MX VPN hub behind 2 ISP links

RyanMcNetworks
Conversationalist


I have a situation where my MX is the hub of a VPN mesh but it sits behind an ASA using dual ISP links for redundancy/backup with an SLA monitor. The ASA's SLA feature will put the secondary link in the routing table if the primary fails, but both interfaces are up/up. I have seen the MX device register the backup IP/interface with the cloud and start forming VPN tunnels to remote sites with this IP, causing an async route and the VPN tunnel to fail.

I was thinking there might be a way to keep the ASA's interface in shutdown until it needs to fail over, but I don't see a way to do that. I also don't see a way for the MX device to stay on the primary ISP link until a failover occurs. Does anyone have any suggestions?

ww
Kind of a big deal

Is currently Active-Active AutoVPN enabled?

 

You can also use SD-WAN policies to send traffic to wan1

PhilipDAth
Kind of a big deal

> I have seen where the MX device registers the backup IP/interface with the cloud, and starts forming VPN tunnels to remote sites with this IP

 

This can ONLY happen if the ASA has routed traffic out that backup circuit.  You need to check the IP SLA statistics.

 

There are two likely scenarios:

  • It has in fact been failing over because of a primary circuit failure
  • IP SLA is falsely triggering when there has been no failure
RyanMcNetworks
Conversationalist

Philip,

 

Looking at the SLA monitor stats, it shows it has never failed over. I think the second scenario might be happening, but I'm not sure how to tell.

 

Only a few sites have tried to form VPN connections with that backup IP address. Sometimes the VPN hub will display that it is NAT'd to the backup IP. I logged into the ASA and saw some xlates for the backup IP to the VPN hub. Clearing those xlates off the backup IP caused the MX100 to show the correct primary IP, and the VPN tunnel formed correctly to those sites.

RyanMcNetworks
Conversationalist

So this MX100 is running in one-armed VPN concentrator mode. If I assign a manual NAT vs. automatic, that should force it to use the primary ISP link's IP address for all traffic, correct? If there's a failover I can change it in the configuration without much hassle.
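For reference, here is the ASA configuration shape this thread is discussing, written out as an added example; it is not taken from any post above and nothing in the thread confirms that the manual NAT alone stops the backup-interface xlates. Interface names (outside, backup, inside), object names, SLA/track numbers and all addresses (RFC 5737 documentation ranges) are assumed placeholders. The first part is the tracked dual-ISP default route that leaves both interfaces up/up, the second is a manual (twice) NAT that maps the MX to a fixed address on the primary ISP interface only, and the last part is the checks that match Philip's two scenarios and Ryan's xlate clean-up.

```text
! --- Dual-ISP default routes with SLA tracking (assumed interface names and addresses) ---
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
! Primary default route is withdrawn from the routing table only while track 1 is down;
! the interface itself stays up/up, which is the behaviour the original post describes
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Floating default route via the secondary ISP (AD 254, so it is used only on failover)
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- Manual (twice) NAT pinning the one-armed MX hub to one address on the primary ISP ---
object network MX_HUB_INSIDE
 host 192.0.2.10
object network MX_HUB_PUBLIC_PRIMARY
 host 203.0.113.10
! The interface pair is (inside,outside) only; no translation is declared for (inside,backup)
nat (inside,outside) source static MX_HUB_INSIDE MX_HUB_PUBLIC_PRIMARY

! --- Checks for the two scenarios in the thread ---
! 1. Has the tracked route ever really gone down? Look at the failure counters and state.
show sla monitor operational-state 1
show track 1
show route | include 0.0.0.0
! 2. Is the MX currently translated through the backup ISP? Look for its xlates.
show xlate local 192.0.2.10
! Remove stale translations so the next session is re-NATed through "outside"
clear xlate local 192.0.2.10
```

If `show sla monitor operational-state` shows no failures but `show xlate` still lists the MX on the backup interface, the translation was built from some traffic that left via the backup circuit rather than from a route failover, which is the distinction the replies above are trying to make.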
