Email alerts for VPN Connectivity Changed - need to know which WAN port

Brian_Scheele

Many of our offices use Comcast copper for primary Internet connectivity and use their Connection Pro, which is a cellular backup modem.  WAN1 from the MX plugs into the copper modem, WAN2 into the cellular backup.  We do not have connectivity between the two modems, otherwise we would have no visibility to failover events.

 

One of our sites barely has a strong enough 4G signal - about 10 Mbps with low jitter, but connectivity apparently drops several times per day, long enough to cause the site-to-site VPN connection to go down.

 

It would be nice if Meraki could at least include the public IP addresses involved in the connection, or the WAN port, or both, so that Outlook inbox rules can be created to ignore some of these alerts.  I only care if the connection goes down if it happens while I am in a failover.

 

I could for this one particular network just not use WAN2 and have the copper modem connected to the cellular modem like Comcast suggests.  The only way we would know of a failover event is if someone at the remote office complains about bandwidth or maybe there is another alert about a site-to-site route change.

 

Or, if someone has a better idea, I would be open to some suggestions.  I doubt there is some magic setting that just keeps the tunnel open when a connection is down for several minutes.  DNS has to happen across the tunnel, so even if I could turn off the VPN for WAN2, it would not be too helpful.

 

1 Accepted Solution
Brian_Scheele

I ended up taking WAN2 offline on the MX84 at the site.  The alerts were coming from both sides of the site to site VPN connection - office and both datacenters.  Turning off alerts at the office to instead use 3rd party software would not solve receiving alerts from the datacenters, unless we also went third-party with those, too.

 

The ideal solution would be for Meraki to provide some granularity in the details provided in the reports.

 

Instead, the path from inside to the Internet is:
MX84 Port 1 > Comcast Modem < > Cradlepoint Modem (cellular)

 

Thanks everyone for the suggestions!  Zabbix will probably be something we end up using, but we can decide later if it also makes sense as a solution that includes WAN2 plugged into the Cradlepoint.


10 Replies
alemabrahao

Why don't you monitor the WAN ports instead of the VPN connection?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao

Oh, I know that the dashboard doesn't send WAN2 alerts but you can monitor it with a third-party tool like Zabbix.

Brian_Scheele

I would have to turn off my alerts to use something 3rd party to alert for WAN1 and VPN connectivity.  That probably would not be the best idea - we have over 300 sites monitored and only a handful that make use of WAN2 for cellular backup. If we did disable the alerts from the Meraki side, we would want our SIEM to provide the alerts in its place, provided the SIEM can differentiate between WAN1 and WAN2, and have some way for the datacenter side to know it was just a backup connection going down.

 

Seems the best fix would be if Meraki just added more detail in the email alerts.

 

alemabrahao

It would actually be the solution to make less work for you.
 
Jokes aside, today we monitor more than 700 sites via Zabbix (we even have integration with Power BI to generate reports) and it serves us very well.
 
Keep an open mind about the subject.

Brian_Scheele

On one side of the VPN connection, we have our datacenters.  That needs to be monitored and alerted.

alemabrahao

Ok, but what prevents monitoring the data center side via Zabbix?
 
If you can get a basic topology it might be easier to understand and suggest something.

Brian_Scheele

I'll have to give a serious look into Zabbix.  Not sure I can sell it as the solution, but I can see this being useful for some other things, and as a replacement for something we currently pay for that monitors servers and the non-Meraki hardware we have in place.  Quick fix is probably just going to be to move the patch cable connecting WAN2 to cellular to be cellular to copper modem.

alemabrahao

When you have free time, take a look at this.

 

https://apps.meraki.io/en-US/apps/412728/zabbix#overview

mlefebvre

Insight will give you alerts for WAN2; you could purchase one license just for this trouble site. Or, run a Python API script somewhere to generate a custom alert for this site for you.
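
A sketch of the custom-alert logic such a script could apply, added here as an example and not part of the original post: it classifies each poll of an MX by which uplink is usable and pages only on transitions into failover or a full outage, so a cellular flap while WAN1 is healthy is logged but not emailed. The input shape and status strings are modeled on the Dashboard API's `GET /organizations/{organizationId}/appliance/uplink/statuses` response and should be checked against the API documentation; the function names, serial and poll history are constructed for illustration.

```python
"""Classify MX uplink polls so only real failover/outage transitions page."""

UP = {"active", "ready"}        # statuses treated as a usable uplink
PAGE = {"failover", "offline"}  # states worth an email; the rest is log-only


def site_state(device, primary="wan1", backup="wan2"):
    """Map one device entry to normal / backup_down / failover / offline."""
    status = {u["interface"]: u.get("status") for u in device.get("uplinks", [])}
    primary_up = status.get(primary) in UP
    backup_up = status.get(backup) in UP
    if primary_up:
        return "normal" if backup_up else "backup_down"
    return "failover" if backup_up else "offline"


def transitions(polls, serial):
    """Return (poll_index, old, new, page) for each state change of one MX."""
    events, prev = [], None
    for i, poll in enumerate(polls):
        device = next((d for d in poll if d.get("serial") == serial), None)
        # A device missing from the response is treated as unreachable.
        state = site_state(device) if device else "offline"
        if prev is not None and state != prev:
            events.append((i, prev, state, state in PAGE))
        prev = state
    return events


def _poll(wan1, wan2, serial="QXXX-XXXX-0001"):
    """Build one constructed API response (placeholder serial and network)."""
    return [{"networkId": "N_placeholder", "serial": serial,
             "uplinks": [{"interface": "wan1", "status": wan1},
                         {"interface": "wan2", "status": wan2}]}]


# Constructed poll history: cellular flap, then a real failover and outage.
SAMPLE_POLLS = [
    _poll("active", "ready"),
    _poll("active", "failed"),         # backup drops while primary is fine
    _poll("active", "ready"),
    _poll("failed", "active"),         # primary lost, running on cellular
    _poll("failed", "not connected"),  # backup lost while in failover
    _poll("active", "ready"),
]

if __name__ == "__main__":
    for idx, old, new, page in transitions(SAMPLE_POLLS, "QXXX-XXXX-0001"):
        print(f"poll {idx}: {old} -> {new} [{'PAGE' if page else 'log only'}]")
```

In a live script the polls would come from the API on a schedule, with the previous state persisted between runs.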
