Site-To-Site VPN issues with FIOS ISP

Ed_L
Conversationalist

I work for a construction company and we deploy MX64W and MX68CW units to our remote sites. Recently, FIOS did a firmware update to their hardware which killed the site-to-site VPN connection on the device. I've done just about every bit of troubleshooting I can think of. The ONT connects to the FIOS modem, which connects to the Meraki Internet port, which delivers WiFi to endpoints and has a copier hard-wired to it.

Site-to-site VPN is configured. There's an MX84 and MS225 at HQ, and organization-wide settings are configured to our Azure environment.

About 2 weeks ago my team started complaining about not being able to scan to e-mail. No problem. I took a look at the copier to make sure the settings were correct and all accounts that needed to be logged in were. I took a look at the firewall and everything looked normal. The team was still connecting to the wireless delivered by the MX64W, and they still had Internet and could print (the printer is local to them on the network). When troubleshooting, I noticed print jobs weren't passing through the print server. I signed into the print server and discovered I could not ping the copier, nor the Meraki. When I'm on site, I can ping everything (the Meraki, copier, etc.) just fine as it's local to me, but I cannot ping the equipment from the print server or from HQ / another site with a Meraki configured.

I started with reconfiguring the MX64W thinking something went AWOL. Still wasn't working.

I brought another MX64W to my site and that also wouldn't work as intended.

I brought an MX68CW, configured it over LTE and left it independent of the FIOS connection; that worked with no issues. VPN was functioning, it talked to the print server, and I could do everything and ping it from anywhere.

I reconfigured an MX64W and left it at the FIOS site, and brought the older one to a new site (with Comcast), configured it/set it up, and all was good within 10 minutes. Internet was fine, as were wireless, VPN and the ability to connect the copier to the print server. Tested scan-to-email and it worked beautifully. This was the same unit as the FIOS site, just wiped and reconfigured from scratch.

Lastly, I reset all of the Verizon equipment and none of that helped.

I got in touch with Verizon and they noted firmware updates that they sent out in the weeks prior to this issue being discovered (my guys don't always scan to e-mail, so we weren't aware of this until weeks later). They recommended trying to bypass their system, i.e. connecting the ONT directly to the Meraki. I reconfigured the Meraki with the static IP from Verizon, and while it showed as connected, it would not pass Internet to the Meraki, so anything connecting to it via WiFi/wired didn't have Internet. I tried this at both FIOS sites and it failed. Meanwhile, I did the same thing at one of my Comcast sites and it worked just fine.

The last thing I'll note is that the Meraki Portal still lets me see all devices, so I know some kind of passive Internet is working on the firewalls. Everything is reporting as online and connected, and I'll even get notifications when someone goes offline/disconnects.

I've exhausted my knowledge of what else to try or where to go. I tried looking at other forums to see if anyone else had reported FIOS-specific connection issues, or causing connection issues with the site-to-site VPN setup. I was hoping it was something stupid that I overlooked.

Thanks in advance.

3 Replies
PhilipDAth
Kind of a big deal

That is perplexing.

Does the FIOS router have any kind of firewall or IPS in it? Perhaps it is now blocking inbound connections by default?

Perhaps the firmware upgrade changed some of these settings, and maybe you can turn it off?

You could try port forwarding a specific port from the FIOS router to the MX to be used for AutoVPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NAT_Traversal

Failing that, I would work on getting the MX plugged directly into the ONT. There must be a setting wrong that is preventing this.

When you did this, could you ping things by IP address? For example, did "ping 8.8.8.8" work? If so, it will be just DNS resolution that is failing.
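The triage order in this reply (raw-IP reachability first, then DNS, then the tunnel itself) can be scripted so a remote site can be checked consistently from the print server or HQ. This is an added example, not code from the thread or from Meraki; the HQ LAN address and the hostname used for the DNS check are constructed placeholders, and the probes are injectable so the classification logic can be exercised without a network.

```python
"""Classify a remote-site WAN/VPN fault from three probes (added example)."""
import socket
import subprocess
from dataclasses import dataclass
from typing import Callable

HQ_LAN_IP = "10.0.0.1"        # constructed placeholder: an HQ host reachable only over AutoVPN
DNS_CHECK_NAME = "example.com"  # constructed placeholder hostname for the resolution probe


@dataclass
class ProbeResults:
    ip_reachable: bool        # "ping 8.8.8.8" works: WAN passes traffic without needing DNS
    dns_resolves: bool        # a hostname resolves: DNS is not the thing that broke
    vpn_peer_reachable: bool  # an HQ LAN address answers: the site-to-site tunnel is up


def ping(host: str, timeout_s: int = 2) -> bool:
    """Single ICMP echo using the OS ping binary (Linux/macOS flags shown)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def resolves(name: str) -> bool:
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def collect(ping_fn: Callable[[str], bool] = ping,
            resolve_fn: Callable[[str], bool] = resolves) -> ProbeResults:
    """Run the probes in the order the reply suggests: IP first, then DNS, then tunnel."""
    return ProbeResults(ip_reachable=ping_fn("8.8.8.8"),
                        dns_resolves=resolve_fn(DNS_CHECK_NAME),
                        vpn_peer_reachable=ping_fn(HQ_LAN_IP))


def classify(r: ProbeResults) -> str:
    """Return the fault domain that the probe pattern points at."""
    if not r.ip_reachable:
        return "no-wan"        # nothing leaves the site: link, static IP or upstream router
    if not r.dns_resolves:
        return "dns-only"      # Internet by IP works; only name resolution is broken
    if not r.vpn_peer_reachable:
        return "vpn-blocked"   # Internet is fine; the tunnel is not (upstream firewall/NAT)
    return "healthy"


if __name__ == "__main__":
    print(classify(collect()))
```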

PhilipDAth
Kind of a big deal

This Reddit article talks about putting the FIOS modem into bridge mode, so that the public IP address goes directly on the MX.

https://www.reddit.com/r/meraki/comments/gi7ywi/mx_64/

Ed_L
Conversationalist

Thank you, I will try bridge mode. I haven't tried that yet. Per your note above, I'll also try port forwarding and see if that makes a difference.

I wasn't able to ping things by IP when I had the Meraki directly plugged in. I did all of the rebooting and power-cycling of the ONT, Verizon router and the Meraki. I checked MAC address filtering just as a precaution. There's no conflicting IP on the Meraki as they're all configured with a completely separate gateway. Firmware is up to date. I just found it odd that a Verizon update killed it. Comcast did this to me once about 2 years ago, but they resolved the issue globally with a follow-up roll-back. Verizon refused to roll it back.

I'll report back after I try bridge mode.

Thanks again.
