MX85 to other brand firewall - VPN does not sustain with failover to backup Verizon 5G backup ISP

MarcW
Comes here often

I tried to make the subject all the key details. I have a successful MX85 to TZ VPN connection on my primary ISP. The HA failover VPN works because I set up a VIP for the redundant MX85s.

However, when I fail-test the ISP, the internet is accessible, but the tunnels never re-establish over the VPN. I have the 2nd IPsec on the other end set to what becomes the new public IP on the MX85 backup. I waited a good 10-15 minutes to see if the tunnel would ever reconnect. No joy.

I am sure there is some fundamental step I am missing, but it eludes me.  Reading is fundamental, but apparently firewalls are not. 

alemabrahao
Kind of a big deal

Did you do a packet capture to see if you are actually trying to establish the tunnel with the VIP's IP?

I've seen cases where MX tried to use the interface IP instead of the VIP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

ww
Kind of a big deal

Is 5G a separate router connected to MX WAN2, or is it integrated into one combined ISP router?

Is there any NAT/CGNAT on the 5G router?

PhilipDAth
Kind of a big deal

I'm guessing the remote party has a static IP address configured as their peer address for you.

I'm guessing your 5G connection has a dynamic IP address?

If the above is right - can you see why this will never work?
