Re: non-Meraki VPN peer is not establishing with zScaler (2024)

Hello ,

I'm trying to setup non-Meraki ipsec peer with zscaler.

My MX68 device is directly connected to public network. I can successfully ping zscaler public IP from MX68. MX68 is not generating any kind of traffic to zscaler (checked via packet capture on MX68). The only thing which I found in Event Log is

Event Type: Non-Meraki / Client VPN negotiation

Event Details: msg: FIPS mode disabled

Here is the custom setting in non-meraki vpn provided to us by zscaler team.

Here is the result of capture.

Here is the ping response from MX68 to zScaler public IP.

I tried to find solution but no success, could you advice me what I can do?

Best regards,

Omar

Solved!Go to solution.

Reply

View solution in original post

Follow these recommendations:

• Security & SD-WAN -> Configure: Site-to-site VPN ->Non Meraki VPN settings:

  • Preshared secret must be greater than 14 characters
  • Authentication cannot be MD5
  • Diffie-Hellman Group must be 14
  • Phase 2 encryption cannot be NULL
  • PFS can be configured to be eitheroff or 14

0Kudos

1. Preshared secret must be greater than 14 characters

Yes in our case preshared key is 16 characters.

2. Authentication cannot be MD5

Yes we are not using MD5

3. Diffie-Hellman Group must be 14

I have also check with "Diffie-Hellman Group must be 14". Same issue.

4. Phase 2 encryption cannot be NULL

Yes, In our case Phase2 encryption is AES256, AES192,AES128.

5. PFS can be configured to be either off or 14

In our case it is off. I have also check this with 14.

I have found this above setting from Meraki documentation and i have implemented this but or creation of non-meraki vpn peer, event log message is same. msg: FIPS mode disabled

0Kudos

Is your MXbehind a CG-NAT?

0Kudos

0Kudos

And alsonot even the first and last character of the password can be a special character.

0Kudos

In our case credential does not contain any special character.

first and last character are lowercase alphabet

0Kudos

Have you tried it?https://community.meraki.com/t5/Security-SD-WAN/IPSEC-Tunnel-withZScaler/m-p/53769

0Kudos

0Kudos

Do you have any local subnet set to vpn on?

https://help.cloudi-fi.com/en/articles/3177550-cisco-meraki-mx-routing-tunnels-deployment

0Kudos

Another thing i would like to add that below is the configuration of ours non-meraki vpn with zScaler. (peer not established)

While here is the configuration of another meraki dashboard of same customer a another country which is working fine.

Both non-meraki settings have its own credentials.

Also note that both MX have same version.

0Kudos

Open a support case.

0Kudos

0Kudos

You've tried all possible options, maybe you can try with a different version.

0Kudos

You can try changing the phase 2 lifetime to 3600s.

0Kudos

0Kudos

Do you see anything in the MX event log on Site-to-Site VPN negotiation?

0Kudos

In Event logs I only found this message. And this event only occurs if i delete peer and create new one. Changing a already created peer does not generate any log.

0Kudos

If you do a pcap on the MX internet interface, you should be seeing packets on udp/500 and udp/4500, as far as I recall.

0Kudos

But in pcap there is not a single packet for UDP500 or to destination zscaler peer ip.

I beleive MX68 is not able to generate any ipsec messages and event log is FIPS mode disable.

0Kudos

Dear All,

thanks for your valuable feedback and suggestions. Issue got resolved after contacting call support from Meraki team.

Here is the final settings of non-meraki vpn peer after that issue resolved in our case.

I thing i must like to add that the peer does not go up until we forward from traffic. That is one thing we have observed.

e.g.

Here is the case that I can see that the route is active in routing table for non-Merkai VPN peer.

But when we see VPN status we found out that peer is down.

We thought in actual the peer is down. But when we send some icmp packet to zscaler then VPN status shows peer is up.

VPN status after icmp packet

We have observed that they are few drop for icmp packer at very start but after that ping observed normal with out any drops and peer shows up.

Another thing we have observed that if there is no traffic on the non-meraki vpn peer then VPN status again show red or peer down after few hours but if we send some traffic or icmp ping then again it comes to green (VPN peer up).

This is all we have observed so far.

0Kudos