The Meraki Community
ITofTN

Here to help

Member since Jun 5, 2018

‎06-12-2018

Community Record

8
Posts
1
Kudos
0
Solutions

Badges

1st Birthday
First 5 Posts
Lift-Off
Latest Contributions by ITofTN

Re: VPN stops passing traffic between Meraki Security Appliances and Watchg...

by ITofTN in Security / SD-WAN
‎06-12-2018 04:13 AM
1 Kudo
Yes, we are NATted completely behind the firewall. My understanding is that NAT-T only affects this site-to-site VPN, whose public side is all real IPs. It's not a global setting, so someone trying to get on a VPN inside my network can. So far, up since last Wednesday, no events. I just added back, or the WatchGuard side added back in, the secondary endpoint for ISP2, and they had to turn on dead peer detection, so now click is reset ...

Re: VPN stops passing traffic between Meraki Security Appliances and Watchg...

by ITofTN in Security / SD-WAN
06-11-2018 09:13 PM
So far we have turned off NAT-T on both sides; been up 7 days, no events.

Re: VPN stops passing traffic between Meraki Security Appliances and Watchg...

by ITofTN in Security / SD-WAN
06-07-2018 06:56 AM
Update: we have for sure verified and removed NAT-T on both sides. Thanks, Scott

Re: VPN stops passing traffic between Meraki Security Appliances and Watchg...

by ITofTN in Security / SD-WAN
06-06-2018 08:19 PM
Update: I ran all day today, and Meraki Support did not turn off NAT-T; it is still on. No drops, then had a blip at 5pm and now down from 6pm-9pm, no explanatio ...

Re: MX Appliance and Cisco Anti-Replay Detection

by ITofTN in Security / SD-WAN
06-06-2018 07:01 AM
From another thread: https://community.meraki.com/t5/Security-SD-WAN/VPN-stops-passing-traffic-between-Meraki-Security-Appliances-and/td-p/1505 Advised me to look into the anti-replay window between the Meraki and the WatchGuard firewall. Having an issue of phase 2 just hanging; they turned off NAT-T, but another user referenced anti-replay.

Re: VPN stops passing traffic between Meraki Security Appliances and Watchg...

by ITofTN in Security / SD-WAN
06-06-2018 06:45 AM
Update... So being here till 11:30pm last night and going through three call centers, and refusing to get off the phone. They captured all the information they wanted except a down situation. From my colleagues on the other side, they can see that Meraki Support disabled NAT-T on the Meraki side, which is an option we cannot see, and (FINGERS CROSSED) since last night I have not had one hiccup. We did temporarily remove the secondary endpoint on the WatchGuard side just for testing, but plan on putting it back if everything goes well today. I was also very patient, gave the techs time to analyze the captures, 'cause we all know how it is to work in Tech Service.
The WatchGuard guys asked if I wanted anything else changed on their side. I told them not to change anything, so on the WatchGuard side we still have Dead Peer Detection 5 tries 20 seconds, no Keep Alive 'cause that's WatchGuard to WatchGuard, and NAT-T on, which is on by default on most firewalls now, but apparently NAT-T on Meraki might be causing something with Meraki.
Keep everyone posted. For as good as they are in so many areas, this core product needs more work.
I'll ...

Re: VPN stops passing traffic between Meraki Security Appliances and Watchg...

by ITofTN in Security / SD-WAN
06-05-2018 08:16 PM
Thank you.
I refuse to get off the phone, nor did they pressure me; I'm over 2 hours in right now. The result is parsed packet captures and verified my settings are correct and remote vendor. Eliminated any setup errors on both our parts and have attached screen captures.
They verified dead peer detection is fine and correct. I'm supposedly heading into higher-level engineering.
What we are down to is this. Describe it this way: Site A (me), Site B (WatchGuard).
When this VPN down event occurs, Site B tries to send packets to Site A (seen in packet capture). The Phase 1 tunnel is up; matter of fact, I get a green light on Meraki, but Meraki Phase 2 is actually down; the green light only shows Phase 1. You reboot the primary or turn the VPN page off and on, Phase 1 comes down and immediately everything restarts, and they did both confirm on both sides that dead peer detection is working properly. I'm good to go again. It seems related to Phase 2 key lifetime, but not always; it's random too.
We have gathered logs, screenshots, and everything because I don't want this escalated and easily dismissed. This issue, thanks to this thread and my gut experience, is more than just a simple misconfiguration or setting problem.
More to come. Thank you for the replies; it's good to know I'm not alone.

Re: VPN stops passing traffic between Meraki Security Appliances and Cisco ...

by ITofTN in Security / SD-WAN
06-05-2018 07:17 PM
I am having the same exact issue between a Meraki MX80 HA pair and a WatchGuard firewall. I have marked this CASE HIGH PRIORITY CRITICAL; when I lose this tunnel the entire organization is down.
Basically HA and all failover works perfectly, and then either at EOL of the Phase 2 key or at random the VPN just stops. It appears Phase 1 is up, and we have verified all settings on both sides, followed Meraki docs to a WatchGuard; either side can rekey the tunnel back up and working, but hangs.
I am using an HA pair setup with virtual IPs for greatest recovery, with two ISPs all cabled the same, with a direct heartbeat cable between per Meraki Best Practices.
They had me move to 14.20 for an initial HA pair problem where the STP was not being passed on a security monitoring device; got that resolved, was not related to the 14.20 firmware. Went back to the stable release of 13.27.
I was on stable release 13.27 and, at random, the MX would lose its virtual IP and the tunnel would try to establish on the non-virtual IP; of course, it wouldn't work. They beta pushed me up to 14.27 and now I'm back to my original problem.
Using std negotiations with Phase 1 time to 28800 and Phase 2 time to 14400; everything matches to a tee. Also have the WatchGuard keep-alive off because not supported to non-WatchGuard; dead peer detection is on.
They have captured packets and don't see anything wrong in the tunnel setup nor settings. They can't explain why it just stops, but there are over 100 tunnels connecting to my application provider without problems and this is the only one they are having trouble with, with all different manufacturers.
Meraki is so good at so many things, but some of the most basic things, like this, and then like no logging if they block a country from layer 7 firewall rule.
I had the same setup with SonicWall and never had any trouble with the HA or tunnels, but now trouble.
They are gathering packets etc. and I'm trying to get to engineering, but that doesn't suppress the heat I'm getting.
Has anyone got a resolution? I'm tempted to go back to the SonicWall with this tunnel. I still have it running my Verizon Wireless Private Network tunnel because Meraki doesn't support address translation on a tunnel or truly support BGP so I can get rid of the translation.
Anyone... Car54, anyone??? HELP