I have a situation where my MX is the hub of a VPN mesh but it sits behind an ASA using dual ISP links for redundancy/backup using SLA monitor. The ASA's SLA feature will put the secondary link in the routing table if the primary fails, but both interfaces are up/up. I have seen where the MX device registers the backup IP/interface with the cloud, and starts forming VPN tunnels to remote sites with this IP, causing an async route and the VPN tunnel to fail.
I was thinking there might be a way to keep the ASA's interface in shutdown until it needs to fail over, but I don't see a way to do that. I also don't see a way for the MX device to stay on the primary ISP link until a failover occurs. Does anyone have any suggestions?
Is Active-Active AutoVPN currently enabled?
You can also use SD-WAN policies to send traffic to wan1
> I have seen where the MX device registers the backup IP/interface with the cloud, and starts forming VPN tunnels to remote sites with this IP
This can ONLY happen if the ASA has routed traffic out that backup circuit. You need to check the IP SLA statistics.
There are two likely scenarios:
Philip,
Looking at the SLA monitor stats, it shows it's never failed over. I think the second scenario might be happening, but I'm not sure how to tell?
Only a few sites have tried to form VPN connections with that backup IP address - sometimes that VPN hub will display that it is NAT'd to the backup IP. I logged into the ASA and saw some xlates for the backup IP to the VPN hub. Clearing those xlates off the backup IP caused the MX100 to show the correct primary IP, and the VPN tunnel to form correctly to those sites.
So this MX100 is running in one-armed VPN concentrator mode. If I assign a manual NAT vs. automatic, that should force it to use the primary ISP link's IP address for all traffic, correct? If there's a failover I can change it in the configuration without much hassle.
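The pinned-NAT approach from the last post, plus the SLA checks suggested earlier in the thread, laid out as an added ASA configuration example. This is not configuration from any poster or from Cisco or Meraki documentation; interface names (`inside`, `outside_primary`, `outside_backup`), the MX100 address `10.0.0.10`, the public addresses (203.0.113.x, 198.51.100.x documentation ranges) and the SLA target are all assumed placeholders.

```cisco
! --- Dual-ISP failover with IP SLA (both outside interfaces stay up/up) ---
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside_primary
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! Primary default route is withdrawn only when track 1 goes down; the backup
! route (AD 254) is then the only candidate in the routing table.
route outside_primary 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside_backup  0.0.0.0 0.0.0.0 198.51.100.1 254

! --- Pin the one-armed MX100 hub to the primary ISP address with manual NAT ---
object network MX100_INSIDE
 host 10.0.0.10
object network MX100_PUBLIC_PRIMARY
 host 203.0.113.10
! Manual (twice) NAT is evaluated before any object/auto NAT, so the hub is
! always translated to the primary public IP on outside_primary and never
! picks up an interface PAT address on outside_backup.
nat (inside,outside_primary) source static MX100_INSIDE MX100_PUBLIC_PRIMARY

! --- Verification: confirm the SLA has not flapped and no stale xlate exists ---
! show sla monitor operational-state
! show track 1
! show xlate | include 10.0.0.10
! If an entry for 10.0.0.10 still points at outside_backup, clear it so the MX
! re-registers with the cloud using the primary address:
! clear xlate local 10.0.0.10
```

The caveat with a static rule bound to `outside_primary` is the one the poster already anticipated: after a real failover the hub's traffic no longer egresses that interface, so the rule stops matching and the translation has to be changed by hand to `(inside,outside_backup)`. Checking `show sla monitor operational-state` and `show track 1` first distinguishes a genuine failover from a stray xlate created while the routing table never actually changed.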