
PAN-2020 site-to-site with Meraki Cloud managed firewall


L3 Networker

Hi all,

Has anyone had success establishing a site-to-site tunnel between a PAN firewall and a Cisco Meraki Cloud managed firewall? I've been messing with it for most of the day and have not found much luck. I've added a third party peer on the Meraki, but it doesn't seem to make any connections back to PAN, or even an attempt to establish the tunnel. I probably should connect with Cisco support too, but wondered if anyone had any configuration on the PAN side of things. Thanks for any help!

7 REPLIES

Not applicable

Did you ever get this resolved?  I'm going to be doing a site to site with a PA-500 and Meraki firewall.

L7 Applicator

Hello cmateam,

If this issue still persists, you could share SYSTEM logs (subtype vpn) and ike-manager logs from the PAN firewall, while trying to establish the site-to-site VPN tunnel.


> show log system subtype equal vpn start-time equal YYYY/MM/DD@hh:mm:ss

> tail follow yes mp-log ikemgr.log


Also, share logs related to IPsec from your Cisco Meraki  device.


Thanks






Hi fonasupport,

We do not have known issues with setting up VPN with Meraki Controller/Cloud. If you are unable to get the tunnels up, share your log output; that should give us information about errors or issues. We cannot confirm without that information. Thank you.

L3 Networker

I've not pursued this any further as requirements for the project have changed. I spoke more with Cisco Meraki, as it seems their configuration options are less feature rich than the PAN's, and are somewhat confusing, so I've not resolved this. Sorry.

L4 Transporter

I would hate to see this topic just drop. I am working the same issue where I have a Cisco Meraki deployed and am establishing a tunnel using a dynamic peer (FQDN). I have not had this connect successfully yet and am wondering if anyone has resolved this issue. I don't manage the Meraki, but from what I can tell from online information about the device, this should be a no-brainer. Anyone have any updates?

What do your IKE logs suggest?

 

tail lines 100 mp-log ikemgr.log

An old thread, but I'm experiencing the exact same problem - this is the output from my log:

 

2018-06-07 16:32:11.297 +1000 [INFO]: { 9: 19}: IPsec-SA request for <DESTINATION> queued since no phase1 found
2018-06-07 16:32:11.298 +1000 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] cookie:2570f4631d87c873:0000000000000000 <====
2018-06-07 16:32:11.327 +1000 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: <SOURCE>[500]-<DESTINATION>[500] cookie:2570f4631d87c873:875eb7c41d1afddf lifetime 28800 Sec <====
2018-06-07 16:32:11.333 +1000 [PNTF]: { 9: 19}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] message id:0xA7357297 <====
2018-06-07 16:32:41.013 +1000 [PNTF]: { : 19}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: <SOURCE>[500]-<DESTINATION>[500] message id:0xA7357297 <==== Due to negotiation timeout.
2018-06-07 16:32:41.675 +1000 [PNTF]: { 9: 19}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] message id:0x08FEB477 <====

 

Anybody have any ideas on how to get this working?

 

Let me know

 

M
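Added example, not part of any post in this thread: a Python parser for `ikemgr.log` output like the excerpt above, pairing each STARTED event with its outcome by cookie (phase 1) or message id (phase 2) so it is clear which phase fails, after how long, and with what stated reason. The function name `summarize` and the regular expressions are assumptions based only on the line format visible in that excerpt.

```python
import re
from datetime import datetime

# Sample input: the ikemgr.log excerpt from the post above, placeholders as posted.
SAMPLE = """\
2018-06-07 16:32:11.297 +1000 [INFO]: { 9: 19}: IPsec-SA request for <DESTINATION> queued since no phase1 found
2018-06-07 16:32:11.298 +1000 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] cookie:2570f4631d87c873:0000000000000000 <====
2018-06-07 16:32:11.327 +1000 [PNTF]: { 9: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====
====> Established SA: <SOURCE>[500]-<DESTINATION>[500] cookie:2570f4631d87c873:875eb7c41d1afddf lifetime 28800 Sec <====
2018-06-07 16:32:11.333 +1000 [PNTF]: { 9: 19}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] message id:0xA7357297 <====
2018-06-07 16:32:41.013 +1000 [PNTF]: { : 19}: ====> PHASE-2 NEGOTIATION FAILED AS INITIATOR, (QUICK MODE) <====
====> Failed SA: <SOURCE>[500]-<DESTINATION>[500] message id:0xA7357297 <==== Due to negotiation timeout.
2018-06-07 16:32:41.675 +1000 [PNTF]: { 9: 19}: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====
====> Initiated SA: <SOURCE>[500]-<DESTINATION>[500] message id:0x08FEB477 <====
"""

# Header line: timestamp, then "PHASE-n NEGOTIATION <event> AS <role>".
HEAD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\w+\]:.*"
                  r"PHASE-(\d) NEGOTIATION (STARTED|SUCCEEDED|FAILED) AS (\w+)")
# Continuation line: initiator cookie (phase 1) or message id (phase 2).
KEY = re.compile(r"cookie:([0-9a-f]{16}):|message id:(0x[0-9A-Fa-f]+)")
REASON = re.compile(r"Due to (.+?)\.?\s*$")

def summarize(text):
    """Return one record per finished negotiation, then any still without an outcome."""
    started, results, head = {}, [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:  # remember the event until its continuation line supplies the id
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            head = (ts, int(m.group(2)), m.group(3), m.group(4))
            continue
        k = KEY.search(line)
        if not (head and k):
            continue
        (ts, phase, event, role), head = head, None
        key = (phase, k.group(1) or k.group(2))
        if event == "STARTED":
            started[key] = ts
            continue
        t0 = started.pop(key, None)  # None if the start was not in this excerpt
        reason = REASON.search(line)
        results.append({"phase": phase, "id": key[1], "role": role, "outcome": event,
                        "seconds": round((ts - t0).total_seconds(), 3) if t0 else None,
                        "reason": reason.group(1) if reason else None})
    return results + [{"phase": p, "id": i, "outcome": "PENDING"} for p, i in started]
```

On the posted excerpt this reports phase 1 succeeding in 0.029 s, the first phase-2 exchange failing after 29.68 s with "negotiation timeout", and a second phase-2 attempt still pending.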
