Meraki

Community

Fail over Mechanism between 2 MX and 2 Palo Alto

Solved
Senan_Rogers
Getting noticed
‎Jun 12 2020 6:12 AM
‎Jun 12 2020 6:12 AM

Fail over Mechanism between 2 MX and 2 Palo Alto

Hello Guys,

 

I want to get your opinion on a case I have it below and want to know the best scenario/Practice for the design.

 

Problem description:-

What is the Best Mechanism to trigger the failover between Palo alto and Meraki MX. What i meant, when Palo alto 1` is down, how the MX1 will know that Palo alto 1 is down and he needs to communicate with palo alto alto #2.

 

Any Suggestion?

 

Senan_Rogers_1-1591967283433.png

 

0 Kudos
1 Accepted Solution
In response to cmr
Senan_Rogers
Getting noticed
‎Jun 15 2020 5:22 PM
‎Jun 15 2020 5:22 PM

Hello Guys,

 

Thank you for all your reply.  

 

I have found a way on how to simplify the failover  Scenario below is a draft design for your reference.

 

Senan_Rogers_1-1592266040737.png

 

Again thank you.

View solution in original post

0 Kudos
9 Replies 9
ww
Kind of a big deal
Kind of a big deal
‎Jun 12 2020 6:50 AM
‎Jun 12 2020 6:50 AM

I assume  pa2  takes over the Ip of pa1.(vrrp)

jdsilva
Kind of a big deal
‎Jun 12 2020 8:40 AM
‎Jun 12 2020 8:40 AM

What is the goal of this design? My initial answer is simply that you shouldn't do this as it doesn't add any value while greatly increases complexity, but let's hear the use case and go from there.

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 12 2020 1:58 PM
‎Jun 12 2020 1:58 PM

I'm with @jdsilva .  It looks like a terrible idea to me.  I can't imagine what the benefit of such a huge amount of complexity will be.

You can be pretty confident that engineering in so much complexity will result in an increased number of outages.

Senan_Rogers
Getting noticed
‎Jun 13 2020 10:56 AM
‎Jun 13 2020 10:56 AM

The Palo Alto  Firewall is a must and they have features that are not available with Meraki MX,  So we have to keep them and they are Managed by different organizations ( 3rd party), and the Meraki is managed by another Organization, So we have to keep them in parallel. 

 

I totally understand the design  is  complex  and I am in a situation I have to simplify the solution and keep both of them  MX/Palo Alto 

 

Please see below the Overall  Design. 

Senan_Rogers_1-1592070873039.png

 

 

 

So what I am asking is how to simplify the Failover Mechanism between two Different Vendors with the Above Design. 

 

Any Idea you can share it with me?

0 Kudos
In response to Senan_Rogers
cmr
Kind of a big deal
Kind of a big deal
‎Jun 13 2020 1:08 PM
‎Jun 13 2020 1:08 PM

I don't see the issue, if you have two HA pairs that can't be in series, then what you have is what you need.  We've had a similar setup for years and never had any issues, it just works.

 

For those that need to know, we have HA pairs from two different vendors and run VPNs from both, traditionally one with the site to site and the other with the primary client VPN.  We did briefly have three HA pairs in parallel, but that was just too much 🤣

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 14 2020 12:40 PM
‎Jun 14 2020 12:40 PM

What traffic do you want to go to what firewall cluster, and which is the primary firewall cluster (Palo Alto or Meraki)?

0 Kudos
In response to PhilipDAth
Senan_Rogers
Getting noticed
‎Jun 14 2020 2:40 PM
‎Jun 14 2020 2:40 PM

Hello Philip,

In the diagram, it shows the VOICE VLAN 200 will go to the MX only, and the AZURE VLAN will go to Palo Alto.

We will have one MX Primary and One PALO ALTO Primary.

0 Kudos
In response to Senan_Rogers
cmr
Kind of a big deal
Kind of a big deal
‎Jun 15 2020 1:07 PM
‎Jun 15 2020 1:07 PM

I think the diagram is very confusing with the voice VLAN appearing to go to what I assume are the MXs and then not really anywhere.

 

You have Azure on a LAN interface on the Palo Altos and a WAN interface for unknown traffic.  As @PhilipDAth said, what are you trying to achieve,  why do you want the MXs, is it just for the voice traffic, and if so goes much voice traffic do you have that requires dedicated MX hardware?  We use Cisco ISRs for SIP trunk termination as they have hardware resources for transcoding etc.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Senan_Rogers
Getting noticed
‎Jun 15 2020 5:22 PM
‎Jun 15 2020 5:22 PM

Hello Guys,

 

Thank you for all your reply.  

 

I have found a way on how to simplify the failover  Scenario below is a draft design for your reference.

 

Senan_Rogers_1-1592266040737.png

 

Again thank you.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.