HA pair behaviour during switch upgrade

Solved
cmr
Kind of a big deal
One of our sites today that uses Cisco IOS switches in a stack is having the firmware upgraded.  The reboot process takes 10-15 minutes and during this the Meraki SD-WAN goes bonkers due to no LAN connections

I know this is a known issue but the only solution I can think of is to have a direct connection between the MXs, either on the LAN (the old preferred method) or WAN if NoNAT is enabled.  I'm not even sure that the latter would work, but the documentation does state that the WAN cannot be used for VRRP due to the NAT component... 
Does anyone have any experience of this?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
1 Accepted Solution
DensyoV
Meraki Employee

Hi,

If you are only concerned about the email alerts, then perhaps you can just temporarily disable them instead of turning off the VPN. The problem with turning off the VPN is that, if you are just using auto for the NAT traversal, its UDP port may change once you re-enable the VPN again, and if there is a FW upstream, it may drop the packets if it sees a different UDP port or if it is unable to clear the previous UDP flow.


Hope this helps.

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.

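The accepted answer's caveat (an upstream stateful firewall dropping the re-established AutoVPN flow when the UDP source port changes, or while it still holds the previous flow) is easier to reason about with a small model. The following is an added illustration, not Meraki or Cisco code: the registry address, the LAN IP, the port numbers and the idle timeout are constructed values, and the MX is reduced to a stub that reuses a fixed port under "manual" NAT traversal and may pick a fresh port under "auto".

```python
"""Toy model of an upstream stateful firewall in the AutoVPN re-enable scenario.

Added illustration only, not Meraki or Cisco code. Addresses, ports and the
timeout are constructed; the MX is a stub (assumption: 'manual' NAT traversal
reuses the configured port, 'auto' may register from a new ephemeral port).
"""
from dataclasses import dataclass, field

REGISTRY = ("198.51.100.10", 9350)   # constructed placeholder for the VPN registry
MX_LAN_IP = "10.0.0.2"               # constructed
MANUAL_PORT = 52000                  # constructed pinned port for "manual" mode


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class UpstreamFirewall:
    """Holds one UDP flow per (src_ip, dst_ip, dst_port) until it idles out.
    If `pinned` is non-empty, an explicit source-port rule is enforced too."""
    idle_timeout: float = 120.0
    pinned: set = field(default_factory=set)
    flows: dict = field(default_factory=dict)   # key -> (Flow, last_seen)

    def outbound(self, flow: Flow, now: float) -> bool:
        key = (flow.src_ip, flow.dst_ip, flow.dst_port)
        held = self.flows.get(key)
        if held is not None:
            old_flow, last_seen = held
            if now - last_seen > self.idle_timeout:
                del self.flows[key]        # stale entry is finally cleared
            elif old_flow != flow:
                return False               # previous flow not cleared yet: dropped
        if self.pinned and (flow.src_ip, flow.src_port) not in self.pinned:
            return False                   # rule expects a different UDP port
        self.flows[key] = (flow, now)      # create or refresh the flow entry
        return True


def mx_source_port(mode: str, attempt: int) -> int:
    """Stub for the MX registration socket (assumption, not exact Meraki
    behaviour): 'manual' reuses MANUAL_PORT, 'auto' may get a new port."""
    return MANUAL_PORT if mode == "manual" else 60000 + attempt


def register(fw: UpstreamFirewall, mode: str, attempt: int, now: float) -> bool:
    """One VPN registration attempt from the MX through the upstream firewall."""
    flow = Flow(MX_LAN_IP, mx_source_port(mode, attempt), *REGISTRY)
    return fw.outbound(flow, now)


def run_scenarios() -> dict:
    """Disable/re-enable the VPN under both NAT traversal modes and report
    whether the re-registration makes it through the upstream firewall."""
    results = {}
    auto_fw = UpstreamFirewall()
    results["auto_first"] = register(auto_fw, "auto", 0, now=0)
    # Re-enabled 30 s later from a new port: old flow still held, so dropped.
    results["auto_reenable_soon"] = register(auto_fw, "auto", 1, now=30)
    # Same re-registration after the old flow has idled out: accepted.
    results["auto_reenable_after_timeout"] = register(auto_fw, "auto", 1, now=300)

    manual_fw = UpstreamFirewall(pinned={(MX_LAN_IP, MANUAL_PORT)})
    results["manual_first"] = register(manual_fw, "manual", 0, now=0)
    # Same pinned port on re-enable simply refreshes the existing flow.
    results["manual_reenable_soon"] = register(manual_fw, "manual", 1, now=30)
    # A non-pinned port never matches the explicit rule, even after timeout.
    results["manual_fw_auto_port"] = register(manual_fw, "auto", 2, now=400)
    return results


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{name:32s} {'passes' if passed else 'DROPPED'}")
```

The two `auto_reenable_*` results are the point of the answer: with "auto" NAT traversal the new source port is rejected until the firewall's previous UDP flow times out, which is why simply muting the alerts for the maintenance window is the lower-risk choice. The `manual_*` results show why pinning the port (and the matching firewall rule) makes a disable/re-enable cycle harmless.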

3 Replies
ww
Kind of a big deal

I don't know.

But is this a problem if your LAN is down anyway? Can't you power off 1 MX? Or disable AutoVPN?

cmr
Kind of a big deal

It's more of an annoyance than a real issue, as yes, the LAN is down, but I didn't appreciate the 150+ emails I got in the 10 minutes of downtime... Disabling AutoVPN could be an option, I hadn't thought of that, but powering one MX off isn't, as I'm a couple of hundred miles away!
