MX in WarmSpare doesn't trigger failover when only LAN link is down

Solved
MirzaDz
Getting noticed

Hello,

We have 2 MXs in Warm Spare. Each MX has a connection to ISP-1, and both MXs can talk on the LAN. When I unplug the LAN cable on the primary MX, the secondary stops receiving VRRP messages and promotes itself to active/master. It continues processing LAN traffic but it doesn't process WAN traffic. The primary MX still has its WAN connection, so I have 2 masters in the dashboard and a problem with connections coming from outside. Does anyone know why the MX doesn't fail over fully so that the secondary takes responsibility for LAN and WAN traffic? Can you give some advice?

 

Best regards,

1 Accepted Solution
Ryan_Miles
Meraki Employee

The path to MX1 is through MX2

 

Screenshot 2024-11-10 at 08.07.08.png

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.


16 Replies 16
RWelch
A model citizen

MX Warm Spare - High-Availability Pair has a troubleshooting section towards the bottom that might assist you.  Not sure if you have already read this or are following the suggested implementation practices.

MirzaDz
Getting noticed

Hello,

Yes, I know the troubleshooting and I know that the spare doesn't receive VRRP messages. I know about the design, but what I want to say is that if the LAN connection on the primary MX fails, or the switch or switches the primary is connected to, we don't have full failover. The documentation says that when it stops receiving heartbeats it will become active. It still becomes active, but the active one also stays active because it has WAN online. If I need to explain more please let me know.

Ryan_Miles
Meraki Employee

VRRP only occurs on the LAN side of the MX. Do you have redundant links between the MXs and the Switch(es)? If you only have a single LAN link from each MX you'd want to add another to provide some redundancy.

Ryan

MirzaDz
Getting noticed

Hello,

Yes, I have redundant links, but I unplug both LAN links, and the situation is as I described above. Both MXs are master because both have access to the cloud; only one MX loses its LAN cables. I am curious whether there is a mechanism so that, if LAN communication is down, that MX goes into standby instead of staying in the master state.

Ryan_Miles
Meraki Employee

The only option at that point is to connect the MXs to each other directly so there's a remaining path for VRRP.

 

Example

Ryan

MirzaDz
Getting noticed

Hello,

I need a little clarification regarding this, please. If I provide a direct path for VRRP on LAN 3 on both MXs (LAN 1 and LAN 2 connected to the stack), then when LAN 1 and LAN 2 are disconnected VRRP messages will flow through LAN 3, and how will failover be triggered in this case?

Ryan_Miles
Meraki Employee

VRRP is sent on all links and all VLANs. So yes, in that example of losing LAN 1 & 2 LAN 3 would still carry VRRP packets between the MXs and keep MX1 as primary and MX2 as spare.

 

Traffic flow of clients downstream would be from the switch up to MX2 then over to MX1 as that would still be the primary unit in the HA pair.

Ryan

MirzaDz
Getting noticed

Hello,

Thank you for your answer. So if I understand correctly, the secondary MX2 will start to answer on the LAN virtual MAC address even though it is in the spare state?

Ryan_Miles
Meraki Employee

If the MXs are directly connected to each other MX1 would remain primary and therefore retain answering to the virtual MAC.

Ryan

MirzaDz
Getting noticed

Hello,

OK, but MX1 loses its LAN connections to the stack. So traffic from clients pointing at the LAN virtual MAC address doesn't have a path to MX1, if I understand correctly.

Ryan_Miles
Meraki Employee

The path to MX1 is through MX2

 

Screenshot 2024-11-10 at 08.07.08.png

Ryan
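
A simplified model of the three topologies discussed in this thread (normal, MX1 LAN cut, MX1 LAN cut with a direct MX-to-MX link), added here as an illustration; it is not part of any post and not Meraki's election logic. It assumes the primary stays active while its WAN is up and the spare promotes itself when no LAN-side path delivers the primary's heartbeats; the node names and the `evaluate` function are hypothetical.

```python
from collections import deque

def bfs(links, src):
    """Map every node reachable from src over L2 links to its BFS parent."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent

def evaluate(links):
    """Return (active units, client path from the switch to the unit it reaches)."""
    # Assumption: MX1 (primary) stays active while its WAN is up; MX2 (spare)
    # promotes itself only when no LAN-side path delivers MX1's heartbeats.
    heartbeats_arrive = "MX1" in bfs(links, "MX2")
    active = ["MX1"] if heartbeats_arrive else ["MX1", "MX2"]
    parent = bfs(links, "switch")
    # Clients behind the switch reach the first active unit with an L2 path.
    node = next((mx for mx in active if mx in parent), None)
    hops = []
    while node is not None:
        hops.append(node)
        node = parent[node]
    return active, hops[::-1]

# Constructed topologies: LAN-side links only, WAN assumed up on both units.
NORMAL = [("switch", "MX1"), ("switch", "MX2")]
MX1_LAN_CUT = [("switch", "MX2")]
MX1_LAN_CUT_DIRECT = [("switch", "MX2"), ("MX2", "MX1")]

if __name__ == "__main__":
    for name, links in [("normal", NORMAL), ("MX1 LAN cut", MX1_LAN_CUT),
                        ("MX1 LAN cut, direct MX-MX link", MX1_LAN_CUT_DIRECT)]:
        active, hops = evaluate(links)
        state = "dual master" if len(active) > 1 else "single master"
        print(f"{name}: {state}, active={active}, client path={' -> '.join(hops)}")
```

The model covers only the LAN side; what happens to inbound WAN and AutoVPN traffic during the dual-master state is outside what it represents.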

GreenMan
Meraki Employee

How do you have the setup cabled?

MirzaDz
Getting noticed

Hello,

Both MXs have redundant cables to one of the stack members.

GreenMan
Meraki Employee

Why remove two cables in a failover test?   I don't know of anyone who designs for two simultaneous and separate failures.   I wouldn't worry about the active : active status of both MXs if the (usual) primary is entirely disconnected from the LAN - it can't confuse the clients, in that scenario.   But you said the (usual) spare MX is not carrying user traffic, even though it's now active and communicating over the WAN...?

MirzaDz
Getting noticed

Hello,

I agree about designs for 2 simultaneous failures. But in theory it is possible. Anyway, maybe some people have just 1 switch for LAN communication; maybe in that case it makes more sense, and they want to avoid STP so they connect just one link. Anyway, when this scenario happened, in the portal both HA members became master. The spare member started to reply on its LAN interface, but spoke communication going through AutoVPN stopped working when this happened (active loses LAN connections).

Edu_Chico
Here to help

Do you have any diagram of that network connection?
