Site-to-Site VPN between Cisco ASA and Meraki MX: The KB I Wish Meraki Had Written

qwerty_123_

HI,

I never leave replies for anything but this is really helped me out. I have 12 locations with ASAs and couldn't figure out why they kept dropping. Made the changes you mentioned and have had solid tunnels. Meraki really dropped the ball on that tutorial.

Many thanks

NetworkNerd

@qwerty_123_ said in Site-to-Site VPN between Cisco ASA and Meraki MX: The KB I Wish Meraki Had Written:

HI,

I never leave replies for anything but this is really helped me out. I have 12 locations with ASAs and couldn't figure out why they kept dropping. Made the changes you mentioned and have had solid tunnels. Meraki really dropped the ball on that tutorial.

Many thanks

You're most welcome. I'm glad it helped someone else get it solved quicker than the first time I tried.

wirestyle22

@NetworkNerd How reliable has this been for you and what do you have a each site out of curiousity?

NetworkNerd

@wirestyle22 said in Site-to-Site VPN between Cisco ASA and Meraki MX: The KB I Wish Meraki Had Written:

@NetworkNerd How reliable has this been for you and what do you have a each site out of curiousity?

After making the changes here, the tunnel was solid (no issues that I was ever aware of after that). We eventually replaced every ASA with a Meraki MX device (last ASA 5505 swapped out in October / November sometime).

For the purposes of this article, we had a Cisco ASA 5510 on one end and a Meraki MX64 on the other end.

qwerty_123_

@wirestyle22 I am replacing a 5515 at HQ with an MX84. I have 12 locations with 10 ASA 5505s and 2 Peplink devices. I also have a vpn connection from HQ to AWS. I have only had it up for the past couple days but it seems to be holding steady. The taking off of the NAT-T and changing the lifetime.

jakub.wawrzacz-p1

Hi NetworkNerd,

I SIMPLY HAD TO create an account to say BIG THANK YOU for putting this together, so thoroughly and being so pedantic about details (just like me) with all information that one could possibly need. It saved my "bacon" two days ago when setting up S2S VPN between MX84 and ASA5510. I couldn't work out why it doesn't sync. Without your KB I'd have to reschedule an important project so again, thank you. I can only hope you got more of these coming.

NetworkNerd

@jakub-wawrzacz-p1 said in Site-to-Site VPN between Cisco ASA and Meraki MX: The KB I Wish Meraki Had Written:

Hi NetworkNerd,

I SIMPLY HAD TO create an account to say BIG THANK YOU for putting this together, so thoroughly and being so pedantic about details (just like me) with all information that one could possibly need. It saved my "bacon" two days ago when setting up S2S VPN between MX84 and ASA5510. I couldn't work out why it doesn't sync. Without your KB I'd have to reschedule an important project so again, thank you. I can only hope you got more of these coming.

You are most welcome. I'm so glad it helped someone! It was too crazy of a situation not to tell the story. I have more articles if you search for the networknerd blog tag in Mangolassi (https://mangolassi.it/tags/networknerd blog). And, I've recently created my own personal blog at http://blog.thenetworknerd.com that I try to update regularly with different content.

jakub.wawrzacz-p1

@networknerd I will check out the blog as well thank you. Btw: just to give you an update, I had to do 2 more things to get a stable tunnel and that is set the 2nd Phase Lifetime to be lower than the Phase 1 and remove other encryption policies on the ASA. For example, I used for Phase One 3DES, SHA, DH Group 2 and Lifetime 86400 and for Phase 2 I used AES192, SHA, PFS Off and Lifetime 28800. On the ASA side, I disabled the IKev2 and for the Encryption Policy I only left enabled what you see above, plus obviously matched the time to 28800. I got stable tunnel then. Before these changes the tunnel kept dropping.

NetworkNerd

@jakub-wawrzacz-p1 said in Site-to-Site VPN between Cisco ASA and Meraki MX: The KB I Wish Meraki Had Written:

@networknerd I will check out the blog as well thank you. Btw: just to give you an update, I had to do 2 more things to get a stable tunnel and that is set the 2nd Phase Lifetime to be lower than the Phase 1 and remove other encryption policies on the ASA. For example, I used for Phase One 3DES, SHA, DH Group 2 and Lifetime 86400 and for Phase 2 I used AES192, SHA, PFS Off and Lifetime 28800. On the ASA side, I disabled the IKev2 and for the Encryption Policy I only left enabled what you see above, plus obviously matched the time to 28800. I got stable tunnel then. Before these changes the tunnel kept dropping.

That's great information to have. Thanks for sharing!

jt1001001

Old post but just had to do this for an implementation we are rolling out. Thanks!