPN section and set it to 'No Networks' then back to 'All Networks' or whatever. This effectively bounces the tunnel and starts passing traffic again. I assumed it was the far side because we have two Site to Site VPN tunnels to different destinations, both using Checkpoint firewalls, and one of them never requires a bounce. But obviously I need to watch this a little more closely.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
Building a reputation

Re: site-to-site VPN non-Meraki Peer - ACL matching doubt

So your traffic stops passing randomly too? Honestly I have tried many different things already; there are days that it remains OK, maybe for 4 or 5 days, and some other times it could fail during 2 or 3 consecutive days. There is no pattern, which makes it hard to troubleshoot. The only thing I know is that with another ASA that we have in the same location as the Meraki it is always working properly.

Kind of a big deal

Re: site-to-site VPN non-Meraki Peer - ACL matching doubt

Agreed, I've basically had the exact same experience, but since the Meraki is solid without going down to one of our other sites I was more suspicious of the far side than of our Meraki. It could also be possible that the ASA was just doing a better job of re-establishing the tunnel without notification.

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.