Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About RyanMesser
RyanMesser
Here to help
Member since Apr 27, 2019
Apr 30 2019
Community Record
6
Posts
2
Kudos
0
Solutions
Badges
Apr 28 2019
2:17 AM
2 Kudos
Think i've cracked it 🙂 the only thing i kept thinking could be wrong was the ACL's somewhere.. After a very long look through the ACL list on the 2911 router i noticed the top ACL which maps to another crypto map there was this permit ip 172.21.0.0 0.0.0.255 192.168.0.0 0.255.255.255 And on my new ACL for my new crypto map i had 192.168.128.0/24, therefore there was an overlap. Which evidently meant that the packet was coming in hitting the wrong ACL and therefore hitting the wrong crypto map. Which would explain why I was getting peer address not found. I've done a ping across the tunnel from Meraki now and can see traffic both ways now. Thanks for your help
... View more
Apr 27 2019
6:00 PM
It will be going static but yes its been the same. Is there anything else i can check? I'm not sure why but it doesn't really seem to matter what changes i make i get the same message when i try and ping from meraki across to the remote side. I've also noticed when I ping from the Meraki side i get this in the Meraki logs? Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel XXXXXXX[500]->XXXXXXX[500] spi=21810707(0x14cce13) Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg:XXXXXX give up to get IPsec-SA due to time up to wait. Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel XXXXXXXX[500]->XXXXXXX[500] Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: notification NO-PROPOSAL-CHOSEN received in informational exchange. Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: XXXXXXXX[4500]<=>XXXXXXXXXX[4500]
... View more
Apr 27 2019
5:14 PM
Yes I think the 2911 has a static ip directly on the interface as you can see thats gi 0/0. In terms of the MX its behind a BT router in bridge mode, I think its WAN interface currently is DHCP should this be static?
... View more
Apr 27 2019
5:06 PM
Thanks will do, i was going off of one of the Meraki config guides but appreciate AES is better. Unfortunately there is a bit of a mixture.. I didn't configure them I'm just trying to add another VPN. There are 4 in total including this MX. S2SVPN 1 - 2911 router to this 2911 router (this is actually being replaced eventually by the S2SVPN 4) S2SVPN 2 - I believe is an ASA to this 2911 router S2SVPN 3 - MX Appliance to this 2911 router (working but can't see config just yet) S2SVPN 4 - MX Appliance i'm currently setting up to this 2911 router Each has a pre-shared key matching to the public IP, so crypto isakmp key <key> address <public address>. Each also has their own ACL. Yes only 192.168.128.0/24 is only set to go over to this VPN.
... View more
Apr 27 2019
3:30 PM
Not sure how they aren't but lets see... Crypto map Crypto Map IPv4 "S2SVPN" 4 ipsec-isakmp Peer = XXXXXXX Extended IP access list Meraki access-list Meraki permit ip 172.21.0.0 0.0.255.255 192.168.128.0 0.0.0.255 Current peer: XXXXXXXX Kilobyte Volume Rekey has been disabled. Security association lifetime:28800 seconds Responder-Only (Y/N): N PFS (Y/N): Y DH group: group2 Transform sets={ ESP-3DES-SHA: { esp-3des esp-sha-hmac } , } Interfaces using crypto map S2SVPN: GigabitEthernet0/0 #show crypto isakmp policy Protection suite of priority 10 encryption algorithm: Three key triple DES hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #2 (1024 bit) lifetime: 28800 seconds, no volume limit Then on Meraki Let me know if any more info needed in order to troubleshoot, i have the public address in the router with a preshared key that i have entered on Meraki and that matches. Thanks
... View more
Apr 27 2019
1:26 AM
Hi, Having difficulty in trying to get Meraki to complete phase 2 with a Cisco 2911 router, below is the message i get on the router as soon as I try and ping anything on the other side Apr 26 09:59:09.423: IPSEC(ipsec_process_proposal): peer address XXXX not found Apr 26 09:59:09.423: ISAKMP:(7813): IPSec policy invalidated proposal with error 64 Apr 26 09:59:09.423: ISAKMP:(7813): phase 2 SA policy not acceptable! (local XXXX remote XXXXXX) Apr 26 09:59:09.423: ISAKMP: set new node -10487433 to QM_IDLE Router# Apr 26 09:59:09.423: ISAKMP:(7813):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 822512632, message ID = 4284479863 Apr 26 09:59:09.423: ISAKMP:(7813): sending packet to XXXX my_port 4500 peer_port 4500 (R) QM_IDLE Apr 26 09:59:09.423: ISAKMP:(7813):Sending an IKE IPv4 Packet. Apr 26 09:59:09.423: ISAKMP:(7813):purging node -10487433 Apr 26 09:59:09.423: ISAKMP:(7813):deleting node -1212514309 error TRUE reason "QM rejected" Apr 26 09:59:09.423: ISAKMP:(7813):Node 3082452987, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH Apr 26 09:59:09.423: ISAKMP:(7813):Old State = IKE_QM_READY New State = IKE_QM_READY As far as I can see on both Meraki and the router phase 1 and phase 2 are identical and the ACL on the router matches the route I have on Meraki. What is strange is we have another Meraki instance (i don't have access too) that connects to the same router with the same configuration I'm told. Phase 1 has completed so it appears the two are connected but I'm unable to send traffic down the tunnel. I have raised a case but thought I'd post on here and see if anyone else had same issues or can point maybe what I'm doing wrong/what i need to check etc..
... View more
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 2 | 7448 |
© 2024 Cisco Systems, Inc.
