Meraki

Community

MX VPN hub behind 2 ISP links

RyanMcNetworks
Conversationalist
‎Jan 14 2022 7:53 AM
‎Jan 14 2022 7:53 AM

MX VPN hub behind 2 ISP links

I have a situation where my MX is the hub of a VPN mesh but it sits behind an ASA using dual ISP links for redundancy/backup using SLA monitor.  The ASA's SLA feature will put the secondary link in the routing table if the primary fails, but both interfaces are up/up.  I have seen where the MX device registers the backup IP/interface with the cloud, and starts forming VPN tunnels to remote sites with this IP, causing an async route and the VPN tunnel to fail.  

 

I was thinking there might be a way to keep the ASA's interface in shutdown until it needs to fail over but I don't see a way to do that.  I also don't see a way to for the MX device to stay on the primary ISP link until a failover occurs.  Does anyone have any suggestions?

0 Kudos
4 Replies 4
ww
Kind of a big deal
Kind of a big deal
‎Jan 14 2022 8:02 AM
‎Jan 14 2022 8:02 AM

Is currently Active-Active AutoVPN enabled?

 

You can also use SD-WAN policies to send traffic to wan1

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 14 2022 1:09 PM
‎Jan 14 2022 1:09 PM

> I have seen where the MX device registers the backup IP/interface with the cloud, and starts forming VPN tunnels to remote sites with this IP

 

This can ONLY happen if the ASA has routed traffic out that backup circuit.  You need to check the IP SLA statistics.

 

There are two likely scenarios:

  • It has in fact been falling over because of primary circuit failure
  • IP SLA is falsely triggering when there has been no failure
RyanMcNetworks
Conversationalist
‎Jan 14 2022 1:32 PM
‎Jan 14 2022 1:32 PM

Philip,

 

Looking at the SLA monitor stats it shows it's never failed over.  I think the second scenario might be happening, but I'm not sure how to tell?

 

Only a few sites have tried to form VPN connections with that backup IP address - sometimes that VPN hub will display that it is nat'd to the back-up IP.  I logged into the ASA and saw some Xlate for the backup IP to VPN Hub.  Clearing those Xlates off the backup IP caused the MX100 to show the correct primary IP, and the VPN tunnel to form correctly to those sites. 

0 Kudos
RyanMcNetworks
Conversationalist
‎Jan 17 2022 12:53 PM
‎Jan 17 2022 12:53 PM

So this MX100 is running in one-armed VPN concentrator mode - If I assign a manual NAT vs automatic that should force it to use the Primary ISP link's IP address for all traffic correct? If there's a fail over I can change it in the configuration without much hassle.  

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.