Meraki

Tats · ‎Jun 5 2019

Thanks Philip, Ok now i see. Yes, I have the exactly same ACLs that match bidirectionally. One thing I noticed in ASDM that I have data lifetime set to the default value 4GB although this config is not seen on the running-config. I will set it to unlimited to see if this helps. Regards, Tats

Tats · ‎Jun 5 2019

Hi Philip, Thanks for your reply. Ok I will keep the lifetime as it is. >This is frequently because of a difference in the source and destination encryption domains between the two ends. I do not quite get what this means. can you explain?

Tats · ‎Jun 5 2019

Hello, I am having this issue that Ipsec VPN re-keying between ASA5525 and MX68 sometimes fails. This issue happens about once a week. I have a workaround for the issue which is clearing ikev1 sa and ipsec sa on ASA side but I would like to know the root cause of this issue. I read this somewhere that lifetime of ike1 tunnel should always be greater than lifetime of ipsec tunnel (although I could not find the reason of this practice.) My current config is not following this practice. means that phase 1 and phase 2 have the same lifetime at this moment. Could this config cause this re-key issue? I see these logs on ASA side: Removing peer from correlator table failed, no match! All IPSec SA proposals found unacceptable! I Best regards, Tats

Tats · ‎May 18 2019

Hi GuilhermeMacedo I tested the per client limit between Meraki and ASA and it seems this feature works with Non-Meraki VPN peer as well as normal internet traffic. I guess I will have to use this for our HQ and Branch connection as our HQ is using ASA... I hope Meraki will implement traffic shaping for Non-Meraki VPN peer soon... Regards, Tats

Meraki

Community

About Tats

Tats

Community Record

Re: IPsec re-keying between MX68 and ASA5525 sometimes fails

Re: IPsec re-keying between MX68 and ASA5525 sometimes fails

IPsec re-keying between MX68 and ASA5525 sometimes fails

Re: Traffic Shaping Rules

Re: Traffic Shaping Rules