MX failover with 3rd party site-to-site VPN

Mateen

Hi,

I have an active site-to-site VPN with Azure from the primary MX. I have also created a VPN connection in Azure for the passive MX. The idea is that after failover, the backup MX would create a VPN tunnel and provide redundancy with Azure. Can this work? So far I have had no luck when testing.

ChrisC83
Meraki Employee

Hi,

I think your design may not work. MX HA shares all the configuration between the primary and secondary, so any VPN set up on the MX HA pair will apply to both MXes. So you will have both VPN peers on both MXes. For non-Meraki VPNs, I don't believe there is a tracking function to fail over between two non-Meraki VPN peers.

Best Regards,

Chris

Mateen

I have 2 MXs and 2 WAN connections. Is there any other way to achieve redundancy for the VPN?
WillN

As Chris said,

Your HA spare is essentially a paperweight that only does outbound connection tests and isn't even switchable until it becomes active, at which point all the config (save the uplink IP addressing) is copied across onto it.

You could use the Meraki MX equivalent of HSRP and have a floating IP between the primary and secondary MX, and point both your tunnels at that address shared between those two boxes.
(This is assuming that you have a single site with 2x MXs on it and they point towards a remote Azure site.)


The problem is then that you'll have to ensure that both uplinks physically sit within the same subnet, AND that there are enough IP addresses to make a shared IP address for the primary and secondary device. In essence both of your tunnels from Azure will terminate on the primary (through the shared virtual uplink IP), and when the primary drops the secondary will get it instead.

Alternative 2
Create a separate network for your secondary device, purchase another license and run each MX separately. This will put a lot of heavy lifting on the switching estate sitting behind the MXs (as they will have to path-select which MX to use), and MX VLANs will also become a bit more of a headache.

Sorry to be the bearer of bad news.

Mateen

Hi,

Just wanted to give an update on this. I had Meraki support activate IKEv2 on MX1 and MX2, which are configured as active and backup using uplink IPs. The Azure side was configured with two VPN connections, one to MX1 and one to MX2.

It worked early on. I failed over successfully to the backup MX; both VPN and internet traffic worked fine.

Now another strange thing is happening: both tunnels are now connected in Azure, and VPN traffic is not passing through the tunnel 😕

ChrisC83
Meraki Employee

Hi,

I just want to check how you control the Azure side to pass the traffic back to MX1 or MX2 when both tunnels are connected. The MXes are in HA mode, so only one MX is actually passing the traffic.

Mateen

It seems like the spare MX is also responding to Azure requests and creating a tunnel, which it should not, and this is messing with the route table. Only one tunnel should be connected for this to work.
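Chris's question (which tunnel Azure uses when both are Connected) and Mateen's symptom (both tunnels up, no traffic) come down to one invariant: with an HA pair and one Azure connection per uplink IP, exactly one connection should be Connected, and it must be the one terminating on the uplink of the MX that is currently active. The following check is an added example written for this thread, not code from the original posts, Meraki or Microsoft. The uplink addresses, the LAN prefix and the connection names are constructed, the `status` strings mirror the Connected/NotConnected states the Azure portal shows for a connection but are taken here as plain inputs (nothing is queried), and the HA "active" value is assumed to come from whatever the operator already uses to tell which MX is live.

```python
"""Check an MX HA pair's per-uplink Azure VPN connections for the split-tunnel failure mode.

Added example for the thread above. All data below is constructed: uplink IPs are
documentation addresses, the LAN prefix and connection names are hypothetical, and
the status strings are assumed to match Azure's Connected / NotConnected wording.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AzureConnection:
    name: str          # Azure VPN connection name (hypothetical)
    peer_ip: str       # local network gateway address, i.e. one MX uplink IP
    status: str        # connection status as Azure reports it (assumed wording)
    prefixes: tuple    # local address prefixes configured for this peer


@dataclass(frozen=True)
class MxHaState:
    primary_uplink: str
    spare_uplink: str
    active: str        # "primary" or "spare"; source of truth is assumed external


def active_uplink(ha: MxHaState) -> str:
    """Uplink IP of the MX that is currently forwarding traffic."""
    return ha.primary_uplink if ha.active == "primary" else ha.spare_uplink


def candidate_peers(connections, destination):
    """Peers Azure currently holds a usable route for `destination` via.

    Azure installs a route for each local address prefix of every Connected
    connection, so two Connected tunnels advertising the same prefix give two
    candidates and the next hop for that prefix is no longer deterministic.
    """
    dst = ipaddress.ip_network(destination, strict=False)
    peers = []
    for c in connections:
        if c.status != "Connected":
            continue
        if any(dst.subnet_of(ipaddress.ip_network(p)) for p in c.prefixes):
            peers.append(c.peer_ip)
    return peers


def check_tunnels(ha: MxHaState, connections):
    """Return (ok, findings) for the invariant 'one Connected tunnel, on the active MX'."""
    findings = []
    want = active_uplink(ha)
    known = {ha.primary_uplink, ha.spare_uplink}

    for c in connections:
        if c.peer_ip not in known:
            findings.append(f"{c.name}: peer {c.peer_ip} is not an uplink of this HA pair")

    connected = [c for c in connections if c.status == "Connected"]
    if not any(c.peer_ip == want for c in connected):
        findings.append(f"no Connected tunnel terminates on the active MX uplink {want}")

    for c in connected:
        if c.peer_ip in known and c.peer_ip != want:
            findings.append(
                f"{c.name}: tunnel to the standby MX uplink {c.peer_ip} is Connected; "
                f"Azure may send traffic for {', '.join(c.prefixes)} to an MX that is not forwarding"
            )

    # Prefix-level view: any prefix reachable through more than one Connected tunnel
    # is exactly the 'route table is messed up' condition from the thread.
    for p in sorted({p for c in connected for p in c.prefixes}):
        peers = candidate_peers(connections, p)
        if len(peers) > 1:
            findings.append(f"{p}: reachable via {len(peers)} Connected tunnels ({', '.join(peers)})")

    return (not findings, findings)


# Constructed scenario data (documentation IP ranges, hypothetical names).
HA = MxHaState(primary_uplink="203.0.113.10", spare_uplink="203.0.113.11", active="primary")
LAN = ("10.10.0.0/16",)


def scenario(mx1_status, mx2_status):
    return [
        AzureConnection("conn-mx1", HA.primary_uplink, mx1_status, LAN),
        AzureConnection("conn-mx2", HA.spare_uplink, mx2_status, LAN),
    ]


HEALTHY = scenario("Connected", "NotConnected")   # primary active, only its tunnel up
BOTH_UP = scenario("Connected", "Connected")      # the state reported in the thread

if __name__ == "__main__":
    for label, conns in (("healthy", HEALTHY), ("both tunnels up", BOTH_UP)):
        ok, findings = check_tunnels(HA, conns)
        print(f"{label}: {'OK' if ok else 'PROBLEM'}")
        for f in findings:
            print("  -", f)
```

The check is deliberately one-directional: it tells you the Azure side is ambiguous, it does not fix it. On a real deployment the `status` and `active` inputs would be filled from the Azure connection status and from whichever MX the dashboard reports as active, and a failing result is the cue to bring down the standby's connection on the Azure side (or to move to the shared virtual uplink IP with a single connection, as WillN describes) rather than to keep both tunnels up.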