vMX - Tunnel is up but when trying to reach the remote end RTO.

BaronCSE
Here to help


I have 2 tunnels that are up on the VPN Status page, but when trying to ping the remote devices on the other tunnel I can't reach them; the remote devices are active and can be pinged by other network devices that have a separate tunnel.


I have a vMX which I manage and a remote end to an Azure GW. When I rebooted the vMX it suddenly worked.

I checked the logs; nothing came up. It just says the remote connection is established, yet I can't see any replies from the remote end.

alemabrahao
Kind of a big deal

Is it a non-Meraki VPN peer? Does it happen on the other side too?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

The remote peer is an Azure GW, a non-Meraki peer. The remote end also can't ping and doesn't see any response.

Is the IKE version set to v1 or v2? Take a look at this link:

https://www.checkyourlogs.net/configuring-cisco-meraki-to-azure-site-to-site-vpn-tunnels-ikev2-azure...


v2. The configs are correct, and it was working for almost 1 week; then it just stopped working. Even though the tunnels are up, I can't reach the remote end.

Perfect, one more question, have you updated your MX recently? I had some issues like this in the past, but in my case, it happened after the upgrade.


I had 16.15 last week and upgraded to 16.16 because the issue was that all the tunnels were up but I couldn't see any responses from the other end when trying to ping. After the upgrade to 16.16 the issue was resolved; then after a week the issue came back, but this time it's only one tunnel. Note I only have 2 tunnels, for ASA and Azure.

MarcP
Kind of a big deal

If nothing has been done on either site and it comes back after upgrading to the newest firmware, you should open a case with Meraki.

Well, I ran into a few issues during the setup, and here are some of the errors I made and how I corrected them.

1- The Azure VPN gateway was set to route-based. I had to delete the VPN gateway and recreate it with the VPN type set to Policy-based.
2- When configuring the site-to-site VPN on the Meraki dashboard, ensure the private subnets equal the address space configuration for your Azure virtual network.


Guess what, my on-prem lost reachability this Sat. The remote end is an ASA, but the Azure GW is still reachable.


This log was from last week with Meraki support; not sure why Azure is sending a delete packet.
Going to try to find out what happened to the on-prem.
