Cisco Systems Inc Vpn Service Missing




Error 56: The Cisco Systems, Inc. VPN Service has not been started. Please start this service and try again. Of course the service is started; so that's not very helpful. It's been working for years (two years), but today I go to use it and it's broken.

6) Then change ownership of “C:\Program Files (x86)\Cisco Systems\VPN Client” on “Users” and give Full Control for “Users”. 7) Resume the installation process and it finishes successfully.

Many enterprise networks have existing MPLS circuits that connect locations. However, if the MPLS goes down, the connection to a remote location is lost. MX Security Appliances can be placed in these networks to dynamically fail over to a VPN connection via a secondary Internet connection. This article describes how the Cisco Meraki Cloud manages the VPN tunnel based on the status of the Internet uplinks, and illustrates the complete flow of traffic when the VPN is properly enabled and functioning.

General Network Design and Considerations

There are a few high level concepts to mention before getting into the details of network design:

  1. The MX at the branch location must use the Internet connection of HQ to send its management traffic to the Cloud while the MPLS is in use. With this in mind, the MPLS routers at the branch locations must have a route for Internet bound traffic. For client devices, you can use Flow preferences on the Branch MX to direct Internet bound traffic out the ISP at the branch.
  2. MXes need to form a VPN over the MPLS connection because unsolicited inbound traffic is dropped. VPN between the two sites resolves this issue.
  3. If the MPLS fails, the Branch MX will switch to its secondary Internet connection and the MXes will establish a tunnel over VPN.

MPLS Setup in Detail

Diagram of traffic flow when VPN is established over the MPLS Circuit.


Detailing the Flow of VPN Traffic

  1. Host at Branch location wants to talk to host at HQ.
  2. SRC IP 172.16.0.10 > DST IP 10.0.5.20.
  3. Host routes traffic to its default Gateway (Branch MX).
  4. Branch MX has a VPN tunnel built for that remote Subnet (10.0.5.0/24) thanks to the knowledge of the Cloud.
  5. Data is encapsulated and sent over the VPN tunnel to the HQ MX in Concentrator Mode.
  6. MX Concentrator decapsulates the packet and delivers it to its DST IP (10.0.5.20).
  7. HQ client computer (10.0.5.20) responds to the packet and sends it to its default gateway (HQ Firewall), since it doesn't know about the location of the Branch network.
  8. HQ Firewall receives the packet and knows that it must route all traffic with a DST network of 172.16.0.0/24 back to the MX Concentrator.
  9. You need a static route pointing all Remote networks to the MX Concentrator. Example Cisco IOS route statement: ip route 172.16.0.0 255.255.255.0 10.0.5.254.
  10. The MX concentrator has a tunnel established for the network ID of 172.16.0.0/24, so it encapsulates the traffic and sends it to the Branch MX.
  11. The Branch MX decapsulates the packet and delivers it to the DST host (172.16.0.10).
  12. This communication works the same way whether the MXes communicate over the MPLS or over their individual Internet connections.

Cisco Meraki VPN Registry

When the MX devices report to the Dashboard, the Dashboard records both the SRC IP address of the traffic and the Interface IP of the MX. Sometimes these addresses do not match. This is common when the Device is placed in 1-armed VPN Concentrator Mode. This means that the MX has a private IP address, and VPN traffic is forwarded to the hardware for encapsulation.

Below is a screenshot of the Security & SD-WAN > Monitor > Appliance status > Uplink page. Notice that the WAN IP is different from the Public IP address.

In the diagram above, the Branch MX is routing all traffic over the MPLS to the HQ firewall. The Dashboard bound traffic has the same SRC IP address (230.45.122.56) as the HQ MX Concentrator. However, the IP addresses of the Interfaces (10.0.5.254 and 192.168.1.2) are both local to their network, and those addresses are reported to the Dashboard as well.

Below is an example of VPN Registry and the IP addresses that the Cloud records.

In this example, the Dashboard knows that the two devices can’t form a VPN Tunnel through the same SRC IP address, so it will try the IP addresses of the Interfaces. The routing through the MPLS allows the MX devices to communicate using these Private IP addresses, and the tunnel is dynamically established.

Failover to Secondary ISP when MPLS Circuit is Not Available

If the MPLS goes down, the Branch MX will know that it lost connection to the Cloud and will fail over to its backup ISP connection. Once the MX is communicating with the Cloud again, the registry entry is updated.

Below is an example of the VPN Registry now that the Branch is communicating to the Cloud from a different public IP address.

The MX Concentrator will now establish the VPN to the Public IP address of the Branch MX.
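The registry behaviour described in the two sections above, as a simplified model in Python. This is an added example, not Meraki code: the class and function names are hypothetical, and the Branch MX's post-failover address 198.51.100.23 is a constructed value that the article does not give.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class RegistryEntry:
    """Hypothetical record of what the Dashboard stores for one MX."""
    name: str
    public_ip: str     # SRC IP the Dashboard sees on the MX's check-in traffic
    interface_ip: str  # IP configured on the MX uplink interface


def tunnel_endpoints(a, b):
    """Return (mode, address for a, address for b) for a tunnel between a and b.

    Simplified model: two peers seen behind the same SRC IP cannot build a
    tunnel through it, so their interface IPs are used instead.
    """
    if ip_address(a.public_ip) == ip_address(b.public_ip):
        return ("interface", a.interface_ip, b.interface_ip)
    return ("public", a.public_ip, b.public_ip)


def check_in(registry, entry):
    """Return a copy of the registry with entry replacing any older record."""
    updated = dict(registry)
    updated[entry.name] = entry
    return updated


# Addresses from the article while the MPLS circuit is up.
HQ = RegistryEntry("HQ MX", "230.45.122.56", "10.0.5.254")
BRANCH_MPLS = RegistryEntry("Branch MX", "230.45.122.56", "192.168.1.2")
# Constructed value: the article does not give the branch's backup ISP address.
BRANCH_ISP = RegistryEntry("Branch MX", "198.51.100.23", "198.51.100.23")


def failover_demo():
    """Tunnel endpoints before and after the branch fails over to its ISP."""
    registry = check_in(check_in({}, HQ), BRANCH_MPLS)
    before = tunnel_endpoints(registry["HQ MX"], registry["Branch MX"])
    registry = check_in(registry, BRANCH_ISP)
    after = tunnel_endpoints(registry["HQ MX"], registry["Branch MX"])
    return before, after


if __name__ == "__main__":
    for label, result in zip(("MPLS up", "MPLS down"), failover_demo()):
        print(label, result)
```

In this model, a change of mode from "interface" to "public" marks the point at which site-to-site traffic stops using the MPLS circuit and crosses the Internet inside the tunnel, which makes it a useful event to log.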

Flow Preferences

Some users prefer to send Internet bound traffic out the secondary Internet connection at the branch location. You can add Flow Preferences under Security & SD-WAN > Configure > SD-WAN & traffic shaping. The MX will route the traffic according to the most specific route. Since the VPN routes are more specific than the route of 0.0.0.0/0, the VPN traffic will go out the VPN Interface.

Below is a screenshot of Flow preferences that facilitate the desired traffic flow:

MX Site-to-site VPN allows remote sites to dynamically fail over to back up Internet Connections when an MPLS connection becomes unavailable. This can happen automatically since the MX harnesses the information that the Cloud knows about the devices.

Additional Resources

For a configuration that allows an existing MPLS link to fail over to a site-to-site VPN connection, please refer to our documentation on MPLS failover to site-to-site VPN.


VPN Troubleshooting

Cisco SDM can troubleshoot VPN connections that you have configured. Cisco SDM reports the success or failure of the connection tests, and when tests have failed, recommends actions that you can take to correct connection problems.

The following link provides information on VPN troubleshooting using the CLI.

VPN Troubleshooting

This window appears when you are troubleshooting a site-to-site VPN, a GRE over IPsec tunnel, an Easy VPN remote connection, or an Easy VPN server connection.

Note: VPN Troubleshooting will not troubleshoot more than two peers for site-to-site VPN, GRE over IPsec, or Easy VPN client connections.

Tunnel Details

This box provides the VPN tunnel details.

Interface

Interface to which the VPN tunnel is configured.

Peer

The IP address or host name of the devices at the other end of the VPN connection.

Summary

Click this button if you want to view the summarized troubleshooting information.

Details

Click this button if you want to view the detailed troubleshooting information.

Activity

This column displays the troubleshooting activities.

Status

Displays the status of each troubleshooting activity by the following icons and text alerts:

The connection is up.

The connection is down.

Test is successful.

Test failed.


Failure Reason(s)

This box provides the possible reason(s) for the VPN tunnel failure.

Recommended action(s)

This box provides a possible action/solution to rectify the problem.

Close Button

Click this button to close the window.

Test Specific Client Button

This button is enabled if you are testing connections for an Easy VPN server configured on the router. Click this button and specify the client to which you want to test connectivity.

This button is disabled in the following circumstances:

• The Basic testing is not done or has not completed successfully.

• The IOS image does not support the required debugging commands.

• The view used to launch Cisco SDM does not have root privileges.

What Do You Want to Do?

To troubleshoot the VPN connection: Click the Start button. While a test is running, the Start button label changes to Stop, and you can abort the troubleshooting while the test is in progress.

To save the test report: Click the Save Report button to save the test report in HTML format. This button is disabled while a test is in progress.


VPN Troubleshooting: Specify Easy VPN Client

This window allows you to specify the Easy VPN client which you want to debug.

IP Address

Enter the IP address of the Easy VPN client you want to debug.

Listen for request for X minutes

Enter how long the Easy VPN Server should listen for requests from the Easy VPN client.

Continue Button

After selecting the traffic generation type you want, click this button to continue testing.

Close Button

Click this button to close the window.

VPN Troubleshooting: Generate Traffic

This window allows you to generate site-to-site VPN or Easy VPN traffic for debugging. You can allow Cisco SDM to generate VPN traffic or you can generate VPN traffic yourself.

VPN traffic on this connection is defined as

This area lists current VPN traffic on the interface.

Action

This column denotes whether the type of traffic is allowed in the interface.

Source

Source IP address.

Destination

Destination IP address.

Service

This column lists the type of traffic on the interface.

Log

This column indicates whether logging is enabled for this traffic.

Attributes

Any additional attributes defined.

Have SDM generate VPN Traffic

Select this option if you want Cisco SDM to generate VPN traffic on the interface for debugging.

Note: Cisco SDM will not generate VPN traffic when the VPN tunnel traffic is from a non-IP-based Access Control List (ACL) or when the applied and current CLI View is not the root view.

Enter the IP address of a host in the source network

Enter the host IP address in the source network.

Enter the IP address of a host in the destination network

Enter the host IP address in the destination network.

I will generate VPN traffic from the source network

Select this option if you want to generate VPN traffic from the source network.

Wait interval time

Enter the amount of time in seconds that the Easy VPN Server is to wait for you to generate source traffic. Be sure to give yourself enough time to switch to other systems to generate traffic.

Continue Button

After selecting the traffic generation type you want, click this button to continue testing.

Close Button

Click this button to close the window.

VPN Troubleshooting: Generate GRE Traffic

This screen appears if you are generating GRE over IPsec traffic.

Have SDM generate VPN Traffic

Select this option if you want Cisco SDM to generate VPN traffic on the interface for debugging.

Enter the remote tunnel IP address

Enter the IP address of the remote GRE tunnel. Do not use the address of the remote interface.

I will generate VPN traffic from the source network

Select this option if you want to generate VPN traffic from the source network.

Wait interval time

Enter the amount of time in seconds that the Easy VPN Server is to wait for you to generate source traffic. Be sure to give yourself enough time to switch to other systems to generate traffic.

Continue Button

After selecting the traffic generation type you want, click this button to continue testing.

Close Button

Click this button to close the window.

Cisco SDM Warning: SDM will enable router debugs...

This window appears when Cisco SDM is ready to begin advanced troubleshooting. Advanced troubleshooting involves delivering debug commands to the router, waiting for results to report, and then removing the debug commands so that router performance is not further affected.

This message is displayed because this process can take several minutes and may affect router performance.