03-24-2014 05:05 PM
Hi all,
Has anyone had success establishing a site-to-site tunnel between a PAN firewall and a Cisco Meraki Cloud managed firewall? I've been messing with it for most of the day and have not had much luck. I've added a third-party peer on the Meraki, but it doesn't seem to make any connections back to the PAN, or even an attempt to establish the tunnel. I probably should connect with Cisco support too, but wondered if anyone had any configuration on the PAN side of things. Thanks for any help!
09-23-2014 01:19 PM
Did you ever get this resolved? I'm going to be doing a site to site with a PA-500 and Meraki firewall.
09-23-2014 01:30 PM
Hello cmateam,
If this issue still persists, you could share SYSTEM logs (subtype vpn) and ike-manager logs from the PAN firewall, while trying to establish the site-to-site VPN tunnel.
> show log system subtype equal vpn start-time equal YYYY/MM/DD@hh:mm:ss
> tail follow yes mp-log ikemgr.log
Also, share logs related to IPsec from your Cisco Meraki device.
Thanks
09-23-2014 01:45 PM
Hi fonasupport,
We do not have known issues with setting up VPN with Meraki Controller/Cloud. If you are unable to get the tunnels up, share your log output; that should give us information about errors or issues. We cannot confirm without that information. Thank you.
09-30-2014 08:03 AM
I've not pursued this any further as requirements for the project have changed. I spoke more with Cisco Meraki, as it seems their configuration options are less feature rich than the PAN's, and are somewhat confusing, so I've not resolved this. Sorry.
10-13-2016 08:25 AM - edited 10-13-2016 08:27 AM
I would hate to see this topic just drop. I am working the same issue where I have a Cisco Meraki deployed and am establishing a tunnel using a dynamic peer (FQDN). I have not had this connect successfully yet and am wondering if anyone has resolved this issue. I don't manage the Meraki, but from what I can tell from online information about the device, this should be a no-brainer. Anyone have any updates?
10-13-2016 08:33 AM
What do your IKE logs suggest?
> tail lines 100 mp-log ikemgr.log
06-06-2018 11:37 PM
An old thread, but I'm experiencing the exact same problem - this is the output from my log:
2018-06-07 16:32:11.297 +1000 [INFO]: { 9: 19}: IPsec-SA request for <DESTINATION> queued since no phase1 found
2018-06-07 16:32:11.298 +1000 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] cookie:2570f4631d87c873:0000000000000000 <====
2018-06-07 16:32:11.327 +1000 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: <SOURCE>[500]-<DESTINATION>[500] cookie:2570f4631d87c873:875eb7c41d1afddf lifetime 28800 Sec <====
2018-06-07 16:32:11.333 +1000 [PNTF]: { 9: 19}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] message id:0xA7357297 <====
2018-06-07 16:32:41.013 +1000 [PNTF]: { : 19}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: <SOURCE>[500]-<DESTINATION>[500] message id:0xA7357297 <==== Due to negotiation timeout.
2018-06-07 16:32:41.675 +1000 [PNTF]: { 9: 19}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] message id:0x08FEB477 <====
Anybody have any ideas on how to get this working?
Let me know
M
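Added example, not part of any post in this thread: a small Python parser for ikemgr.log output in the format shown in the last post, reporting per peer how far negotiation got. The function names are hypothetical and the sample lines are constructed, with documentation-range addresses in place of the redacted peers.

```python
import re

HEADER = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ \S+\s+\[\w+\]:\s*\{[\s\d]*:[\s\d]*\}:\s*"
    r"====> PHASE-(?P<phase>[12]) NEGOTIATION (?P<state>STARTED|SUCCEEDED|FAILED) ")
DETAIL = re.compile(r"^====> \w+ SA: \S+\[\d+\]-(?P<peer>\S+)\[\d+\] .*?<====(?: Due to (?P<reason>.+?)\.?)?$")

# Constructed sample in the posted log format; 192.0.2.1 / 198.51.100.7 are documentation addresses.
SAMPLE = """
2018-06-07 16:32:11.327 +1000 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: 192.0.2.1[500]-198.51.100.7[500] cookie:2570f4631d87c873:875eb7c41d1afddf lifetime 28800 Sec <====
2018-06-07 16:32:11.333 +1000 [PNTF]: { 9: 19}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: 192.0.2.1[500]-198.51.100.7[500] message id:0xA7357297 <====
2018-06-07 16:32:41.013 +1000 [PNTF]: { : 19}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: 192.0.2.1[500]-198.51.100.7[500] message id:0xA7357297 <==== Due to negotiation timeout.
"""

def parse_events(text):
    """Pair each PHASE-n header with the '====> ... SA:' line that follows it."""
    events, pending = [], None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:
            pending = (int(header["phase"]), header["state"])
            continue
        detail = DETAIL.match(line)
        if detail and pending:
            events.append((detail["peer"], *pending, detail["reason"]))
        pending = None  # any other line breaks the header/detail pairing
    return events

def diagnose(events):
    """Return {peer: verdict} from the last finished state of each phase."""
    last = {}
    for peer, phase, state, reason in events:
        if state != "STARTED":
            last.setdefault(peer, {})[phase] = (state, reason or "no reason logged")
    verdicts = {}
    for peer, phases in last.items():
        p1, p2 = phases.get(1, ("", "")), phases.get(2, ("", ""))
        if p2[0] == "FAILED":
            after = " after phase 1 succeeded" if p1[0] == "SUCCEEDED" else ""
            verdicts[peer] = f"phase 2 failed{after}: {p2[1]}"
        elif p1[0] == "FAILED":
            verdicts[peer] = f"phase 1 failed: {p1[1]}"
        else:
            verdicts[peer] = "tunnel negotiated" if p2[0] else "phase 1 up, no phase 2 result"
    return verdicts
```

A verdict of phase 2 failing after phase 1 succeeded narrows the comparison between the two peers to the phase-2 settings (IPsec crypto profile and proxy IDs on the PAN side) rather than the IKE gateway settings.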