Has anyone played with 'Cellular Active Uplink' in MX16.16 yet?

Crocker
Building a reputation

Looking to do some testing with this new feature, wondering if anyone else has already done so and if there are any blatant gotchas?

Ryan_Miles
Meraki Employee

Yes and it worked as advertised in my experience

Crocker
Building a reputation

Cool!

Under the hood, is the built-in cellular interface basically becoming/being treated as WAN2 when the option is toggled on? Curious if this is going to interact with the cellular failover firewall rules at all.

I notice I can enable both WAN 2 and Cellular Active Uplink, but Cellular replaces WAN2 as an option in a couple of the SD-WAN drop-downs I looked at (like primary uplink).

For MXs with integrated cellular (MX67C, MX68CW), SD-WAN is supported over the LTE uplink with MX version 16.2 or later (in practice 16.16.1 - latest stable GA is currently recommended, but note the move to 443 for device <-> dashboard comms in 16.x - read the Release Notes). A backend configuration needs to be applied by Meraki Support (two, if you want to also be able to apply cellular failure firewall rules to the new WAN2). When enabled, this allows the customer to effectively choose their LTE uplink as WAN2. You can’t simultaneously have both 2 x fixed uplinks AND LTE. See details here: https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

Note: this will not work for LTE provided using a USB dongle.

Crocker
Building a reputation

Excellent, this is the detail I was looking for. Went digging around on the uplink configuration/SD-WAN configuration docs but they don't have much mention of this feature. Was apparently looking at the wrong docs.

Crocker
Building a reputation

Need a bit of clarification. Does this feature support active-active AutoVPN? The following blurb from the best practices document above is a bit unclear - unsure if it's talking about an add-on USB 3G/4G modem or the built-in cellular modem:

Is dual active AutoVPN available over a 3G or 4G modem?

No, 3G or 4G modem cannot be used for this purpose. While the MX supports a range of 3G and 4G modem options, cellular uplinks are currently used only to ensure availability in the event of WAN failure and cannot be used for load balancing in conjunction with an active wired WAN connection or VPN failover scenarios.

Asking because I'm having some trouble testing this feature at a remote location, which is using a full-tunnel AutoVPN back to our concentrator(s). Seems like AutoVPN isn't detecting the cellular uplink, or isn't establishing across it.

From my previous comment:

"For MXs with integrated cellular (MX67C, MX68CW) SD-WAN is supported over the LTE uplink..." and

"This will not work for LTE provided using a USB dongle..." It's this (USB dongle = 3G or 4G modem) that is being referred to in the blurb you quoted.

Assuming you do have an MX with integrated cellular... (you plugged a SIM in, not a USB dongle/modem):

Did you have Support enable the feature?

Do you have Active-Active AutoVPN enabled under Security & SD-WAN > Configure > SD-WAN & traffic shaping?

Crocker
Building a reputation

Yup, there's a SIM plugged into the SIM slot on the MX67C.

Not sure what I need to ask support? You mentioned having them enable something in your post but not what. I enabled the Cellular Active Uplink option in the Security & SD-WAN > Configure > SD-WAN & Traffic Shaping options. Is there something else needed?

Active-Active AutoVPN is enabled under Security & SD-WAN > Configure > SD-WAN & Traffic Shaping

It used to be that the Cellular Active Uplink feature needed to be enabled by Support - that probably went away when 16 became Stable. It sounds to me like your next call to Support is "It doesn't appear to be working? Please help!"

Have you tried running a packet capture on the Internet side of the MX, to see what the cellular interface is sending & receiving to/from the Hub? This would likely be Support's first ask - so worth doing in advance. Take a look at the firewall logs at the Hub site too - see if any tunnel-related packets from the Spoke are being changed in transit by the carrier. This is because, with cellular uplinks, you often run into CG-NAT related issues, which often stop tunnels from forming properly. You may need to set up the destination Hub (and any upstream firewall) to work with Manual NAT traversal, tying VPN to a specific public IP and port (I recommend picking one between 1025 and 32768, but avoiding 4500) as per https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NAT_Traversal
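
The comparison suggested in the reply above, sketched as an added example (not part of the thread and not Meraki code): it takes one flow as captured on the spoke's cellular uplink and the same flow as logged at the hub, and reports whether the carrier translated it and whether the hub port fits the recommended range. The record format, function names and addresses are constructed for illustration.

```python
import ipaddress
import re

# RFC 6598 shared address space, used by carriers for CG-NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed record format (not a Meraki log format): "src=IP:PORT dst=IP:PORT"
FLOW_RE = re.compile(r"src=([\d.]+):(\d+) dst=([\d.]+):(\d+)")

def parse_flow(line):
    """Return (src_ip, src_port, dst_ip, dst_port) from one record."""
    m = FLOW_RE.search(line)
    if m is None:
        raise ValueError("unrecognised flow record: %r" % line)
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def classify_uplink_ip(addr):
    """Classify the address assigned to the cellular interface."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"

def nat_port_ok(port):
    """Port choice recommended in the reply: 1025-32768, avoiding 4500."""
    return 1025 <= port <= 32768 and port != 4500

def diagnose(spoke_line, hub_line):
    """Compare one flow as captured at the spoke and as logged at the hub."""
    s_ip, s_port, _, _ = parse_flow(spoke_line)
    h_ip, h_port, _, h_dport = parse_flow(hub_line)
    return {
        "uplink_class": classify_uplink_ip(s_ip),
        "address_translated": s_ip != h_ip,
        "port_translated": s_port != h_port,
        "hub_port_ok": nat_port_ok(h_dport),
    }

# Constructed sample: the same flow seen on the spoke uplink and at the hub.
SPOKE = "src=100.72.14.9:41234 dst=203.0.113.10:20500"
HUB = "src=198.51.100.77:61002 dst=203.0.113.10:20500"

if __name__ == "__main__":
    print(diagnose(SPOKE, HUB))
```

An uplink classified as `cgnat` or `private` together with a translated source address and port is the situation the reply describes, where Manual NAT traversal at the hub is worth trying.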

Crocker
Building a reputation

Excellent, I'll ping support and do some capturing, see what I can see. Wanted to make sure I wasn't missing something obvious!
