I am having the same exact issue between a Meraki MX80 HA pair and a WatchGuard firewall. I have marked this case HIGH PRIORITY CRITICAL: when I lose this tunnel the entire organization is down. Basically HA and all failover work perfectly, and then either at EOL of the Phase 2 key or at random the VPN just stops. It appears Phase 1 is up, and we have verified all settings on both sides and followed the Meraki docs for a WatchGuard; either side can rekey the tunnel back up and working, but it hangs. I am using an HA pair setup with virtual IPs for greatest recovery, with two ISPs all cabled the same, with a direct heartbeat cable between them per Meraki best practices. They had me move to 14.20 for an initial HA pair problem where STP was not being passed on a security monitoring device; got that resolved, it was not related to the 14.20 firmware. Went back to the stable release of 13.27. I was on stable release 13.27 and at random the MX would lose its virtual IP and the tunnel would try to establish on the non-virtual IP, which of course wouldn't work. They beta pushed me up to 14.27 and now I'm back to my original problem. Using standard negotiations with the Phase 1 time at 28800 and the Phase 2 time at 14400; everything matches to a tee. I also have the WatchGuard keepalive off because it is not supported to non-WatchGuard devices; dead peer detection is on. They have captured packets and don't see anything wrong in the tunnel setup or settings. They can't explain why it just stops, but there are over 100 tunnels connecting to my application provider without problems, from all different manufacturers, and this is the only one they are having trouble with. Meraki is so good at so many things, but some of the most basic things, like this, and then like no logging if they block a country from a layer 7 firewall rule. I had the same setup with SonicWall and never had any trouble with the HA or tunnels, but now trouble.
They are gathering packets etc. and I'm trying to get to engineering, but that doesn't suppress the heat I'm getting. Has anyone got a resolution? I'm tempted to go back to the SonicWall with this tunnel. I still have it running my Verizon Wireless private network tunnel because Meraki doesn't support address translation on a tunnel or truly support BGP so I could get rid of the translation. Anyone...... Car54 Anyone??????? HELP
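A small cross-check for the situation the post describes, added here as an example and not part of the original post or of any vendor tool: it compares the IKE settings of two peers for the mismatches that commonly surface only at rekey time, and maps out when the Phase 1 and Phase 2 lifetimes the post quotes (28800 s and 14400 s) come due together. The peer dictionaries and their key names are constructed for illustration and are not Meraki or WatchGuard configuration fields; the "both SAs expire at the same instant" flag is a heuristic worth checking, not a diagnosis.

```python
"""Compare two IPsec peers' IKE settings and locate simultaneous rekeys.

Added example, not code from the original post. The dictionaries below are
constructed to mirror the settings described there (Phase 1 28800 s,
Phase 2 14400 s, DPD on, vendor keepalive off); the key names are
hypothetical and do not correspond to any vendor's configuration schema.
"""

from typing import Dict, List

# Constructed sample: side A (the MX pair as described in the post).
SIDE_A: Dict[str, object] = {
    "phase1_lifetime": 28800,          # seconds
    "phase2_lifetime": 14400,          # seconds
    "phase1_proposal": "aes256-sha256-dh14",
    "phase2_proposal": "aes256-sha256",
    "pfs_group": "14",
    "dpd": True,
    "vendor_keepalive": False,
}

# Constructed sample: side B (the WatchGuard as described), deliberately identical.
SIDE_B: Dict[str, object] = dict(SIDE_A)

# Settings that must agree on both peers or the tunnel fails at (re)negotiation.
COMPARED_KEYS = [
    "phase1_lifetime",
    "phase2_lifetime",
    "phase1_proposal",
    "phase2_proposal",
    "pfs_group",
]


def rekey_collisions(phase1: int, phase2: int, horizon: int) -> List[int]:
    """Return the times (seconds from tunnel start, up to `horizon`) at which
    a Phase 1 lifetime expiry and a Phase 2 lifetime expiry fall on the same
    instant. Lifetimes are treated as fixed hard expiries with no jitter."""
    phase1_expiries = set(range(phase1, horizon + 1, phase1))
    phase2_expiries = set(range(phase2, horizon + 1, phase2))
    return sorted(phase1_expiries & phase2_expiries)


def check_peers(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []

    # 1. Any negotiated parameter that differs between the peers.
    for key in COMPARED_KEYS:
        if a.get(key) != b.get(key):
            findings.append(f"mismatch on {key}: A={a.get(key)!r} B={b.get(key)!r}")

    # 2. Per-side sanity checks on lifetimes and liveness detection.
    for name, cfg in (("A", a), ("B", b)):
        p1 = int(cfg["phase1_lifetime"])
        p2 = int(cfg["phase2_lifetime"])
        if p2 > p1:
            findings.append(f"{name}: phase2 lifetime {p2}s exceeds phase1 lifetime {p1}s")
        elif p1 % p2 == 0:
            # Heuristic: when Phase 1 is an exact multiple of Phase 2, both SAs
            # expire at the same instant at every Phase 1 boundary.
            findings.append(
                f"{name}: phase1 ({p1}s) is an exact multiple of phase2 ({p2}s); "
                f"both SAs expire together every {p1}s (heuristic: consider staggering)"
            )
        if not cfg["dpd"] and not cfg["vendor_keepalive"]:
            findings.append(f"{name}: neither DPD nor keepalive enabled; a dead peer goes unnoticed")

    return findings


if __name__ == "__main__":
    for line in check_peers(SIDE_A, SIDE_B):
        print(line)
    print("simultaneous expiries in 24h:", rekey_collisions(28800, 14400, 86400))
```

With the constructed settings the peers agree on everything, so the only findings are the simultaneous-expiry heuristic on each side; the 24-hour timeline shows the two SAs coming due together at 28800, 57600 and 86400 seconds. Changing one side's `phase2_lifetime` produces an explicit mismatch line, which is the kind of discrepancy that stays invisible while Phase 1 is up and only bites when the Phase 2 SA is renegotiated.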