Auto VPN Failover Interface Problem!!

network34
Comes here often

Hi everybody,

We have two sites: one is the HUB and the other is a branch for a customer PoC. The hub is behind a Checkpoint firewall; the branch has two WAN interfaces and both are PPPoE connections, so the ISP modems are working in bridge mode.

The hub-side MX is behind the Checkpoint firewall and works in concentrator mode, and we use manual port forwarding for Auto VPN. We have an incoming NAT rule at the Checkpoint firewall for traffic from the internet to the LAN IP address of the HUB MX (only UDP port 19350, which is the port we set in the manual port forwarding section of the hub MX VPN settings). The hub MX LAN port (it has a single port) uses another real IP and is NATted at the Checkpoint firewall when it tries to connect to the internet.

At the branch site we have only one MX and two WAN interfaces. WAN1 and WAN2 are working over PPPoE, so we have two ISP modems and they are working in bridge mode. The real IP terminates on the MX for both WAN interfaces.

Normally everything works fine. But when we unplug the WAN1 interface of the branch MX and then plug it back in after less than 5 minutes (for example 10 seconds or 2 minutes), the VPN connection for this interface doesn't come up again. The WAN1 interface gets its real IP and internet traffic works fine on this interface. We wait 10, 20 or 30 minutes, but the VPN doesn't come up for this interface. If we restart the branch MX or disable/enable the branch MX WAN1 port, the branch WAN1 VPN connection to the HUB comes up again. But if we plug this interface back in after 5 minutes, the VPN comes up immediately, no problem.

If we change the branch MX WAN1 interface type to NAT mode, the test works fine, no problem. We have a TAC case and they got some packet captures, but they couldn't solve this problem quickly.

I want to ask you: when we take a packet capture at the branch site, the WAN1 interface tries to communicate with the HUB's local IP address, and the HUB is trying to communicate with the branch WAN1 public IP address via its local IP address. Is this normal? And do you have any idea about this problem? Do you think PPPoE may cause the problem? We have an internet and NAT policy (to communicate with the internet), and an outside-to-inside NAT rule and port forwarding for the HUB device (we set this IP address and port number in the VPN settings manual port forwarding section) at the HUB CP firewall. But as I said before, it is a different IP address from the one the hub device uses when it tries to communicate with the internet.

I am trying to identify our problem; could you please help us? This is a PoC issue, and if we can't solve this problem we will lose this project :( I attached a jpeg file (meraki_auto_vpn.jpg) which explains our topology with random IP addresses.


3 Replies
alemabrahao
Kind of a big deal

My suggestion is to perform a packet capture on the Checkpoint and review the firewall rules.

Any chance to configure the WAN interface with a public IP?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
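The reply above suggests capturing on the Checkpoint and checking the rules. As an added example (not code from the thread, Meraki or Check Point), the following script reads a tcpdump-style text capture taken on the hub MX LAN segment and reports which endpoint the branch is sending from and which endpoint the hub is replying to on the Auto VPN port. UDP port 19350 comes from the thread; the hub MX LAN address, the branch public addresses and the capture lines are constructed placeholders. The check it performs, flagging hub replies that go to a branch address that is no longer the one the branch is currently sending from, is one concrete way to confirm or rule out a stale-endpoint explanation for the behaviour described in the original post.

```python
"""Check which endpoints each side of an Auto VPN tunnel addresses.

Hypothetical diagnostic, not Meraki or Check Point code. It parses
`tcpdump -n` text lines and looks only at UDP traffic on the port the
hub MX has port-forwarded for Auto VPN.
"""
import re
from collections import OrderedDict

VPN_UDP_PORT = 19350          # port the thread says is forwarded to the hub MX
HUB_MX_LAN_IP = "10.10.10.2"  # constructed placeholder for the hub MX LAN IP

# Matches lines such as (constructed format, as printed by `tcpdump -n`):
# 12:00:01.000100 IP 198.51.100.10.19350 > 10.10.10.2.19350: UDP, length 120
TCPDUMP_UDP = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)

# Constructed capture: the branch first arrives from 198.51.100.10, then
# reconnects from a new address 198.51.100.11, but the hub keeps replying
# to the old one. The last line is unrelated DNS traffic and must be ignored.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 198.51.100.10.19350 > 10.10.10.2.19350: UDP, length 120
12:00:01.000900 IP 10.10.10.2.19350 > 198.51.100.10.19350: UDP, length 120
12:05:30.000100 IP 198.51.100.11.19350 > 10.10.10.2.19350: UDP, length 120
12:05:30.000900 IP 10.10.10.2.19350 > 198.51.100.10.19350: UDP, length 120
12:05:31.000100 IP 10.10.10.2.53 > 203.0.113.5.53: UDP, length 60
""".splitlines()


def parse_udp(lines):
    """Yield (ts, src, sport, dst, dport) for every line that matches."""
    for line in lines:
        m = TCPDUMP_UDP.match(line.strip())
        if m:
            yield (m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def analyze_vpn_flows(lines, hub_ip=HUB_MX_LAN_IP, port=VPN_UDP_PORT):
    """Track branch source endpoints and hub destination endpoints.

    On the hub MX LAN segment (inside the Checkpoint DNAT) a healthy tunnel
    shows inbound  <branch public ip>.<port> -> <hub_ip>.<port>
    and   outbound <hub_ip>.<port> -> <branch public ip>.<port>.
    A hub reply addressed to an endpoint other than the branch's most
    recent source is recorded as a stale reply.
    """
    branch_seen = OrderedDict()  # (ip, port) -> last time seen as source
    hub_sent_to = OrderedDict()  # (ip, port) -> last time hub sent to it
    stale = []                   # (ts, endpoint hub used, current branch endpoint)
    for ts, src, sport, dst, dport in parse_udp(lines):
        if dst == hub_ip and dport == port:
            branch_seen[(src, sport)] = ts
            branch_seen.move_to_end((src, sport))
        elif src == hub_ip and sport == port:
            hub_sent_to[(dst, dport)] = ts
            if branch_seen:
                current = next(reversed(branch_seen))
                if (dst, dport) != current:
                    stale.append((ts, (dst, dport), current))
    return {
        "branch_endpoints": list(branch_seen),
        "hub_targets": list(hub_sent_to),
        "stale_replies": stale,
    }


def report(result):
    """Render the analysis as plain text lines."""
    out = ["branch sent from: " + ", ".join(f"{ip}:{p}" for ip, p in result["branch_endpoints"]),
           "hub replied to:   " + ", ".join(f"{ip}:{p}" for ip, p in result["hub_targets"])]
    for ts, used, current in result["stale_replies"]:
        out.append(f"{ts} hub sent to {used[0]}:{used[1]} but branch now comes from "
                   f"{current[0]}:{current[1]}")
    return out


if __name__ == "__main__":
    print("\n".join(report(analyze_vpn_flows(SAMPLE_CAPTURE))))
```

Run it against a real capture by replacing SAMPLE_CAPTURE with the lines of `tcpdump -n udp port 19350` taken on the hub MX LAN side; if the capture is taken outside the Checkpoint instead, pass the hub's public address as `hub_ip`, since the DNAT has not yet rewritten the destination there.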
network34
Comes here often

I think I found someone with the same problem; the link is below. The problem is caused by PPPoE.

https://arstechnica.com/civis/threads/meraki-mx-auto-vpn-with-pppoe-internet-service-and-session-id-...

Yes, I saw this link after creating this thread :(
