Auto VPN over MPLS and loss of Internet

SOLVED
benny
Getting noticed


Hi All,

 

Quick question that came to mind overnight.

 

In a hub and spoke environment where the spokes are only hanging off an MPLS link back to the data centre with no internet and rely on accessing Meraki cloud via the hub's (data centre's) internet, what happens if the hub's internet was to fail and go down?

 

Would the AutoVPN stay up considering the hub and spokes are still connected via the private MPLS addressing? 

 

Is there any timeout whereby the hub and/or the spokes would eventually tear down the AutoVPN due to loss of communication to the cloud?

 

Thanks!

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

The existing VPNs would continue to work until the IPSec SA timers expire.  I believe that timer is 8 hours, so on a 50% average, you should expect things to keep working for 4 hours (some sites will drop off sooner, others will stay up longer).

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/IPsec_VPN_Lifetimes

 

New VPNs would not be able to be formed, because the VPN registry would not be contactable.

 

A good reason for 4G backup huh?


3 REPLIES 3

Hi Philip,

 

Interesting idea, I might look into dual carrier diversity rather than 4G for the data centre. 

 

It sounds like Meraki are doing work around the MPLS situations and may have some nice features to accommodate. 

 

Thanks!

PhilipDAth
Kind of a big deal

A common solution I use in a DC is a premium internet circuit and a cheap "domestic" circuit, with the plan to never use the domestic circuit except in an emergency.

 

 
