Meraki

mawitt1990 · ‎Apr 15 2021

Hello all,

I had a question regarding the default routing behavior of a MX. I have an environment where I would like to advertise the same subnet from two different VPN hubs. Hub 1 will act as the primary route to the network (10.150.0.0/16). Hub 2 will provide a backup route in an event where A) the 10.150.0.0/16 resource becomes unavailable or B) Hub 1 goes offline. Both Hubs advertise a local static route for the 10.150.0.0/16 into AutoVPN with route tracking enabled.

In setting this up in an lab environment, I notice that with route tracking enabled Hub 1 continues to advertise the static route into AutoVPN. The two spokes continue to send their traffic destined to 10.150.0.0/16 to Hub 1 as a result. Hub 1 receives the packet, decrements the TTL on the IP packet, and then forwards it onto to Hub 2. My question for you all is this a routing behavior that we should expect to see in this type of scenario?

Bruce · ‎Apr 15 2021

The answer is yes. The fact that the route to 10.150.0.0/16 still remains as advertised even when the host being tracked goes offline is known - in fact some people are using it to their advantage to force traffic into the VPN when they are otherwise doing split tunneling.

I believe the consensus is that if a tracked host goes offline then the route should be withdrawn from the AutoVPN, but at the moment it doesn't work like that, it works as you've described. I'm sure it probably has complexities as to how the security associations are formed and the subnets advertised during that process that make it difficult to do any other way, but be assured what you are seeing is 'expected'. At least you know how it works 😀

EDIT: If Hub1 goes completely offline then the traffic should be going direct to Hub2 as there is no longer any VPN path to Hub1, so Hub2 is the only option.

Meraki

Community

MX AutoVPN Routing Decision with Route Tracking

MX AutoVPN Routing Decision with Route Tracking