ASA and Meraki MX site to site

leadtheway
Having an issue with a Meraki and an ASA site-to-site. When I first built the tunnel it showed up, both green on the Meraki and showing MM_active in the crypto SA on the ASA. But I still can't talk to devices behind the ASA. And periodically when I check the ASA VPN status it shows red, but when I try to ping something behind the ASA I get 100% loss, but the tunnel will then show green. Not sure if it's an issue with the Meraki and using summarized subnets or something else. Anyone have experience with this?
Ensure the ASA has appropriate NAT exclusions in place to ensure that traffic outbound over the VPN maintains its local IP addressing.
When the tunnel is down, if you attempt to ping something behind the Meraki from something behind the ASA, does the tunnel come up?
Author commented:
Yes, the tunnel comes up, but I still get 100% packet loss.
Do the ASA tunnel stats show any transmitted/received packets? And does the ASA's packet tracer show that your test traffic would be sent over the tunnel?
Is there any device between the ASA and the Meraki that could be blocking IPsec tunnels (only allowing the UDP negotiation)?
Author commented:
I figured it out, the SA lifetime was mismatched.
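For anyone landing on this thread with the same symptoms, here is an added illustration (not configuration from the original poster or from either vendor's documentation) of the three things the replies above point at on the ASA side: the NAT exemption so traffic keeps its private source address, the tunnel definition with lifetimes that match what the Meraki dashboard shows, and the verification commands for tunnel counters and packet-tracer. All subnets, peer address, object and map names are made up for the example; the lifetime of 28800 seconds is an assumed value that must be set to whatever the Meraki non-Meraki-peer policy is configured with, since a phase 1 or phase 2 lifetime mismatch produces exactly the "tunnel shows up but traffic is dropped / flaps" behaviour described in the question. The crypto ACL must also list the Meraki-side subnets exactly as the MX advertises them; a summarized range on one end and individual subnets on the other will fail proxy-ID negotiation.

```cisco
! --- Example ASA 8.3+ config (constructed for illustration, names and addresses are placeholders) ---
object network LAN-ASA
 subnet 192.168.10.0 255.255.255.0          ! assumed LAN behind the ASA
object network LAN-MERAKI
 subnet 192.168.20.0 255.255.255.0          ! assumed LAN behind the Meraki MX, listed exactly as the MX advertises it

! NAT exemption (identity NAT) so VPN-bound traffic is not translated to the outside address
nat (inside,outside) source static LAN-ASA LAN-ASA destination static LAN-MERAKI LAN-MERAKI no-proxy-arp route-lookup

! Crypto ACL: interesting traffic; must mirror the MX's local/remote subnets
access-list VPN-TO-MERAKI extended permit ip object LAN-ASA object LAN-MERAKI

! Phase 1 (IKEv1). Lifetime is the setting that was mismatched in this thread;
! 28800 s is assumed here and must equal the Meraki phase 1 lifetime.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

! Phase 2. Set the SA lifetime explicitly rather than relying on the ASA default so it is visibly aligned with the MX.
crypto ipsec ikev1 transform-set MERAKI-TS esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-MERAKI
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2                  ! assumed MX public address
crypto map OUTSIDE-MAP 10 set ikev1 transform-set MERAKI-TS
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>

! --- Verification (what the "stats" and "packet tracer" suggestions above refer to) ---
! Phase 1 state; MM_ACTIVE alone only proves IKE came up, not that data flows
show crypto ikev1 sa
! Phase 2 counters: if #pkts encaps grows but #pkts decaps stays 0, ESP is not coming back (in-path filtering or a mismatched SA)
show crypto ipsec sa peer 203.0.113.2
! Simulate a ping from the ASA LAN to the Meraki LAN; the output should show the NAT exemption and a VPN encrypt phase
packet-tracer input inside icmp 192.168.10.5 8 0 192.168.20.5 detailed
```

The useful diagnostic split is between `show crypto ipsec sa` counters and packet-tracer: packet-tracer failing at the NAT phase means the exemption is wrong, while packet-tracer succeeding with zero decaps means the problem is on the return path or in the negotiated SA (lifetime, transform or proxy-ID mismatch), which is where this thread's answer landed.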