I have active site-to-site VPN with Azure from Primary MX. I have also created a VPN connection in Azure for the passive MX. Idea is that after failover, backup MX would create a VPN tunnel and provide redundancy with Azure. Can this work ? So long i have no luck when tested.
I think you design may not work. MX HA will share all the configurations between the primary and secondary, so any VPN set up on the MX HA will apply to both MXes. So you will have both VPN peers on both MX. For non-Meraki VPNs, I don't believe they will have tracking function to failover between two Non-Meraki VPN peers.
If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Your HA spare is essentially a paperweight that only does connection tests outbound and isn't even Switchable until it becomes active where all the config (save the uplink IP addressing) is copied across onto it.
You could use the Meraki MX equivalent of HSRP and have a floating IP between the Primary and Secondary MX, and point both your tunnels at that address shared between those two boxes. ((this is assuming that you have a single site with 2x MXs on it and they point towards a remote Azure Site.))
Problem is then you'll have to ensure that bot uplinks physically sit within the same subnet, AND there's enough IP addresses to make a shared IP address for the primary and secondary device. In essence both of your tunnels from Azure will terminate on the Primary (through the shared virtual uplink IP) and when primary drops then the secondary will get it instead.
Alternative 2 Create a separate network for your secondary device, purchase another license and run each MX separately. This will put a lot of heavy lifting on switching estate sitting behind the MXs (as they will have to path select which MX) and MX VLANs will also get a bit more of a headache.
Just wanted to give update on this. I had meraki support activate ikev2 on MX1 and MX2 which are configured as active and backup using uplink IPs. Azure side was configured with two vpn connections to MX1 and MX2.
It worked early on. I failed over successfully to backup MX , both vpn and internet traffic worked fine.
Now another strange thing is happening that both the tunnels are now connected in Azure and vpn traffic is not passing the tunnel 😕