We are having a strange problem with our MX84 firewalls. We currently have a subnet for our WAN 184.108.40.206/28.
We have a number of NATs set up. When we are running on the one firewall everything works. When we failover to the other firewall all the addresses from 220.127.116.11 and up stop working. It acts like the subnet on the one firewall is set to 18.104.22.168/29. I have verified on the local page that it is set to 255.255.255.240. I even tried saving the IP address to a different IP address and it still does not work.
I am just wondering if anyone else has run into this issue.
My next step is to do a full reset of that firewall and let it rebuild.
My suspicion is that the upstream modem is still caching the ARP entry for the spare MX. A packet capture on the primary MX internet interface should show the destination MAC address of the 22.214.171.124 traffic. If that's different from the primary MX MAC address then you might try rebooting the modem.
If you're not using a virtual IP then you might try that to see if it reduces the chances of this happening. But it really depends on where the failure is coming from. You might want to give Meraki Support a call for assistance in troubleshooting the specifics of your scenario.
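One way to automate the check the reply above describes, as an added example that is not from the original thread or from Meraki: parse `tcpdump -e -n` style output and flag frames addressed to a 1:1 NAT public IP whose destination MAC is not the MAC of the MX that is currently active. The MAC addresses, the NAT addresses (RFC 5737 documentation range) and the capture lines are all constructed for illustration, and the example assumes the capture point sees frames sent to either MX (for instance a mirror port between the modem and the MX pair).

```python
import re
from collections import defaultdict

# Hypothetical MAC of the MX that is currently active (placeholder, not a real device).
ACTIVE_MX_MAC = "02:00:00:00:00:01"
# Hypothetical MAC of the spare MX, which should receive no traffic after failover.
SPARE_MX_MAC = "02:00:00:00:00:02"
# Public 1:1 NAT addresses to watch (constructed, RFC 5737 documentation range).
NAT_ADDRESSES = {"203.0.113.3", "203.0.113.4", "203.0.113.5"}

# Matches the link-layer header printed by `tcpdump -e -n` for IPv4 frames.
# The source/destination IP may carry a trailing ".port" (TCP/UDP) or none (ICMP).
FRAME_RE = re.compile(
    r"^\S+\s+(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>\d+(?:\.\d+){3})(?:\.\d+)? > (?P<dst_ip>\d+(?:\.\d+){3})(?:\.\d+)?:"
)

# Constructed sample capture: one frame goes to the active MX, three still go to the
# spare MX's MAC (a stale upstream ARP entry), and one ARP line is ignored by the parser.
SAMPLE_LINES = [
    "12:00:01.000001 02:00:00:00:00:aa > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: "
    "198.51.100.10.51234 > 203.0.113.3.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 02:00:00:00:00:aa > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: "
    "198.51.100.10.51235 > 203.0.113.4.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000003 02:00:00:00:00:aa > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 98: "
    "198.51.100.11 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000004 02:00:00:00:00:aa > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: "
    "198.51.100.12.40000 > 203.0.113.4.22: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000005 02:00:00:00:00:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 203.0.113.3 tell 203.0.113.1, length 28",
]


def parse_frame(line):
    """Return the MAC/IP fields of one tcpdump -e line, or None if it is not an IPv4 frame."""
    m = FRAME_RE.match(line)
    return m.groupdict() if m else None


def stale_arp_report(lines, nat_addresses, active_mac):
    """Count frames to each NAT address whose destination MAC is not the active MX.

    Returns {nat_ip: {unexpected_dst_mac: frame_count}}; an empty dict means every
    frame for the NAT addresses already reaches the active MX.
    """
    stale = defaultdict(lambda: defaultdict(int))
    for line in lines:
        frame = parse_frame(line)
        if frame is None or frame["dst_ip"] not in nat_addresses:
            continue
        dst_mac = frame["dst_mac"].lower()
        if dst_mac != active_mac.lower():
            stale[frame["dst_ip"]][dst_mac] += 1
    return {ip: dict(macs) for ip, macs in stale.items()}


if __name__ == "__main__":
    report = stale_arp_report(SAMPLE_LINES, NAT_ADDRESSES, ACTIVE_MX_MAC)
    if not report:
        print("all NAT traffic is reaching the active MX")
    for ip, macs in sorted(report.items()):
        for mac, count in macs.items():
            note = " (spare MX)" if mac == SPARE_MX_MAC else ""
            print(f"{ip}: {count} frame(s) sent to {mac}{note} instead of {ACTIVE_MX_MAC}")
```

Feed it real lines with something like `tcpdump -e -n -i <iface> | python3 stale_arp.py` adapted to read stdin; any NAT address that keeps appearing with the spare MX's MAC after failover is one whose upstream ARP entry has not been refreshed, which is the case the reply suggests clearing by rebooting the modem or by using a virtual IP.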
So I now know what the issue is. When a failover occurs Meraki does not do a GARP for the 1:1 NAT addresses. Therefore the upstream device does not get updated. This is from the Meraki documents. Their solution is to tell you to reboot the upstream device. So as far as I am concerned this is a major major flaw in the Meraki failover routine. It can take hours for the upstream device to refresh its ARP table, meaning any services you are offering through those NATs will be down for hours. Defeats the whole purpose of having a failover.