Meraki

Community

3rd party VPN and cellular failover

brad1028
Here to help
‎Nov 27 2019 7:20 AM
‎Nov 27 2019 7:20 AM

3rd party VPN and cellular failover

We have a mix of MX67C, and Z3C, and a primary VPN built to a Juniper SSG Firewall.  We are looking to enable the celluar failover.  Is the celluar IP reachable to maintain two VPN tunnels and failover the routing to celluar when the primary fails?

0 Kudos
6 Replies 6
NolanHerring
Kind of a big deal
‎Nov 27 2019 7:25 AM
‎Nov 27 2019 7:25 AM

The entire purpose of the cellular is for fail-over
It is my understanding though that the tunnel will only become active over the cellular once the primary goes down, by design to minimize bandwidth utilization on the cellular since those are usually pay-by-the-byte service.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
brad1028
Here to help
‎Nov 27 2019 10:18 AM
‎Nov 27 2019 10:18 AM

So to set up and test I will have to pull the primary WAN and set it up over the failover.  On the Meraki side the profile would not change, it is the peer (Juniper) that will have two profiles, one to the Meraki Primary WAN and one to the LTE IP address.

 

 

0 Kudos
In response to brad1028
NolanHerring
Kind of a big deal
‎Nov 27 2019 12:03 PM
‎Nov 27 2019 12:03 PM

Oh I think I mis-read the initial thread. I thought we were talking AutoVPN with Meraki devices (in which case its all automatic), and I sort of skimmed over the whole Juniper part lol.

I'll let one of the other guys on here with more know-how to respond lol >.<
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to brad1028
cwf
Getting noticed
‎Nov 27 2019 12:14 PM
‎Nov 27 2019 12:14 PM

If you are configuring the Juniper using an IP address you will need to obtain a static IP for your cellular device.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 28 2019 12:28 AM
‎Nov 28 2019 12:28 AM

This is likely to be nasty because the Juniper could see the VPN come in from different peer IP addresses.  My guess is you wont get this working.

 

You'll need to be able to configure the Juniper to terminate the VPN based on the subnets presented, the PSK, or something else that uniquely identifes the sites.

 

 

Assuming you can't replace the Juniper could you perhaps put a Meraki MX behind the Juniper and run it in VPN concentrator mode?  Then you could use AutoVPN, and the Juniper would only need a route on it to get to the remote Meraki sites.

So much simpler and handles all the complex failover cases without any creatig any complexity.

 

 

0 Kudos
In response to PhilipDAth
Uberseehandel
Kind of a big deal
‎Nov 28 2019 12:51 AM
‎Nov 28 2019 12:51 AM

@PhilipDAth wrote:

 

 

Assuming you can't replace the Juniper could you perhaps put a Meraki MX behind the Juniper and run it in VPN concentrator mode?  Then you could use AutoVPN, and the Juniper would only need a route on it to get to the remote Meraki sites.

So much simpler and handles all the complex failover cases without any creatig any complexity.

 

 

^^^^ This sort of approach works extremely well, in my experience.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.