Hi, I need some advice on what might be going wrong with my tunnel.
I established this tunnel like 6 months ago and it was fine until now. It's an IKEv1 tunnel between a vMX in Azure (my NVA) and some 3rd party virtual ASA device. The tunnel is up, but I can reach remote subnets only from one subnet on my side.
All my Azure resources are in the 10.3.0.0/16 subnet.
On the vMX I also have Client VPN configured with the 10.10.10.0/24 subnet.
For the past few days I can reach remote networks behind the tunnel only from the 10.3.0.0/16 subnet. According to 3rd party support, the SA is not building up with the 10.10.10.0/24 network because there is no traffic from this subnet towards their VPN box. When they ping something in my client VPN subnet from their VPN box, the SA comes up and I get access from the VPN client subnet for some time, until:
Jan 16 14:08:24 vpn %ASA-5-713050: Group = [vmxpublicip] IP = [vmxpublicip], Connection terminated for peer [vmxpublicip]. Reason: IPSec SA Idle Timeout Remote Proxy [remotesubnet], Local Proxy 10.10.10.0
I had 2 remote support calls with the Meraki guys and they were checking backend logs. According to them, traffic from the 10.10.10.0/24 subnet is successfully routed through the tunnel but it gets no responses back.
The guys from ASA told me that they are responders:
IKE Peer:[vmxpublicip]
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
And since January 10th they don't see any connections from the 10.10.10.0/24 subnet in the tunnel traffic logs, and they're saying no configuration changes were made on their end recently. Who is lying to me?