SA520 to Meraki Z1 VPN Some IPs

We have a SA520 at the Main Site with a UC320 Unified Call Manager

A Meraki Z1 at the remote site with a SPA525G Phone.

VPN connectivity is established site to site, but for some reason any IP between 192.168.0.2 and .9 on the main site can't be accessed over the VPN. I can't ping the IPs nor access the web interface. I'm trying to set up the phone to the UC320, which is at 192.168.0.2.

The remote site is on 192.168.1.x. Anything outside of .2-.9 works fine, including the SA520 at .1, but none in the range listed.

Ideas?

12 REPLIES

SA520 to Meraki Z1 VPN Some IPs

Edrick, can you provide more details, please?

- what is the ip and subnet of your UC320?

- what is the IP and subnet of the Z1?

- confirm you are using ipsec VPN and not Meraki cloud VPN

I suspect you may need to add static routes on the SA520 and on the Z1 to reach each other.

-- please remember to rate and mark answered helpful posts --

New Member

SA520 to Meraki Z1 VPN Some IPs

The Meraki and the SA520 network talk just fine, it's only IPs on the SA520 Side of 192.168.0.2 to 192.168.0.9 that aren't available. Every other IP is fine.

Main Network SA520 Side

192.168.0.x/255.255.255.0

Meraki Side

192.168.1.x/255.255.255.0

SA520 to Meraki Z1 VPN Some IPs

I think you will need to share more details of your configs then. On the Z1 side under site-to-site vpn any site-to-site firewall entries? Personally, I have never touched SA520, but have installed many Meraki boxes. Meraki has very good support you may wish to engage as well, but they won't be much help on the SA520 side I suspect.

-- please remember to rate and mark answered helpful posts --

New Member

SA520 to Meraki Z1 VPN Some IPs

No firewall rules, I'm trying to get the Client VPN working with the SA520, so I can connect my laptop direct to the SA520 VPN and see if I can access it that way to verify where the issue might lie. But as usual Cisco Small Business products were complete crap. Thank god Meraki was bought and they moved to them. Because this SA appliance has been nothing but garbage, especially their web interface.

So no, no firewall rules on the Meraki, can't ping from the Meraki to the 192.168.0.2 address, but I can ping from the SA520 to the UC320 .2 address, also nothing I can see in the logs. I did a dump on my computer where I try the ping from and all I see is the ping request but no response and nothing shows up on the other end.

SA520 to Meraki Z1 VPN Some IPs

I feel you on the first part. I had the unfortunate experience of trying an ISA550 before I got the MX60. Now I have a small network with an MX60 and a few Z1s and am very happy with management and monitoring capabilities, not to mention great support when I have needed it. I am also a Cisco reseller and would never have sold the ISA or SA to my customers but now am selling plenty of Meraki.

Anyhow, I still suggest you show more details of your configs and your network and you will be more likely to get some good advice here. You may try using the packet capture on the Z1 to capture on the VPN interface and confirm traffic to 192.168.0.2 is at least getting on the tunnel.

-- please remember to rate and mark answered helpful posts --

New Member

SA520 to Meraki Z1 VPN Some IPs

I finally just got the Client VPN connection to work. I verified that even going through just the SA520 Client to Router (OS X to SA520 VPN), even through that method it still won't access the 192.168.0.2, so it seems to be an issue on the SA520 side.

So it seems we need to work on troubleshooting the SA520 side, so here are some details about the Site to Site VPN config on the SA520 side.

IKE Policy Configuration:

Policy Name: RemoteOffice

Direction / Type: Both

Exchange Mode: Main

Identifier Type: Remote WAN IP

Identifier: IP of Remote Meraki Z1 Public IP

IKE SA Parameters:

Encryption Algorithm: 3DES

Authentication Algorithm: SHA-1

Authentication Method: Pre-shared key

Pre-shared key: the key

Diffie-Hellman (DH) Group: Group 2 (1024 bit)

SA-Lifetime (sec): 28800

Enable Dead Peer Detection: unchecked

Detection Period: 10

Reconnect after failure count: 3

XAUTH Configuration: None

Authentication Type: User Database

User Name:

Password:

VPN Policies:

Enabled

Name: Remote Office

Backup Tunnel: None

Type: Auto Policy

Local: Any (Also had tried using subnet with the 192.168.0.0/24)

Remote: 192.168.1.0/255.255.255.0

Auth: SHA-1

Encr: 3DES

New Member


Bueller,  Bueller? Anyone?

SA520 to Meraki Z1 VPN Some IPs

What is the default gateway of 192.168.0.2? I guess it should be 192.168.0.1, but if it is something else or blank it would explain the behavior you describe.

-- please remember to rate and mark answered helpful posts --

New Member

SA520 to Meraki Z1 VPN Some IPs

It's 192.168.0.1, and again this isn't just the one .2 IP of the call manager; it's anything between .2 and .9 over the VPN, either site to site or site to client.

New Member

SA520 to Meraki Z1 VPN Some IPs

Any other ideas anyone?

New Member


So shall I just throw this SA520 away? It seems no one has any ideas and Cisco doesn't provide support for it. 

New Member


This forum seems to have a horrible layout for responding. I post a response and it doesn't show up or it shows up somewhere else. What is it, Cisco, with so many different logins and such a poor design with your website?

So it seems I should just throw this SA out and never buy Cisco again, as I haven't been able to get any further with this issue and Cisco isn't providing support.
