Meraki

Community

Accessing a modem on a failed WAN port in a dual WAN scenario

Solved
JimTolson
Conversationalist
‎Sep 1 2021 6:47 AM
‎Sep 1 2021 6:47 AM

Accessing a modem on a failed WAN port in a dual WAN scenario

We have several MX firewalls setup with 2 4G WAN routers.
If like in the screenshot below, WAN 1 looses internet and the port goes into a failed state, the MX fails over to WAN 2 as it should, but fails to route traffic to 10.1.1.2 out WAN 1, it sends it out WAN 2. I feel the WAN 1 and WAN 2 subnets should be present in the routing table and still apply even if a WAN port goes into a failed state.
Does anyone have a workaround for the bellow situation, as we are using SD WAN we can still remote control PC's on site, and can get to the web interface of WAN 2's 10.1.2.1. but packet captures on WAN 1 and WAN 2 show attempts to connect to 10.1.1.2 are going out WAN port 2, which doesn't make sense.

JimTolson_0-1630503704287.png

 

0 Kudos
1 Accepted Solution
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 1 2021 10:18 AM
‎Sep 1 2021 10:18 AM

This is one of the strange behaviours of the MX. I have never seen any documentation on this, but based on observations I would describe it in the following way (to compare it to classical IOS routers):

  • WAN1 has its own VRF with only a default route and it's own SLA-config to check internet-reachability
  • WAN2 has its own VRF, similar to WAN1.
  • All internal VLANs, static routes and also learned VPN-routes share a common VRF
  • Based on the reachability-checks and the flow-preferences there is some route-leakage and inter-VRF NAT to direct the traffic to WAN1 or WAN2

Something like this could be the reason that the directly connected networks are not always reachable.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

2 Replies 2
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 1 2021 10:18 AM
‎Sep 1 2021 10:18 AM

This is one of the strange behaviours of the MX. I have never seen any documentation on this, but based on observations I would describe it in the following way (to compare it to classical IOS routers):

  • WAN1 has its own VRF with only a default route and it's own SLA-config to check internet-reachability
  • WAN2 has its own VRF, similar to WAN1.
  • All internal VLANs, static routes and also learned VPN-routes share a common VRF
  • Based on the reachability-checks and the flow-preferences there is some route-leakage and inter-VRF NAT to direct the traffic to WAN1 or WAN2

Something like this could be the reason that the directly connected networks are not always reachable.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
JimTolson
Conversationalist
‎Sep 4 2021 2:46 AM
‎Sep 4 2021 2:46 AM

I'll accept this as the answer for now, at the very least it's nice to know someone else is seeing the same behaviour.
For anyone else that ends up on this thread, I also tried adding a flow preference, but at the end of the day its just a preference, it's overridden by the failover also, maybe a "forced" tick box would be nice on the flow preference rows. 

JimTolson_0-1630748649743.png

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.