Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Register or Sign in
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About François
Community Record
8
Posts
0
Kudos
0
Solutions
Badges
Sep 21 2020
11:29 PM
So, for you, my way can be to use manual NAT traversal. But, when I try to activate this the dashboard, the public IP is required : Because I have 2 ISPs, if we are in failover, an other public IP will be used. That's why I said the automatic NAT traversal seems to be the only way for me. If I keep automatic and I manage a public IP white list? perhaps I can do an API request to receive all public IP found from my dashboard?
... View more
Sep 21 2020
3:07 AM
Dear CN, About the manuel NAT traversal, I can not implement this because there 2 ISPs with 2 differents public IP. When we select manuel NAT traversal we need to put a port and only one IP. So, in my case, automatic is the only way. About incoming rule, I'm surprise about this. I read this in Meraki document : Public IP assignment Placing an MX appliance configured as a one-armed VPN concentrator at the perimeter of the network with a publicly routable IP address is not recommended and can present security risks. As a best practice, one-armed concentrators MX appliances should always be deployed behind an edge firewall that filters inbound connections. https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide Now, I read again this and I'm not sure about "that filters inbound connections" ? So you confirm, in my case, open incoming rules could be a solution? So it mean a rule where I will open all UDP port range 32768-61000 from all IPs?
... View more
Sep 16 2020
11:26 PM
Dear CN Put temporary manual NAT traversal in order to force all VPN to change ports can be an other work-around, but it still not an automatic fail-over. In this case, why Meraki can not change source port used when a new public IP is discovered? (this could solve other behavior I saw too... because dynamic NAT behavior change a lot depend of routers models) The intricacies on Palo side is the fact that because the source IP (Private VIP IP from the one armed concentrator) and the source port don't change on this fail-over, the Palo-Alto continu to work with the same session and continu to NAT of the old public IP. So all incoming packet coming from other MX on the new public IP are drop because there is no existing session on this criteria. Clear session or change source port will force to recreate these sessions. I continu to think this behavior is not normal on Palo side. An other work-around I had in mind was to have an incoming rules to allow UDP flow to go to the VIP MX IP. But this kind of incoming rules looks not good in term of security and Meraki don't recommend this rule in this configuration. Do you think this could be a way? Best regards,
... View more
Sep 15 2020
11:41 PM
Put the MX in parallel is not an option for me because I need to keep one-armed VPN concentrator due to EBGP used. At this moment, I push a case on Palo-Alto side because I consider this is a bad behavior from Palo-alto. I keep you updated. In any case, all proposition you can have will be more than welcome because I can't keep this no-automatic fail-over in a DC.
... View more
Sep 15 2020
11:37 PM
Yesterday, I was with Palo-alto support. I propose this way, because it's possible to reduce UDP session timeout, default is 30sec. But from my analyze, to have this working, it mean 2 or 3 secondes and Palo-alto said this is not recommended to have very small value like that.
... View more
Sep 15 2020
11:34 PM
Dear Jordan, Thanks again. In my case, I use BGP and it's concentrator only....so. Like you, I saw this behavior with other VPN tunnel, not only Meraki. I consider this problem is on Palo Alto side and I will push on this way. I created this post about this problem : https://community.meraki.com/t5/Full-Stack-Network-Wide/Meraki-MX250-behind-Palo-Alto/m-p/97876#M1614 I will try to update my situation on that.
... View more
Sep 15 2020
5:05 AM
We have palo-alto firewall with 2 ISPs and path-monitoring enable on both default routes and one PBR rule. An HA of MX250 behind this firewall with proper rules and NAT. The NAT works perfectly in automatic without unfriendly NAT detected. In case of ISP fail-over, UDP session created inside the Palo-alto stay active and continu to nat on the last public IP. Only solution is to do a clear session on the firewall and all VPN start to work again. Here explanation of Palo-Alto : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLlfCAG This problem have big impact because, it mean all our SD-WAN network can not have a automatique ISP fail-over on the concentrator (something we have with remote sites ...) Did somebody found something to improve this? a work-around? a redesign? Thanks in advance. Best regards,
... View more
Sep 15 2020
4:50 AM
Hi Jordan, I note exactly the same : "One thing to note is if you are using PBF rules on the Palo Alto for ISP fail over, I've found that the Palo Alto will not clear the Meraki IPsec sessions when failing to the backup ISP (or failing back to the primary). In order to get the Meraki VPN to fail over you have to either clear the Palo Alto IPsec sessions, or restart the Meraki to re-establish the IPsec tunnels." I have the same problem and I try to find a solution because it mean fail-over is not automatique. I have case open with Palo-Alto : Here explanation from Palo-Alto : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLlfCAG From my point of view this is not acceptable solution in the article. Did you continu to deal with this today or did you find an other solution? Regards,
... View more
© 2024 Cisco Systems, Inc.
