Failover issues with WAN subnet

Gordon
Getting noticed

Failover issues with WAN subnet

We are having a strange problem with our MX84 firewalls.   We currently have a subnet for our WAN 66.97.20.64/28.

We have a number of NATs setup.   When we are running on the one firewall everything works.  When we failover to the other firewall all the addresses from 66.97.20.72 and up stop working.  It acts like the subnet on the one firewall is set to 66.97.20.64/29.  I have verified on the local page that it is set to 255.255.255.240   I even tried saving the IP address to a different IP address and it still does not work.

I am just wondering if anyone else has run in to this issue.

 

My next step is do a full reset of that firewall and let it rebuild.

 

6 REPLIES 6
rhbirkelund
Kind of a big deal

Have you verified the IP addressing from the ISP? That it is correct on their end?
LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

Yes.  And it works on one firewall but not the other.

CN
Meraki Alumni (Retired)
Meraki Alumni (Retired)

My suspicion is that the upstream modem is still caching the ARP entry for the spare MX. A packet capture on the primary MX internet interface should show the destination mac address of the 66.97.20.72 traffic. If that's different from the primary MX mac address then you might try rebooting the modem. 

 

If you're not using a virtual IP then you might try that to see if it reduces the chances of this happening. But it really depends on where the failure is coming from. You might want to give Meraki Support a call for assistance in troubleshooting the specifics of your scenario. 

PhilipDAth
Kind of a big deal
Kind of a big deal

I'm going to take a punt the ISP is routing 66.97.20.72/29 via the IP address of the primary MX.  They can fix this by routing it simply via the interface (as opposed to a specifying an IP address).

Or you could use virtual IP and have them route it via that.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#WAN_Vir... 

I should have mentioned that this was working and then we swapped out the firewall via RMA.   We have been using a virtual IP from the start.

 

Thanks

Gordon
Getting noticed

So I now know what the issue is.   When a failover occurs Meraki does not do a GARP for the 1:1 NAT addresses.  Therefore the upstream device does not get updated.  This is from the Meraki documents.  Their solution is tell you to reboot the upstream device.   So as far as I am concerned this is a major major flaw in the Meraki failover routine.   It can take hours for the upstream device to refresh its ARP table meaning any services you are offering through those NATs will be down for hours.  Defeats the whole purpose of having a failover.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels