IPSEC VPN ASR1001x and Meraki

inigoed
Level 1

Does anyone have any experience in bringing up a VPN connection between an ASR1001-X and Meraki?  We're unable to establish the VPN tunnel if traffic is initiated from our side (ASR1001-X) but the tunnel comes up if traffic is initiated from the Meraki side. 


A few notes:

- When we try to initiate traffic, we don't see a response from the Meraki and the IKE requests eventually die out.

- A ping from the Meraki side to the ASR peer IP brings up the tunnel.

- If we try to bring down the tunnel, the Meraki will re-establish the tunnel.

- DPD is enabled

- Once the phase 1 lifetime expires (24 hours), the tunnel comes down completely despite having an "ip sla" process on the ASR running a ping to a server on the Meraki side.


Thanks in advance!

- Ed

5 Replies

Hi,
Do you have PFS configured on both devices?
Can you provide the configuration of the ASR and some debugs of when it fails to establish a VPN

*Oct 29 15:19:03.181 UTC: ISAKMP: (0):SA request profile is PRO_XXXX
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):Created a peer struct for 40.71.228.241, peer port 500
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):New peer created peer = 0x7F7D7D633F58 peer_handle = 0x8002C842
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):Locking peer struct 0x7F7D7D633F58, refcount 1 for isakmp_initiator
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):local port 500, remote port 500
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):set new node 0 to QM_IDLE
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):Find a dup sa in the avl tree during calling isadb_insert sa = 7F7D7E2FDD30
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):Found ADDRESS key in keyring KR-XXXX_key
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):IKE->PKI Get configured TrustPoints state (I) MM_NO_STATE (peer 40.71.228.241)
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):PKI->IKE Got configured TrustPoints state (I) MM_NO_STATE (peer 40.71.228.241)
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):growing send buffer from 1024 to 3072
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1

*Oct 29 15:19:03.181 UTC: ISAKMP: (0):beginning Main Mode exchange
*Oct 29 15:19:03.181 UTC: ISAKMP-PAK: (0):sending packet to 40.71.228.241 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:19:03.181 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Oct 29 15:19:13.181 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Oct 29 15:19:13.181 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 29 15:19:13.181 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Oct 29 15:19:13.181 UTC: ISAKMP-PAK: (0):sending packet to 40.71.228.241 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:19:13.181 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Oct 29 15:19:23.181 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Oct 29 15:19:23.182 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 29 15:19:23.182 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Oct 29 15:19:23.182 UTC: ISAKMP-PAK: (0):sending packet to 40.71.228.241 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:19:23.182 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Oct 29 15:19:33.181 UTC: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 199.52.101.1, remote 40.71.228.241)
*Oct 29 15:19:33.182 UTC: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Oct 29 15:19:33.183 UTC: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Oct 29 15:19:33.183 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Oct 29 15:19:33.183 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Oct 29 15:19:33.183 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Oct 29 15:19:33.183 UTC: ISAKMP-PAK: (0):sending packet to 40.71.228.241 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:19:33.183 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Oct 29 15:19:42.961 UTC: ISAKMP: (0):purging SA., sa=7F7D7F3D7BA0, delme=7F7D7F3D7BA0
*Oct 29 15:19:43.183 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Oct 29 15:19:43.183 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Oct 29 15:19:43.183 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Oct 29 15:19:43.183 UTC: ISAKMP-PAK: (0):sending packet to 40.71.228.241 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:19:43.183 UTC: ISAKMP: (0):Sending an IKE IPv4 Packet.

*Oct 29 15:20:29.729 UTC: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list

*Oct 29 15:20:42.134 UTC: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list

*Oct 29 15:20:03.184 UTC: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Oct 29 15:20:03.184 UTC: ISAKMP: (0):peer does not do paranoid keepalives.
*Oct 29 15:20:03.184 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 40.71.228.241)
*Oct 29 15:20:03.184 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 40.71.228.241)
*Oct 29 15:20:03.184 UTC: ISAKMP: (0):Unlocking peer struct 0x7F7D7D633F58 for isadb_mark_sa_deleted(), count 0
*Oct 29 15:20:03.184 UTC: ISAKMP: (0):Deleting peer node by peer_reap for 40.71.228.241: 7F7D7D633F58
*Oct 29 15:20:03.188 UTC: ISAKMP: (0):deleting node 2091495314 error FALSE reason "IKE deleted"
*Oct 29 15:20:03.188 UTC: ISAKMP: (0):deleting node 2980217384 error FALSE reason "IKE deleted"
*Oct 29 15:20:03.188 UTC: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 29 15:20:03.188 UTC: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

So the ASR is retransmitting MM1 because the Meraki does not appear to respond. Is the Meraki configured only to initiate the VPN and not to respond?
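A small log-triage script, added here as an example and not part of the thread, that applies the reasoning above to "debug crypto isakmp" output: it counts IKE packets sent to and received from each peer, tracks the phase 1 retransmit counter, and flags SAs that were deleted by retransmission without a single reply. The sample lines are constructed in the shape of the capture above; the second peer address (203.0.113.9) is made up to show what a responding peer looks like.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ISAKMP debug lines quoted in the thread
# (same line shapes, same peer address); not the poster's full capture.
SAMPLE_DEBUG = """\
*Oct 29 15:19:03.181 UTC: ISAKMP-PAK: (0):sending packet to 40.71.228.241 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:19:13.181 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Oct 29 15:19:13.181 UTC: ISAKMP-PAK: (0):sending packet to 40.71.228.241 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:19:23.182 UTC: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Oct 29 15:19:23.182 UTC: ISAKMP-PAK: (0):sending packet to 40.71.228.241 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:20:03.184 UTC: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 40.71.228.241)
*Oct 29 15:21:00.000 UTC: ISAKMP-PAK: (0):sending packet to 203.0.113.9 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 29 15:21:00.050 UTC: ISAKMP-PAK: (0):received packet from 203.0.113.9 dport 500 sport 500 Global (I) MM_NO_STATE
"""

SENT = re.compile(r"sending packet to (\S+) .*\((I|R)\) (\S+)")
RECV = re.compile(r"received packet from (\S+) .*\((I|R)\) (\S+)")
RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE = re.compile(r'deleting SA reason "([^"]+)" .*\(peer (\S+)\)')


def analyse_isakmp_debug(text):
    """Return per-peer phase 1 statistics from 'debug crypto isakmp' output."""
    peers = defaultdict(lambda: {"sent": 0, "received": 0, "retransmits": 0,
                                 "max_attempts": None, "deleted": None})
    current = None  # retransmit lines name no peer: attribute to the last packet's peer
    for line in text.splitlines():
        if m := SENT.search(line):
            current = m.group(1)
            peers[current]["sent"] += 1
        elif m := RECV.search(line):
            current = m.group(1)
            peers[current]["received"] += 1
        elif (m := RETRANS.search(line)) and current:
            peers[current]["retransmits"] = int(m.group(1))
            peers[current]["max_attempts"] = int(m.group(2))
        elif m := DELETE.search(line):
            peers[m.group(2)]["deleted"] = m.group(1)
    return dict(peers)


def verdict(stats):
    """One-line reading of a peer's phase 1 statistics."""
    if stats["received"] == 0 and stats["deleted"] and "retransmission" in stats["deleted"]:
        return "no reply from peer: phase 1 died after retransmitting MM1"
    if stats["received"] == 0:
        return "no reply from peer yet"
    return "peer is answering"


if __name__ == "__main__":
    for peer, stats in analyse_isakmp_debug(SAMPLE_DEBUG).items():
        print(f"{peer}: sent={stats['sent']} received={stats['received']} "
              f"retransmits={stats['retransmits']} -> {verdict(stats)}")
```

Run against a real capture, a peer showing sent > 0 and received == 0 right up to "Death by retransmission P1" is the same picture as in this thread: the initiator's first Main Mode packet never got an answer.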

What about the answer to my question? And the configuration?

ip vrf XXXX
rd 65046:34

------------ IKEV1 ---------------
crypto isakmp policy 27
encr aes 256
authentication pre-share
group 5
lifetime 86400

crypto keyring KR-XXXX_key
local-address 199.52.101.1
pre-shared-key address 40.71.228.241 key REMOVED

crypto isakmp profile PRO_XXXX
description XXXX
vrf XXXX
keyring KR-XXXX_key
match identity address 10.222.50.4 255.255.255.255
keepalive 10 retry 5
local-address 199.52.101.1


--------CRYPTO MAP - PHASE 2 (DOUBLE CHECK SEQUENCE NUMBER AND TRANSFORM SET) --------------------

crypto map CM_AGDC 270 ipsec-isakmp
description Tunnel to XXXX
set peer 40.71.228.241
set security-association lifetime seconds 86400
set transform-set TS_AES_SET
set isakmp-profile PRO_XXXX
match address AL_EY-XXXX


---------ENCRYPTION DOMAIN-------------------------

ip access-list extended AL_EY-XXXX
permit ip host 199.49.6.57 10.222.64.0 0.0.0.255

------------VASI INTERFACE---------------------------

interface vasileft33
description XXXX
ip vrf forwarding lan
ip address 10.145.212.129 255.255.255.252
no keepalive
no shut
!
!
interface vasiright33
description XXXX
ip vrf forwarding XXXX
ip address 10.145.212.130 255.255.255.252
ip nat inside
no keepalive
no shut

---------- PUBLIC STATIC ROUTING (Peer IP, Destination Network/Hosts, Destination NAT) ------------------------------------

ip route vrf XXXX 0.0.0.0 0.0.0.0 10.145.212.129
ip route vrf XXXX 40.71.228.241 255.255.255.255 TenGigabitEthernet0/0/0 199.52.101.4 name XXXX_peer
ip route vrf XXXX 10.222.64.0 255.255.255.0 TenGigabitEthernet0/0/0 199.52.101.4 name XXXX_net

------------- NAT POOL ---------------------------

ip nat pool XXXX_pool 199.49.6.57 199.49.6.57 prefix-length 28
ip nat inside source list EY_TO_XXXX_nat pool XXXX_pool vrf XXXX overload

ip access-list extended EY_TO_XXXX_nat
permit ip any 10.141.4.40 0.0.0.7

-------- DESTINATION STATIC NAT ------------------------------------------

ip nat outside source static 10.222.64.138 10.141.4.41 vrf XXXX
ip nat outside source static 10.222.64.145 10.141.4.42 vrf XXXX
ip nat outside source static 10.222.64.148 10.141.4.43 vrf XXXX
ip nat outside source static 10.222.64.192 10.141.4.44 vrf XXXX


-------------------- PRIVATE ROUTING (Destination NAT or Destination Network/Hosts ---------------------
router bgp 65046
address-family ipv4 vrf lan
network 10.141.4.40 mask 255.255.255.248
exit

ip route vrf lan 10.141.4.40 255.255.255.248 10.145.212.130 name XXXX track 157


crypto isakmp policy 27
encr aes 256
authentication pre-share
group 5
lifetime 28800

Eskil F
Level 1

Did you find any solution to this problem?