Auto-VPN Failover Times w/ VIP and Without

TimBecker
Conversationalist

Auto-VPN Failover Times w/ VIP and Without

Hello there fellow Meraki Colleagues,

 

I am in the middle of an SD-WAN Deployment for a client. They will be installing two MX250's in HA. Their only use will be site-to-site branch communication via Auto-VPN/SD-WAN.

 

We recently learned that the client only has two public IP Addresses available for the HA Pair. I know this will still technically work, but using a 3rd VIP is certainly preferred for smoother failover. 

 

Does anyone have any experience with the speed of failover when you're using a VIP vs Not? Meraki documentation basically just says "it's faster"... but no real numbers or descriptive insights. Has anyone compared with and without? In this situation we there will be around 6 remote sites communicating over the Auto-VPN. I assume without the VIP those VPN Tunnels will get torn down upon failure, and have to be rebuilt with the other MX.

 

Anyone have any experience with this? Is it a pretty dramatic difference? 

 

Appreciate your input! 

Thanks.

3 REPLIES 3
UCcert
Kind of a big deal

Comment for visibility.

 

Weve always used 3 public IPs so interested to see what others experiences are.

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
cmr
Kind of a big deal
Kind of a big deal

Only used 3 at edge sites, but we have our central site as a pair in single arm mode with other firewalls at the edge which only need one WAN IP for HA.

 

VIP mode is essentially transparent to the user's when it fails over, even with multiple video streams going.  Excellent for us as we are 24/7 (normally) so firmware upgrades have to be done in live time as there is no such thing as a maintenance window.

PhilipDAth
Kind of a big deal

I frequently don't use VIP.

 

It depends on the type of failure, but it does not normally exceed 30s, and 10s is not uncommon.

 

Most of my deployments have dual ISP connections (a "business" grade circuit, and a cheap domestic circuit as a backup - often sitting behind an ISP router).  It may be that it uses the backup circuit to notify the VPN registry of the primary being down - I don't know.

I rarely use VPN concentrator mode, even when only used for VPNs.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels