Meraki Community

Honestly, I saw very small bumps on Appliance Status -> Uplink charts, but dismissed them at first. It's basically unseen on the loss chart; The blips/disruptions are so incredibly brief that they get averaged-out/flattened.

It wasn't until I fired & logged continuous pings at devices at affected sites over the course of a morning that I saw the issues outlined above. Took a bit longer than I care to admit to correlate the blips with the DHCPv6 renewals!

Love the details btw. 

Was the latency / loss only affecting WAN trafic ? S2S trafic ? inter-vlan trafic or all of the above ?

Inter-VLAN unaffected.

S2S & WAN traffic affected.

We use a Full-Tunnel AutoVPN / Hub-Spoke deployment so we only really have inter-VLAN traffic/S2S traffic in the mix here.

Wonder if the latest fix in 18.107.6 could fix your issues : 

• Fixed an issue that resulted in the AnyConnect VPN and IPSec client VPN services restarting when an MX appliance had a change to IPv6 uplink information, even when these services were not using or providing any IPv6 functionality.

Awesome (well not really...but glad it's not just me!).

For any Meraki folks that haunt the forums, I opened case # 09227999 about this back in February this year when we first bumped into the issue. At the time, I was told that it was expected behavior that the WAN interface 'reset' when the DHCP renewal was processed. We didn't have much chance to properly troubleshoot due to the VOIP complaints this was generating, and ended up just rolling the whole environment back to MX16.X where IPv6 is not supported at all.

I've re-opened this case, will follow-up on this thread if we discover anything.

Well if they say that it is expected that we get a spike a loss/latency during that process atleast give us the choice to turn ipv6 off... 😫

I've got a candidate site upgrading to 18.107.6 tonight to test this. Will follow-up in the morning.

Radio silence on my ticket thus far 😞

EDIT: I got impatient and upgraded my candidate site this evening before leaving, and can confirm that this issue persists in MX18.107.6.

bummer...

So my home network runs with 18.205 and I wasn't able to repro the issue. 

Either I'm lucky or this issue is not present with 18.205. I'm downgrading right now to 18.107.5 to test it out and then 18.107.6.  To be continued ... !

Not solved : 

They can't be serious... I'm really starting to hate the MX product line. Always has been and will always stay the weakest part of Meraki.

Hello Raphael,

Now that I have the packet captures here for me to review, there are some things I noticed that make this line up as expected behavior. I am going to be best to explain this below however if you have any additional questions please let me know.

As I said, this brief period of latency is expected behavior. There are two points to cover here; one is why this occurs every two hours, and the second is why this causes latency.

The reason for why this occurs every two hours; this is due to the upstream ISP telling us to renew DHCP every two hours. Please look at the T1 and T2 timers below:


The T1 timer is in seconds, which equals 2 hours. These timers are a part of the RFC for IPv6, and are values selected by the upstream DHCP server (the modem) that tells the downstream client (the MX) to extend the lifetime of their address before it fully expires by reaching out with a DHCPv6 Renewal.

Why this leads to the increased latency during this time, the above DHCPv6 Renewal means the MX must briefly refresh its interface to set this. This is the same as any other IP address changes on the MX upstream and is why we would recommend any changes be made after hours to not cause any disruptions (if these changes were to be made manually). This is where the problem comes into play.

Now for what we can do about this, there are a couple of options:

1. Ask the ISP to disable IPv6 upstream.
2. Have the ISP provide a static IPv6 address for the MX. Configuring this will remove the need to perform DHCPv6 renewals.
3. Work with the ISP to increase the lifetime values specified above. Ideally we would want these to be scheduled on a timer that falls outside of production hours however this will have to be worked out with them.

If you have any further questions about what is happening here, please let me know.

>Why this leads to the increased latency during this time, the above DHCPv6 Renewal means the MX must briefly refresh its interface to set this.

This is bad behaviour.  A refresh with no change other than to extend the timers should not cause any service disruption or impact.

A follow-up question (which you can ask support) - does this behaviour happen when using IPv4 DHCP - and if not (which it probably doesn't), why is DHCPv6 being handled differently by the MX.

Good question, needs testing which I'll try to get done in the next day or so. I ran this up the pole with our Meraki representatives to get their take; I fully agree that a no-change renewal should absolutely not cause any form of disruption and am angling this as a bug vs. expected behavior.

This is exactly what I'm testing at the moment. I have lowered my dhcpv4 to 30mins. I don't expect this behavior on ipv4 which again makes no sense on ipv6..

Looks like you got a near-copy paste of the answer they gave me back in May! That doesn't bode well...

I hope you are doing well, I've got answers from our Product Specialist team about our troubleshooting session and some suggested steps going forward.

Firstly I'd like to go into why DHCPv6 is renewing every 15 minutes on this service. Looking at the DHCPv6 Packets I mentioned during the call seeing the values for 30 and 60 minutes on the DNS options, however, on top of this the address lease the ISP is providing has the following values.

T1: 900

T2: 1350

The T1 and T2 values are set by the DHCP server and determine when the client (in this case the MX) will attempt to renew the lease at those timers. The following excerpt is taken from the RFC for DHCPv6 found at https://www.rfc-editor.org/rfc/rfc8415.html :

"The server selects the T1 and T2 values to allow the client to extend the lifetimes of any addresses in the IA_NA before the lifetimes expire, even if the server is unavailable for some short period of time. Recommended values for T1 and T2 are 0.5 and 0.8 times the shortest preferred lifetime of the addresses in the IA that the server is willing to extend, respectively."

As the preferred lifetime is 30 minutes setting the T1 timer at 15 minutes does match the RFC. It becomes simply a case that the lifetimes for the lease that have been set on the DHCPv6 server (ISP) are far too short causing frequent renewals and disruptions.

Moving onto the loss and latency, what we're seeing here is going to be expected behavior on an MX. When the MX successfully renews its DHCP lease it has to refresh the interface configuration. This is expected behavior for an MX and the main reason that we recommend any interface-related changes are made outside of production hours.

-------- In summarization; the MX is renewing its DHCPv6 lease every 15 minutes due to the short lease lifetimes that have been set by the ISPs DHCPv6 server. When the MX is renewing the lease successfully it refreshes the interface as expected which causes temporary loss/latency.

How we can move this forward to reduce impact:

1. Disabling IPv6 would be the easiest option but if the ISP is unable to disable IPv6 this is not viable. Additionally, you are already aware Meraki does not have the option to disable IPv6 on WAN interfaces putting this option in a lock unless it can be readdressed with the ISP.

2. As we discussed the next option would be to have the ISP provide a static IPv6 address which can then be configured in Dashboard - this removes the DHCP lease timers completely

3. Have the ISP increase the lifetimes that the DHCPv6 server is setting - this would need to be negotiated with the ISP but ideally, you would aim to set them to occur outside of business hours.

Lowered dhcpv4 leases to 30mins. Captured 3 DHCP renew, no latency / loss observed. 

Why is this different from ipv4 and ipv6 ? Doesn't make any sense at all...

I haven't tried 18.205, but can give it a shot at my test site this evening and respond back.

I did run this up the totem pole with our Meraki product reps, who are escalating with the MX product team. I should hear from support in the next day or two about gathering some data to hopefully help address the problem at some point in the future (assuming it's not already fixed in 18.205).

This does appear to be resolved in 18.205!