Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

HPP
Comes here often

Does Meraki register to cloud as well as Auto VPN through LAN Port after NATTed with Public IP

Hi All, I have Meraki MX 84 device with firmware version 14.39. I want to deploy in a small remote network where two separate ISP terminated at the edge firewall. So, I would like to know if I use LAN port instead of WAN or Internet port to register with the cloud as well Auto VPN feature will work. If I hide behind the two different ISP public IP address at edge firewall. Secondly, we also want to test failover means one ISP connection down at the edge firewall still it connects to the cloud as well as Auto VPN with Second ISP public IP as we have NAT with two ISP public IP address.
16 REPLIES 16
MarcP
Kind of a big deal

Cloud connection, as well as the AutoVPN should work, even if one of the connections goes down.

 

The public IP does not matter for these connections.

 

Your NATted IP´s shouldn´t be available anymore if the affected Public IP wents down.

PhilipDAth
Kind of a big deal
Kind of a big deal

No.  The Meraki MX talks to the cloud via its WAN ports.

HPP
Comes here often

@PhilipDAth 

What is the reason behind to connect WAN Port necessary even private IP address allocated to the WAN port?

we have a kind of requirement that we require to connect meraki device WAN port to cascading switches and Layer 3 next hop is Edge firewall.  Have you tried to register and AutoVPN through LAN Port?

 

https://community.meraki.com/t5/forums/v4/forumtopicpage.kudosbuttonv2.kudoentity:kudoentity/kudosab...

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

What are you getting to get the MX to do? 

HPP
Comes here often

@PhilipDAth 

 

I want to register Meraki 84 with the cloud through LAN port. Also same LAN port will be using for AutoVPN.

So would like to know whether it is possible through LAN port instead of WAN port as we are doing NAT at Edge Firewall. 

Josper
Here to help

As @PhilipDAth told you, MX uses it's wan interface for cloud communication.

Even though you redirect all traffic, wan interface are going to be needed.

HPP
Comes here often

@ Josper, Ok, but we could not place two WAN ports in the same subnet on standalone Meraki device. we want to attach the WAN side ports to Cascading switches ( daisy chain).

HPP
Comes here often

Please find below diagram for more reference where I want to use LAN 1 and 2 physical port for LAN segment and LAN 3 and 4 Physical port for an outside segment. The Meraki deployment would be NAT mode as we could not use WAN 1 and WAN2 Port in the Same Subnet. So would like to know the LAN ports can be used for Auto VPN.

 

 

 Pune-SI-Meraki.jpg

GreenMan
Meraki Employee
Meraki Employee

Why can't you just use your two WAN ports on the MX, to link to the VLAN or VLANs which are Internet-facing, on the upstream switches?   Both of these WAN ports can be in the same subnet, if they really need to be - I have had this working on my MX, as shown below.Dual uplink, same subnet.png

HPP
Comes here often

@GreenMan  Thanks for the reply, as you see in the diagram shared earlier in the post the Meraki box is using WAN1 connection as it passes through Active firewall where two ISP terminated on each firewall. So we did NAT the private IP address of WAN 1 Meraki IP address with both ISP public IP address dynamically. Secondly, configure the ISP failover condition at the firewall level. But Problem is Meraki registered with a dashboard via primary ISP public IP address. Once failover to secondary ISP it could not register with Secondary ISP IP address as cloud dashboard still trying to trace Primary ISP  public IP address. Even, Dynamic DNS  disabled on the Meraki box as well.

 

Kindly let me know the reason why Meraki could not register with Secondary ISP Public IP address immediately when Primary ISP down at Perimeter level.

 

GreenMan
Meraki Employee
Meraki Employee

OK - it would probably have helped if you included some information on your diagram, as to how VLANs are being used on the switches, to interconnect different components and ports (I'm still not sure why you have MX LAN ports linking to the upstream switches), but I think I understand your latest question:   basically the upstream PA firewall is changing the public IP address which the MX would be using over WAN1, as part of its own failover mechanism. 

 

This should work ultimately, I imagine, provided you have appropriate rules in the upstream firewall to allow the comunications from the MX to Dashboard and other Meraki cloud resources, via each public IP, but it will take time - and might even require an MX reboot.   By default, even discovering that the upstream primary path isn't providing Internet connectivity will take five minutes:   https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

 

The MX then has to re-register with Dashboard, using the new public IP address.   How long did you leave it - and did you try rebooting the MX(s), as part of the diagnostics?

 

Basically - MX failover isn't designed to be based upon the MX having the public IP of a WAN port changed;  it's designed to make use of the fact that it has two ISP links, each with its own public IP (MX then checks in with Dashbord using both).

HPP
Comes here often

@GreenMan 

 

The upstream firewall allows connection on both ISP public IP address from WAN 1 Meraki connection. When the firewall failover to secondary ISP. Meraki could not able to register with secondary ISP public IP address even we allow time the Meraki box 10-15 minute to register.but it should be done quickly within 5 min as well as in AutoVPN case.

 

Also, we have not rebooted the box as a part of the troubleshooting step. Instead, we unplugged the cable of WAN 1 connection.

 

 

 

HPP
Comes here often

@GreenMan 

 

The upstream firewall allows connection on both ISP public IP address from WAN 1 Meraki connection. When the firewall failover to secondary ISP. Meraki could not able to register with secondary ISP public IP address even we allow time the Meraki box 10-15 minute to register.but it should be done quickly within 5 min as well as in AutoVPN case.

 

Also, we have not rebooted the box as a part of the troubleshooting step. Instead, we unplugged the cable of the WAN 1 connection.

 

 

 

GreenMan
Meraki Employee
Meraki Employee

Try rebooting the MX.  My guess is that what you're seeing would be expected behaviour.

Josper
Here to help

Sorry @HPP maybe I misunderstood you, but I don't see the need of the Lan interface for auto VPN in that topology.

Use the same vlan for communicating with isp routers (or define a new one just for meraki cloud control) on your Meraki wan interfaces and define your primary uplink preferences, sd wan policies, static routes.... 

 

Regards.

GIdenJoe
Kind of a big deal
Kind of a big deal

If the LAN subnets exist in front of the MX then a one-armed concentrator is probably what you are looking for.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels