Wondering if anyone has done this before.
Would have two MX Appliances as Warm Standby in Router Mode.
ISP1 would be plugged into Active
ISP2 would be plugged into Standby
No switch on the WAN side, so the ISP goes straight into the MX WAN port, effectively making them CPE kit talking to the ISP.
Obviously would have to use the "Use MX uplink IPs" option as no VIP would be possible.
Would then have VPN Concentrator at Main Location.
Would then like to establish VPN from the Location with the MX Appliances to the Concentrator.
This would then establish from each ISP link separately? In terms of failover, would this keep the client-to-server connection open with this VPN failover, or would that really be app dependent?
I don't quite understand your question, but I would consider taking a look at the best practices guide.
What I'm looking for isn't in there.
Will try and explain again what I'm looking for.
MX1 - 1 ISP Connection Public_IP_Block_A eg 40.40.40.40/31
MX2 - 1 ISP Connection Public_IP_Block_B eg 50.50.50.50/31
The ISP Connections are separate WAN Connections so no external switch and VRRP etc on the WAN Side and the Connection terminated on each MX Appliance.
MX2 is a Warm Standby for MX1
Then use the SDWAN functionality to build VPN from the MX to a VPN Concentrator.
The VPN would initially be seen from 40.40.40.40 as that is ISP1.
However, if there was a failover to the Warm Standby, then it would be seen from 50.50.50.50 as it would now be on ISP2.
Solved: Dual redundant mx devices but with separate ISP on each WAN 1 port - The Meraki Community
That was a similar topology; however, it was not doing any of the SD-WAN functionality or VPN. I know from other vendors that can do a straight firewall topology like this; however, the VPN doesn't work in that topology, so I don't want to presume that this would work with the VPN properly in Meraki either.
Auto-VPN is ISP independent (which is one of the biggest advantages of SD-WAN), so yes the tunnel will continue to work. Now if you have a non-Meraki VPN (S2S VPN with third parties) you will need to have a tunnel with each of the MXs.
I tested this with MX250 in 2018 and if I recall it did not work. It was on a very different code from 18.107.x currently being used. Meraki did not have Active/Active tunnels on ISP1 and ISP2 back then.
This was in a lab and shut down the uplink switch port that was ‘ISP-1’ on MX-A. SD-WAN traffic stopped. I had to failover MX in the dashboard, and then tunnels connected on MX-B. I don’t recall if the Internet kept working.
It isn't best practice but it would work for SD-WAN traffic and outbound traffic.
Port forwarding is problematic since you have a completely different IP subnet on your secondary so in a device failure scenario those won't work.
It would be better if you could stretch both ISPs to both datarooms and have a /29 subnet or a private NAT'ed subnet.
That will work fine.
>This would then establish from each ISP link separately?
No. In this configuration they would only connect to the primary MX unless it failed, and then they would connect to the standby MX.