3rd party VPN and cellular failover

brad1028
Here to help

3rd party VPN and cellular failover

We have a mix of MX67C, and Z3C, and a primary VPN built to a Juniper SSG Firewall.  We are looking to enable the celluar failover.  Is the celluar IP reachable to maintain two VPN tunnels and failover the routing to celluar when the primary fails?

6 REPLIES 6
NolanHerring
Kind of a big deal

The entire purpose of the cellular is for fail-over
It is my understanding though that the tunnel will only become active over the cellular once the primary goes down, by design to minimize bandwidth utilization on the cellular since those are usually pay-by-the-byte service.
Nolan Herring | nolanwifi.com
TwitterLinkedIn

So to set up and test I will have to pull the primary WAN and set it up over the failover.  On the Meraki side the profile would not change, it is the peer (Juniper) that will have two profiles, one to the Meraki Primary WAN and one to the LTE IP address.

 

 

Oh I think I mis-read the initial thread. I thought we were talking AutoVPN with Meraki devices (in which case its all automatic), and I sort of skimmed over the whole Juniper part lol.

I'll let one of the other guys on here with more know-how to respond lol >.<
Nolan Herring | nolanwifi.com
TwitterLinkedIn
cwf
Getting noticed

If you are configuring the Juniper using an IP address you will need to obtain a static IP for your cellular device.

PhilipDAth
Kind of a big deal
Kind of a big deal

This is likely to be nasty because the Juniper could see the VPN come in from different peer IP addresses.  My guess is you wont get this working.

 

You'll need to be able to configure the Juniper to terminate the VPN based on the subnets presented, the PSK, or something else that uniquely identifes the sites.

 

 

Assuming you can't replace the Juniper could you perhaps put a Meraki MX behind the Juniper and run it in VPN concentrator mode?  Then you could use AutoVPN, and the Juniper would only need a route on it to get to the remote Meraki sites.

So much simpler and handles all the complex failover cases without any creatig any complexity.

 

 


@PhilipDAth wrote:

 

 

Assuming you can't replace the Juniper could you perhaps put a Meraki MX behind the Juniper and run it in VPN concentrator mode?  Then you could use AutoVPN, and the Juniper would only need a route on it to get to the remote Meraki sites.

So much simpler and handles all the complex failover cases without any creatig any complexity.

 

 


^^^^ This sort of approach works extremely well, in my experience.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels