SET VPN MONITOR REKEY JUNOS SERIES

I've been having some major issues with a Meraki MX80's VPN to one site previously running a Cisco 89x series and now a Ubiquiti EdgeRouter ER8-Pro. IPsec has 3DES/SHA1 with a lifetime of 86400 for both Phase 1 and 2. What I've found is that if a change is made in the site-to-site VPN settings, such as adding/removing a subnet on any of the peers, the Meraki closes ALL tunnels and recreates them. When this happens, certain types of traffic stop passing through the tunnel to this site. At the Cisco/Ubiquiti end, this manifests as failed authentication attempts to domain controllers, file shares stop working, etc. For all intents and purposes the tunnel is up; however, not everything works. The only way to fix it is to restart IPsec on the Cisco/Ubiquiti end. I can recreate this like clockwork by simply making a change to one of the peers on the Meraki console. Within a few seconds, the tunnels drop and recreate fine, but with only some of my traffic passing through.

By adjusting the MSS down to a conservative 1300 on all interfaces, the problem has magically gone away. As soon as I made the change, traffic started flowing freely. I didn't need to restart IPsec; it literally just came good. I then made 10+ changes to the Meraki peer console to try and force it to break, and each time the tunnel would drop, recreate and resume normal operation. Obviously it's too early for me to say whether this has completely resolved it, but I thought it worth sharing as I've tried almost everything else, and hopefully it points someone in the right direction.

set firewall options mss-clamp interface-type all

I just had one stop passing traffic this weekend. When I looked at the ASA side (since you can't see s*** on the Meraki) there were two tunnels up and active: one with the ASA as the initiator and one with it as the responder. Had to "cl isakmp sa" and everything started working again (but who knows for how long). Every time I reach out to them I get a tech that can't really help at all. They certainly act like they know what they are doing, but nothing ever really gets fixed. They just don't have the knowledge and experience to support the product properly when something unusual goes wrong. It is disappointing that this is even an issue. I've done SonicWall-ASA tunnels, Watchguard-ASA tunnels, Fortinet-ASA tunnels; all work perfectly. Meraki is owned by Cisco and they can't create a stable tunnel with the most industry-standard firewall imaginable. Maybe someone else can stay on support about this and give them a hard time. I just don't have the time or heart any more.

I am having the same exact issue between a Meraki MX80 HA pair and a Watchguard firewall. Basically, HA and all failover works perfectly, and then either at EOL of the Phase 2 key or at random the VPN just stops. It appears Phase 1 is up, and we have verified all settings on both sides and followed Meraki docs to a Watchguard; either side can rekey the tunnel back up and working, but it hangs. I have marked this case HIGH PRIORITY CRITICAL; when I lose this tunnel the entire organization is down. I am using an HA pair setup with virtual IPs for greatest recovery, with two ISPs all cabled the same, with a direct heartbeat cable between them per Meraki best practices. They had me move to 14.20 for an initial HA pair problem where STP was not being passed on a security monitoring device; got that resolved, it was not related to the 14.20 firmware. They beta pushed me up to 14.27 and now I'm back to my original problem. I was on stable release 13.27 and, at random, the MX would lose its virtual IP and the tunnel would try to establish on the non-virtual IP; of course, it wouldn't work.
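An added worked example (my own, not code from any of the posters or from Meraki/Ubiquiti) of the arithmetic behind the MSS clamp described in the first post above. It assumes IPv4 ESP in tunnel mode, a 1500-byte path MTU and HMAC-SHA1-96 with a 12-byte ICV for the 3DES/SHA1 suite the post names; the AES rows and the NAT-T option are my additions for comparison, not something the thread mentions. It shows that an unclamped 1460-byte MSS yields ESP packets larger than the MTU, while 1300 leaves about 100 bytes of headroom even with NAT-T encapsulation.

```python
"""ESP tunnel-mode MSS budget: how large can a TCP segment be before the
encrypted packet exceeds the path MTU?  Added example, not from the thread."""

OUTER_IPV4 = 20      # outer IPv4 header added in tunnel mode
NAT_T_UDP = 8        # extra UDP header when NAT traversal (UDP/4500) is used
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
INNER_TCP_IP = 40    # inner IPv4 (20) + TCP (20) headers, no options

# (IV length, padding alignment, ICV length) per ESP suite.
# Only the 3DES/SHA1 row is the suite named in the post; the others are
# assumed extras so the calculator can be reused for comparison.
SUITES = {
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-gcm-128": (8, 4, 16),
}


def esp_packet_size(inner_len, suite, nat_t=False):
    """On-the-wire size of one ESP tunnel-mode packet carrying an inner
    IP packet of inner_len bytes (RFC 4303 padding rules)."""
    iv, align, icv = SUITES[suite]
    # Payload + trailer must land on the cipher's alignment boundary.
    pad = (-(inner_len + ESP_TRAILER)) % align
    size = OUTER_IPV4 + ESP_HEADER + iv + inner_len + pad + ESP_TRAILER + icv
    if nat_t:
        size += NAT_T_UDP
    return size


def headroom(mss, mtu, suite, nat_t=False):
    """Bytes left in the MTU for a full-size segment at this MSS (negative
    means the ESP packet must be fragmented or dropped)."""
    return mtu - esp_packet_size(mss + INNER_TCP_IP, suite, nat_t)


def mss_fits(mss, mtu, suite, nat_t=False):
    return headroom(mss, mtu, suite, nat_t) >= 0


def max_tcp_mss(mtu, suite, nat_t=False):
    """Largest MSS whose full-size segment still fits the MTU once encrypted."""
    inner = mtu
    while esp_packet_size(inner, suite, nat_t) > mtu:
        inner -= 1
    return inner - INNER_TCP_IP


if __name__ == "__main__":
    suite = "3des-cbc/hmac-sha1-96"
    for mtu in (1500, 1492):            # 1492 = typical PPPoE uplink
        for nat_t in (False, True):
            print(f"MTU {mtu} NAT-T={nat_t!s:5}  max MSS {max_tcp_mss(mtu, suite, nat_t)}  "
                  f"headroom@1460 {headroom(1460, mtu, suite, nat_t):5}  "
                  f"headroom@1300 {headroom(1300, mtu, suite, nat_t):5}")
```

The calculator is slightly more general than the post: it takes any suite in the table and optional NAT-T encapsulation. On EdgeOS the clamp value itself is set with a separate `set firewall options mss-clamp mss 1300` statement alongside the `interface-type all` line the poster quoted; that second command is from my own knowledge of EdgeOS, not from the thread. The poster did not prove that oversized ESP packets were the root cause; the numbers only show that the symptom is consistent with full-size segments failing while small ones pass.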