MX AutoVPN functionality during failure

Solved
cmonk
Comes here often


Couple of questions that have been bothering me lately.

 

1. Two MXs via WAN1 establish an AutoVPN tunnel over an MPLS network using private IPs, and it has been working for months.  That MPLS service loses its reachability to the internet; the MXs cannot communicate with the Internet but can still communicate with the other MX.  Does the VPN tunnel between the two MXs still exist?  Will they continue to pass traffic over the VPN without a connection to the dashboard as long as no changes occur within the MPLS?  Or is the tunnel torn down?

2. Additionally, add a direct Internet connection to both MXs on WAN2.  AutoVPN tunnels are established over both WAN ports and have been working for months.  The MPLS service loses its reachability to the internet.  The MX marks WAN1 "failed" and fails all traffic over to WAN2.  Does that VPN still exist between the two MXs over WAN1, as they can still communicate via their private IPs and just cannot get to the internet using that WAN1 interface? Or are the tunnels torn down?

1 Accepted Solution
Ryan_Miles
Meraki Employee

This doc mentions the scenario you presented. https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

 

If internet is lost, the private WAN interface would be marked as down. But AFAIK (as the doc mentions) the tunnel should remain up for a few hours. Not sure if there's an exact timer.

In scenario #2 I believe it would be the same, with the tunnel remaining up for a few hours on the private WAN link.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

cmonk
Comes here often

Thank you for sharing this!
