S2S VPN (ASA <> Meraki) stopped working - need help identifying reason

mike_t2
Level 1

Hi All

I have a S2S VPN from an ASA 5506 to a Meraki MX which was working fine but now has stopped.  The date when it stopped was roughly when the ISP made some changes to their router at the Meraki end and so that is where I suspect the issue lies, but I would like some help to identify what the issue may be as the ISP is saying their config is fine (!). 

This is the only S2S VPN in the network, so I can't test from another ASA, but I did test a Client VPN. When I started investigating, I set up a client VPN to the Meraki which did not work. The ISP then opened up ports 500 and 4500 and the client VPN then worked.

For the S2S VPN, using `sho cry isa sa` I can see that it gets to MM_ACTIVE, but `sho cry ipsec sa` shows "There are no ipsec sas".

Looking at the ASA with ASDM, I can see the VPN come up but Rx bytes and Tx bytes always stay at 0 (I assume because there is no ipsec sa?)

Also, when the VPN is at MM_ACTIVE state and I do a packet trace, I get an "(acl-drop) Flow is denied by configured rule":

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP

Another thing to mention is that the VPN is using NAT traversal as my firewalls have been given private addresses, and the ISP devices have the public addresses.

Can anyone help in guiding me to find what the issue might be, or help me collect information to put to the ISP so that they can fix the issue (if it is indeed an issue in their network)

Thanks in advance

Mike 

15 Replies

mike_t2
Level 1

For your info, I finally managed to get this resolved with the help of Meraki support (and lots of helpful assistance from Sheraz.Salim). So I thought I'd post the solution here in case anyone else has this issue.

The issue was that NAT Detection and/or NAT traversal was not working properly and the Meraki was not accepting the request from the ASA because of a mismatch (both the Meraki and the ASA are behind ISP routers which are doing NAT). The solution was to put the private IP address of the ASA (the ASA outside interface) into the "Remote ID" field in the Meraki VPN config, and then it worked.

Mike
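To illustrate why the Remote ID fix above works, here is an added example (not code from the thread, Cisco or Meraki) that models the two responder-side checks involved: the RFC 3947 NAT-D hash that tells the peers a NAT sits between them, and the Phase 1 identity check that compares the configured Remote ID with the ID the initiator sends. It assumes the ASA sends its outside-interface (private) address as its IKE ID, as the fix implies; all addresses and cookies are constructed placeholders.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values, not addresses from the thread.
ASA_PRIVATE_IP = "192.0.2.10"      # ASA outside interface, behind the ISP NAT
ASA_PUBLIC_IP = "198.51.100.10"    # source address the Meraki actually sees
ISAKMP_PORT = 500
CKY_I = bytes.fromhex("0102030405060708")  # initiator cookie (constructed)
CKY_R = bytes.fromhex("1112131415161718")  # responder cookie (constructed)


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: SHA-1 over CKY-I | CKY-R | IP | Port,
    with IP and port in network byte order."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """Responder check: the initiator hashes the address it believes it has;
    the responder hashes the source it observed on the wire. A mismatch means
    a NAT rewrote the packet, so both sides switch to UDP 4500 encapsulation."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


def peer_id_accepted(configured_remote_id: str, ike_id_payload: str) -> bool:
    """Phase 1 identity check: the ID payload the initiator sends must match the
    Remote ID configured for the peer, independent of the packet's source IP."""
    return configured_remote_id == ike_id_payload


def diagnose(remote_id_setting: str) -> dict:
    """Summarise the two checks for a given Meraki 'Remote ID' setting."""
    return {
        "nat_between_peers": nat_detected(CKY_I, CKY_R, ASA_PRIVATE_IP, ISAKMP_PORT,
                                          ASA_PUBLIC_IP, ISAKMP_PORT),
        # The ASA places its private outside address in the ID payload.
        "remote_id_matches": peer_id_accepted(remote_id_setting, ASA_PRIVATE_IP),
    }


if __name__ == "__main__":
    print("Remote ID = public IP :", diagnose(ASA_PUBLIC_IP))
    print("Remote ID = private IP:", diagnose(ASA_PRIVATE_IP))
```

With the Remote ID left at the public address the NAT is detected but the identity check fails, which matches a tunnel that reaches MM_ACTIVE yet never builds an IPsec SA; setting it to the ASA's private address makes both checks pass.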