MX VPN Concentrator VRRP bug in 15.43 & 15.44

shaunchivers
Conversationalist


I have a pair of MX250s (single interface, warm spare configuration) as an SD-WAN hub site. We see the warm unit sending its management traffic (e.g. traffic to dashboard) with the VRRP source MAC rather than its own burnt-in MAC. I have had a TAC case open for a few weeks now, which is with engineering again as an upgrade to 15.44 did not resolve it.

I am interested to see if anyone else has experienced this VRRP bug?

UCcert
Kind of a big deal

Re: MX VPN Concentrator VRRP bug in 15.43 & 15.44

We haven’t experienced this directly, but a peer had this happen across a large SD-WAN estate. From memory, support made a VPN registry change?

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
RaphaelL
Building a reputation

Re: MX VPN Concentrator VRRP bug in 15.43 & 15.44

Hi,

I was curious about that behavior, so I did a couple of packet captures on both our MX450 and MX250 Warm Spare (LAN captures).

MX450, MX 15.40:

Uses the burned-in MAC for the VRRP MAC (not following the standard in RFC 5798)

MX250, MX 14.53:

Uses a special MAC: CC:03:D9 + end of the burned-in MAC of the device (not following the standard in RFC 5798)

I'm a little bit surprised to see that both MX450 and MX250 are not following the RFC AND they are not even using the same mechanic for the VRRP MAC selection...

ww
Kind of a big deal

Re: MX VPN Concentrator VRRP bug in 15.43 & 15.44

@RaphaelL are the MX250 and 450 on the same firmware?

RaphaelL
Building a reputation

Re: MX VPN Concentrator VRRP bug in 15.43 & 15.44

Whoops! I just edited my post to include the firmware versions. I will have to test in my lab if bringing the MX250 to the MX450 version will change the behavior (which is still not the one expected from the RFC).

I was expecting a MAC 00-00-5E-00-01-XX
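
A check for the behaviour discussed in the posts above, as an added example that is not part of the original thread or Meraki's code: it classifies a frame's source MAC as an RFC 5798 virtual MAC, the CC:03:D9-derived form, or the burned-in MAC, and flags frames sent from an appliance's own IP with anything other than its burned-in MAC. The addresses, the inventory layout and the reading of "end of the burned-in MAC" as its last three octets are assumptions.

```python
import re

RFC5798_V4 = "00:00:5e:00:01:"  # RFC 5798 IPv4 virtual MAC; last octet is the VRID
RFC5798_V6 = "00:00:5e:00:02:"  # RFC 5798 IPv6 virtual MAC; last octet is the VRID
THREAD_PREFIX = "cc:03:d9:"     # prefix reported in the thread (MX250, MX 14.53)

def normalize(mac):
    """Accept aa-bb-.., aa:bb:.. or aabb.ccdd.eeff and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(src_mac, burned_in):
    """Return (kind, vrid); vrid is set only for RFC 5798 virtual MACs."""
    mac, bia = normalize(src_mac), normalize(burned_in)
    if mac.startswith(RFC5798_V4):
        return "rfc5798-ipv4", int(mac[-2:], 16)
    if mac.startswith(RFC5798_V6):
        return "rfc5798-ipv6", int(mac[-2:], 16)
    if mac == bia:
        return "burned-in", None
    # Assumption: "end of the burned-in MAC" means its last three octets.
    if mac.startswith(THREAD_PREFIX) and mac[9:] == bia[9:]:
        return "cc03d9-derived", None
    return "other", None

def flag_frames(frames, inventory):
    """frames: (src_ip, src_mac) pairs; inventory: appliance IP -> burned-in MAC."""
    findings = []
    for src_ip, src_mac in frames:
        bia = inventory.get(src_ip)
        if bia is None:
            continue  # not one of the appliances' own addresses
        kind, vrid = classify(src_mac, bia)
        if kind != "burned-in":
            findings.append((src_ip, normalize(src_mac), kind, vrid))
    return findings

# Constructed sample data (documentation IPs and MACs, not from a real capture).
INVENTORY = {"192.0.2.11": "00-00-5E-00-53-0B", "192.0.2.12": "00-00-5E-00-53-0C"}
FRAMES = [
    ("192.0.2.11", "00:00:5e:00:53:0b"),   # primary, own MAC
    ("192.0.2.12", "CC:03:D9:00:53:0C"),   # spare, derived virtual MAC
    ("192.0.2.12", "0000.5e00.0101"),      # spare, RFC 5798 MAC, VRID 1
    ("192.0.2.99", "00:00:5e:00:53:63"),   # unrelated host, ignored
]

if __name__ == "__main__":
    for finding in flag_frames(FRAMES, INVENTORY):
        print(finding)
```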

suneq
Getting noticed

Re: MX VPN Concentrator VRRP bug in 15.43 & 15.44

Hi,

Yes, we've just downgraded all our MX 450 today from version 15.44 to 15.42. The support said that it impacts only the management traffic, but for us even the site-to-site tunnels were affected: it took hours to bring up a tunnel without any specific reason. As soon as we downgraded to version 15.42, all our site-to-site tunnels which were down went up.

Maybe some coincidence, I don't know 🙂

RaphaelL
Building a reputation

Re: MX VPN Concentrator VRRP bug in 15.43 & 15.44

Were you able to confirm if the VRRP MAC between your MX450 and MX250 followed the same mechanic?
