Non-Meraki VPN tunnel event log

sjlee
Comes here often

Non-Meraki VPN tunnel event log

Dear all,
We experienced a Non-Meraki VPN tunnel going down between an MX75 and a 3rd-party (AWS) VPN device.
But we were not able to see the VPN tunnel status as down, except for event messages like the ones below.

<< Event message >>
Time(EDT) Security appliance Client Category Event type Details
2024-04-03 15:58 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: <remote-peer-3|3445> IKE_SA remote-peer-3[3445] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:54 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: <remote-peer-3|3436> IKE_SA remote-peer-3[3436] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:47 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: <remote-peer-3|3434> IKE_SA remote-peer-3[3434] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:47 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: <remote-peer-3|3288> deleting IKE_SA remote-peer-3[3288] between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:47 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: <remote-peer-3|3433> IKE_SA remote-peer-3[3433] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:46 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: <remote-peer-3|3432> IKE_SA remote-peer-3[3432] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:46 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: <remote-peer-3|3253> deleting IKE_SA remote-peer-3[3253] between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:45 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: <remote-peer-3|3429> IKE_SA remote-peer-3[3429] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"

Is there any way to check through the event log menu whether the tunnel status or the peer is down?
I would appreciate it if you could share any related information.

Thank you,
Best Regards.

8 Replies
alemabrahao
Kind of a big deal

I suggest you review the phase 1 and 2 configurations. Did you use the configurations that AWS provides after the tunnel is configured to configure on the MX side?


I also suggest that you study the possibility of placing a vMX on AWS to use SD-WAN, it is much more stable and reliable.


Finally, it would be interesting to open a support case with Meraki.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thank you for the reply.

The configuration is the same as on the AWS side. The VPN tunnel was down for about 15 minutes.

Now is normal.

The events above also occurred while the tunnel was in the normal status.

    └ (To be precise, I think they are logs of the internal negotiation that keeps the tunnel maintained continuously.)

We already use an MX75 device, and the OS version is MX 18.107.2.
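The original question asks whether the event log can reveal that the tunnel or peer is down, and the follow-up above notes that the `established` / `deleting IKE_SA` messages also appear during normal operation (they are rekeys). Since the rows in the event log are the only signal on this page, here is an added example, not part of this thread and not a Meraki tool, that parses rows exported from the dashboard event log and applies two heuristics from the defender's side: a gap between consecutive `established` events longer than the expected rekey interval, and a `deleting` event with no replacement SA for the same peer within a short window. The sample rows are the ones posted above (with the HTML-escaped `<`/`>` handled) plus one constructed `deleting` row at 16:30; the 5-minute and 2-minute thresholds are assumptions that should be tuned to the peer's actual rekey lifetime.

```python
import html
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matches one exported row: timestamp, appliance name, then the quoted
# "msg: <peer|sa-id> [deleting ]IKE_SA peer[sa-id] [established ]between A[A]...B[B]" details.
EVENT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<device>\S+)\s+.*?'
    r'"msg: <(?P<peer>[^|>]+)\|(?P<sa>\d+)> (?P<deleting>deleting )?IKE_SA \S+ '
    r'(?:established )?between (?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\[[^\]]*\]"'
)


@dataclass(frozen=True)
class IkeEvent:
    ts: datetime
    device: str
    peer: str
    sa_id: int
    action: str  # "established" or "deleting"
    local: str
    remote: str


def parse_events(text):
    """Parse exported event-log rows (newest first, as the dashboard lists them) into chronological order."""
    events = []
    for line in text.splitlines():
        # html.unescape turns the exported &lt; / &gt; back into < / > before matching
        m = EVENT_RE.match(html.unescape(line.strip()))
        if not m:
            continue  # header row, blank line, or an unrelated event type
        events.append(IkeEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
            device=m["device"], peer=m["peer"], sa_id=int(m["sa"]),
            action="deleting" if m["deleting"] else "established",
            local=m["local"], remote=m["remote"],
        ))
    events.reverse()  # export is newest-first; a stable sort then keeps same-minute order
    return sorted(events, key=lambda e: e.ts)


def established_gaps(events, max_gap=timedelta(minutes=5)):
    """(previous_ts, next_ts) pairs where no new IKE_SA came up for longer than max_gap.

    The MX event log has no explicit "tunnel down" row, so a silent stretch between
    rekeys is the closest proxy it offers. max_gap is an assumed threshold: set it a
    little above the peer's configured IKE rekey interval to avoid false alarms."""
    ups = [e for e in events if e.action == "established"]
    return [(prev.ts, cur.ts) for prev, cur in zip(ups, ups[1:]) if cur.ts - prev.ts > max_gap]


def deletes_without_rekey(events, window=timedelta(minutes=2)):
    """SA ids whose deletion has no replacement IKE_SA for the same peer within +/- window.

    A healthy rekey (as in the rows posted above) shows the new SA established right
    before the old one is deleted; a deletion with nothing replacing it is the pattern
    worth alerting on. window is an assumed tolerance."""
    orphans = []
    for d in events:
        if d.action != "deleting":
            continue
        replaced = any(
            e.action == "established" and e.peer == d.peer and e.sa_id != d.sa_id
            and abs(e.ts - d.ts) <= window
            for e in events
        )
        if not replaced:
            orphans.append(d.sa_id)
    return orphans


# Constructed sample: the header and rows from the post above (entities still escaped, as
# exported), plus one made-up "deleting" row at 16:30 with no replacement SA after it.
SAMPLE_LOG = """Time(EDT) Security appliance Client Category Event type Details
2024-04-03 16:30 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3445&gt; deleting IKE_SA remote-peer-3[3445] between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:58 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3445&gt; IKE_SA remote-peer-3[3445] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:54 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3436&gt; IKE_SA remote-peer-3[3436] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:47 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3434&gt; IKE_SA remote-peer-3[3434] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:47 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3288&gt; deleting IKE_SA remote-peer-3[3288] between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:47 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3433&gt; IKE_SA remote-peer-3[3433] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:46 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3432&gt; IKE_SA remote-peer-3[3432] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:46 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3253&gt; deleting IKE_SA remote-peer-3[3253] between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
2024-04-03 15:45 TEST-MX75 Non-Meraki VPN Non-Meraki VPN negotiation "msg: &lt;remote-peer-3|3429&gt; IKE_SA remote-peer-3[3429] established between 1.1.1.1[1.1.1.1]...5.5.5.5[5.5.5.5]"
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for start, end in established_gaps(evs):
        print(f"no new IKE_SA between {start:%H:%M} and {end:%H:%M} ({(end - start).seconds // 60} min)")
    for sa in deletes_without_rekey(evs):
        print(f"IKE_SA {sa} deleted with no replacement SA nearby")
```

On the rows above the first heuristic flags the 15:47 to 15:54 stretch with the assumed 5-minute threshold, which is exactly the kind of false positive the follow-up warns about if the threshold sits below the real rekey interval; the second heuristic only fires on the constructed 16:30 deletion, because every deletion in the posted rows has a fresh SA established in the same minute or the minute before. Feeding the exported log to this kind of check on a schedule gives a "tunnel probably down" signal that the event log menu itself does not display.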

alemabrahao
Kind of a big deal

Wait, are you using IP 1.1.1.1? Did you know that it is the IP of a public DNS?


I think the problem is there.


1.1.1.1
5.5.5.5

They are just sample IP addresses. Please note that.

PhilipDAth
Kind of a big deal

A tip - if you are building a VPN to AWS, only build one of the two VPNs. It will fail if you build both of them.

Also, it is much easier to get going if your MX has a public IP address directly on it, rather than sitting behind a device doing NAT.

And lastly, the easiest way to do this is to deploy a VMX-S into AWS. Then you can use native Meraki SD-WAN.
https://meraki.cisco.com/product/hybrid-cloud/vmx/vmx-small/

sjlee
Comes here often

Thank you for the reply.

In the past, I configured 2 AWS tunnels. (The private subnet information was the same for both tunnels.)

And actually, the issue was due to both VPN tunnels being up. So I changed to keeping 1 VPN tunnel by deleting the other tunnel.


The MX device already uses a public IP address on the Internet port.

And the MX VPN also performs the user gateway role, so we are not able to deploy a vMX separately.

I understand that the vMX is an appliance separate from the MX75. Am I right?

GreenMan
Meraki Employee

The suggestion for the VMX is, I think, to use this at the AWS end, to terminate the tunnel there - in fact, you can then use it to terminate multiple tunnels, for resilience, load sharing, policy/performance routing etc. - if your MX75 has dual uplinks.

sjlee
Comes here often

Thank you for the reply. Yes, right. The MX75 is connected with dual WAN links on the appliance. (Appliance - Spare)

I understand that I need to keep only one AWS tunnel to keep a stable private connection with AWS.

After seeing your context, I recognize that I need to keep only one AWS tunnel to keep a stable private connection with AWS.
