We are having a strange problem with our MX84 firewalls. We currently have a subnet for our WAN 188.8.131.52/28.
We have a number of NATs set up. When we are running on the one firewall everything works. When we fail over to the other firewall all the addresses from 184.108.40.206 and up stop working. It acts like the subnet on the one firewall is set to 220.127.116.11/29. I have verified on the local page that it is set to 255.255.255.240. I even tried saving the IP address to a different IP address and it still does not work.
I am just wondering if anyone else has run in to this issue.
My next step is to do a full reset of that firewall and let it rebuild.
My suspicion is that the upstream modem is still caching the ARP entry for the spare MX. A packet capture on the primary MX internet interface should show the destination MAC address of the 18.104.22.168 traffic. If that's different from the primary MX MAC address then you might try rebooting the modem.
If you're not using a virtual IP then you might try that to see if it reduces the chances of this happening. But it really depends on where the failure is coming from. You might want to give Meraki Support a call for assistance in troubleshooting the specifics of your scenario.
I'm going to take a punt that the ISP is routing 22.214.171.124/29 via the IP address of the primary MX. They can fix this by routing it simply via the interface (as opposed to specifying an IP address).
Or you could use virtual IP and have them route it via that.
I should have mentioned that this was working and then we swapped out the firewall via RMA. We have been using a virtual IP from the start.
So I now know what the issue is. When a failover occurs Meraki does not do a GARP for the 1:1 NAT addresses. Therefore the upstream device does not get updated. This is from the Meraki documents. Their solution is to tell you to reboot the upstream device. So as far as I am concerned this is a major, major flaw in the Meraki failover routine. It can take hours for the upstream device to refresh its ARP table, meaning any services you are offering through those NATs will be down for hours. It defeats the whole purpose of having a failover.
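The capture check suggested earlier in the thread (compare the destination MAC of traffic to the NAT addresses against the active MX's MAC) and the stale-ARP failure mode described in the post above, as an added worked example that is not from the thread or from Meraki: it parses a constructed capture of the WAN segment and reports which WAN IPs the upstream device is still sending to a MAC other than the active MX. The MACs, the documentation-range subnet and the frames are all constructed values, not from the original post.

```python
import struct
import ipaddress

# Constructed values (not from the thread): active MX WAN MAC, the MAC of the
# MX that was swapped out, and a documentation-range /28 holding the 1:1 NATs.
ACTIVE_MX_MAC = "02:00:00:00:00:01"
OLD_MX_MAC = "02:00:00:00:00:02"
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/28")

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def build_ipv4_frame(dst_mac, src_mac, dst_ip, src_ip="198.51.100.7"):
    """Constructed Ethernet II frame with a minimal 20-byte IPv4 header."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return eth + ip_hdr

def parse_frame(frame):
    """Return (dst_mac, dst_ip) for an IPv4 frame; None for ARP/other frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    dst_ip = str(ipaddress.ip_address(frame[30:34]))  # IPv4 dst at offset 30
    return dst_mac, dst_ip

def find_stale_arp_victims(frames, active_mac, subnet):
    """WAN IPs whose inbound frames carry a destination MAC other than the
    active MX: after a failover without GARP these are the 1:1 NAT hosts the
    upstream device still resolves to the old MX."""
    stale = set()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        dst_mac, dst_ip = parsed
        if ipaddress.ip_address(dst_ip) in subnet and dst_mac != active_mac.lower():
            stale.add(dst_ip)
    return stale

# Constructed capture: two frames to the primary-half NAT host are already
# going to the active MX; the frame to .10 is still addressed to the old MX;
# an ARP frame and an off-subnet frame are present to show they are ignored.
CAPTURE = [
    build_ipv4_frame(ACTIVE_MX_MAC, "02:00:00:00:00:ff", "203.0.113.3"),
    build_ipv4_frame(ACTIVE_MX_MAC, "02:00:00:00:00:ff", "203.0.113.3"),
    build_ipv4_frame(OLD_MX_MAC, "02:00:00:00:00:ff", "203.0.113.10"),
    mac_to_bytes(OLD_MX_MAC) + mac_to_bytes(ACTIVE_MX_MAC) + b"\x08\x06" + b"\x00" * 28,
    build_ipv4_frame(OLD_MX_MAC, "02:00:00:00:00:ff", "192.0.2.9"),
]

if __name__ == "__main__":
    print("upstream still resolves to a stale MAC for:",
          sorted(find_stale_arp_victims(CAPTURE, ACTIVE_MX_MAC, WAN_SUBNET)))
```

Any IP it reports is one the upstream device must re-learn (an ARP refresh or reboot on that device), which matches the addresses "from the upper half and up" going dark in the thread.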