Meraki

Community

HA pair behaviour during switch upgrade

Solved
cmr
Kind of a big deal
Kind of a big deal
‎Mar 4 2020 1:15 PM
‎Mar 4 2020 1:15 PM

HA pair behaviour during switch upgrade

One of our sites today that uses Cisco IOS switches in a stack is having the firmware upgraded.  The reboot process takes 10-15 minutes and during this the Meraki SD-WAN goes bonkers due to no LAN connections

 

cmr_0-1583334409097.png

I know this is a known issue but the only solution I can think of is to have a direct connection between the MXs, either on the LAN (the old preferred method) or WAN if NoNAT is enabled.  I'm not even sure that the latter would work, but the documentation does state that the WAN cannot be used for VRRP due to the NAT component... 

 

Does anyone have any experience of this?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
1 Accepted Solution
In response to cmr
DensyoV
Meraki Employee
Meraki Employee
‎Mar 4 2020 3:50 PM
‎Mar 4 2020 3:50 PM

 

 

Hi,

If you are only concern about the email alerts, then perhaps you can just temporarily disable it instead of turning off the VPN. The problem with turning off the VPN, if you are just using auto for the NAT traversal, its UDP port may change once you re-enable the VPN again and if there is a FW upstream, it may drop the packet if it sees a different UDP port or if it unable to clear the previous UDP flow.

 

hope this helps.

 

 

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.

View solution in original post

0 Kudos
3 Replies 3
ww
Kind of a big deal
Kind of a big deal
‎Mar 4 2020 3:05 PM
‎Mar 4 2020 3:05 PM

i dont know.

But Is this a problem if  your  LAN is down  anyway?  Cant you  poweroff  1 mx? Or disable  autovpn?

In response to ww
cmr
Kind of a big deal
Kind of a big deal
‎Mar 4 2020 3:14 PM
‎Mar 4 2020 3:14 PM

It's more of an annoyance as yes, the LAN is down, than a real issue but I didn't appreciate the 150+ emails I got in the 10 minutes of downtime...  Disabling AutoVPN could be an option, I hadn't thought of that, but powering one MX off isn't as I'm a couple of hundred miles away!

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
DensyoV
Meraki Employee
Meraki Employee
‎Mar 4 2020 3:50 PM
‎Mar 4 2020 3:50 PM

 

 

Hi,

If you are only concern about the email alerts, then perhaps you can just temporarily disable it instead of turning off the VPN. The problem with turning off the VPN, if you are just using auto for the NAT traversal, its UDP port may change once you re-enable the VPN again and if there is a FW upstream, it may drop the packet if it sees a different UDP port or if it unable to clear the previous UDP flow.

 

hope this helps.

 

 

Please hit kudos if you found this post helpful and/or click "accept as solution" if this solved your problem.
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.