Cloud connection, as well as AutoVPN, should work even if one of the connections goes down.
The public IP does not matter for these connections.
Your NATted IPs shouldn't be available anymore if the affected public IP goes down.
No. The Meraki MX talks to the cloud via its WAN ports.
What is the reason it is necessary to connect the WAN port, even when a private IP address is allocated to the WAN port?
We have a requirement to connect the Meraki device's WAN port to cascading switches, where the Layer 3 next hop is the edge firewall. Have you tried to register and run AutoVPN through a LAN port?
What are you trying to get the MX to do?
I want to register the Meraki 84 with the cloud through a LAN port. The same LAN port will also be used for AutoVPN.
So I would like to know whether it is possible through a LAN port instead of the WAN port, as we are doing NAT at the edge firewall.
As @PhilipDAth told you, the MX uses its WAN interface for cloud communication.
Even if you redirect all traffic, the WAN interface is going to be needed.
@Josper, OK, but we could not place two WAN ports in the same subnet on a standalone Meraki device. We want to attach the WAN-side ports to cascading switches (daisy chain).
Please see the diagram below for reference, where I want to use physical LAN ports 1 and 2 for the LAN segment and physical LAN ports 3 and 4 for an outside segment. The Meraki deployment would be in NAT mode, as we could not use the WAN 1 and WAN 2 ports in the same subnet. So I would like to know whether the LAN ports can be used for AutoVPN.
Why can't you just use your two WAN ports on the MX to link to the VLAN or VLANs which are Internet-facing on the upstream switches? Both of these WAN ports can be in the same subnet, if they really need to be - I have had this working on my MX, as shown below.
@GreenMan Thanks for the reply. As you can see in the diagram shared earlier in the post, the Meraki box is using the WAN 1 connection, which passes through the active firewall, where two ISPs are terminated, one on each firewall. So we NAT the private IP address of the Meraki WAN 1 interface to both ISP public IP addresses dynamically. Secondly, the ISP failover condition is configured at the firewall level. But the problem is that the Meraki registered with the dashboard via the primary ISP public IP address. Once failed over to the secondary ISP, it could not register with the secondary ISP IP address, as the cloud dashboard is still trying to trace the primary ISP public IP address. Dynamic DNS is disabled on the Meraki box as well.
Kindly let me know the reason why the Meraki could not register with the secondary ISP public IP address immediately when the primary ISP went down at the perimeter level.
OK - it would probably have helped if you had included some information on your diagram as to how VLANs are being used on the switches to interconnect the different components and ports (I'm still not sure why you have MX LAN ports linking to the upstream switches), but I think I understand your latest question: basically the upstream PA firewall is changing the public IP address which the MX would be using over WAN1, as part of its own failover mechanism.
This should work ultimately, I imagine, provided you have appropriate rules in the upstream firewall to allow the communications from the MX to Dashboard and other Meraki cloud resources via each public IP, but it will take time - and might even require an MX reboot. By default, even discovering that the upstream primary path isn't providing Internet connectivity will take five minutes: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...
The MX then has to re-register with Dashboard, using the new public IP address. How long did you leave it - and did you try rebooting the MX(s), as part of the diagnostics?
Basically - MX failover isn't designed to be based upon the MX having the public IP of a WAN port changed; it's designed to make use of the fact that it has two ISP links, each with its own public IP (the MX then checks in with Dashboard using both).
The upstream firewall allows connections on both ISP public IP addresses from the Meraki WAN 1 connection. When the firewall fails over to the secondary ISP, the Meraki is not able to register with the secondary ISP public IP address, even when we allow the Meraki box 10-15 minutes to register. But it should be done quickly, within 5 minutes, as well as in the AutoVPN case.
Also, we have not rebooted the box as part of the troubleshooting steps. Instead, we unplugged the cable of the WAN 1 connection.
Try rebooting the MX. My guess is that what you're seeing would be expected behaviour.
Sorry @HPP, maybe I misunderstood you, but I don't see the need for the LAN interface for AutoVPN in that topology.
Use the same VLAN for communicating with the ISP routers (or define a new one just for Meraki cloud control) on your Meraki WAN interfaces, and define your primary uplink preferences, SD-WAN policies, static routes....
Regards.