MX v19 test Primary and Secondary IPsec VPN Tunnels

QuentinL
Just browsing

Hello guys,

Have any of you tried out the new MX v19 release to get automatic failover between primary and secondary IPSec VPN tunnels?

Linked to this documentation: https://documentation.meraki.com/MX/Site-to-site_VPN/Primary_and_Secondary_IPsec_VPN_Tunnels

We are using IPSec peers for our proxy SaaS solution; all internet flows are going through the tunnel.
Today we are playing with the tags to perform a manual failover, so we have been waiting for this feature for a long time.

We've tried it on MX67 with MX 19.1.9 version, but we encountered some issues.

By default, we have our two IPSec peers and it's working well:

[Screenshot: QuentinL_0-1752225983763.png]

To simulate a failover, we create an ACL on the switch side to block traffic to the primary peer.
After that, we can see that the primary peer goes down:

[Screenshot: QuentinL_1-1752227302309.png]

But if we check with a packet capture on the IPSec VPN interface, we see the packets going out through the VPN, but we do not receive any return packets.

I don't think it's an issue with our proxy SaaS solution, because the manual failover is working as expected.

Have you encountered the same issue?


Thanks
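The symptom described above (packets leaving through the tunnel toward the primary peer, nothing coming back) can be confirmed from the capture itself rather than by eye. The script below is an added example, not code from the original post or from Meraki: it parses tcpdump-style text lines, counts IKE/ESP packets per peer and per direction, and reports any peer the appliance is sending to without ever receiving a reply. The WAN address, the two peer addresses and the capture lines are all constructed for the example.

```python
import re

# Constructed addresses (RFC 5737 documentation ranges): the appliance's WAN IP
# and the two IPsec peers. Replace with the real values when running on a capture.
MX_WAN_IP = "203.0.113.10"
PEERS = {"primary": "198.51.100.1", "secondary": "198.51.100.2"}

# Constructed capture excerpt in tcpdump text format (not real data).
# The primary peer only ever appears as a destination; the secondary peer answers.
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: parent_sa ikev2_init[I]
10:15:01.000200 IP 203.0.113.10.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x0000aaaa,seq=0x1), length 132
10:15:02.000100 IP 203.0.113.10.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x0000aaaa,seq=0x2), length 132
10:15:02.000300 IP 203.0.113.10.4500 > 198.51.100.2.4500: UDP-encap: ESP(spi=0x0000bbbb,seq=0x1), length 132
10:15:02.000400 IP 198.51.100.2.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0000cccc,seq=0x1), length 116
10:15:02.000500 IP 198.51.100.2.53 > 203.0.113.10.40000: UDP, length 60
"""

# "<timestamp> IP <src>.<sport> > <dst>.<dport>: <payload>"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: (.*)$"
)


def classify_capture(text, mx_ip=MX_WAN_IP, peers=PEERS):
    """Count IKE (isakmp) and ESP packets per peer, split into tx (from the MX)
    and rx (to the MX). Returns {peer_name: {"tx": n, "rx": n}}."""
    by_ip = {ip: name for name, ip in peers.items()}
    counts = {name: {"tx": 0, "rx": 0} for name in peers}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, payload = m.groups()
        # Only tunnel control/data traffic matters here; skip anything else.
        if "isakmp" not in payload and "ESP" not in payload:
            continue
        if src == mx_ip and dst in by_ip:
            counts[by_ip[dst]]["tx"] += 1
        elif dst == mx_ip and src in by_ip:
            counts[by_ip[src]]["rx"] += 1
    return counts


def one_way_peers(counts):
    """Peers the appliance transmits to but never hears back from."""
    return sorted(name for name, c in counts.items() if c["tx"] > 0 and c["rx"] == 0)


if __name__ == "__main__":
    result = classify_capture(SAMPLE_CAPTURE)
    for name, c in result.items():
        print(f"{name}: tx={c['tx']} rx={c['rx']}")
    print("one-way peers (no return traffic):", one_way_peers(result))
```

Run against a real `tcpdump -n` text export (or the text form of a Dashboard capture) with the addresses adjusted, the output separates "the peer is unreachable, nothing comes back" from "the tunnel is up but the return path is blocked elsewhere", which is the distinction the thread is trying to make between a routing/failover problem on the appliance and a problem on the SaaS side.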

alemabrahao
Kind of a big deal

There are known issues with routing and failover in non-Meraki VPNs:

Re: New MX 19.1.9 stable release candidate: fixes MX75 becoming unresponsiv... - The Meraki Communit...

Known issues

  • During the upgrade process, MX appliances upgrading from version prior to MX 19 may experience a failure to properly classify traffic. This issue will be resolved once the appliance has completed the upgrade to MX 19. (MX-36307)
  • Due to an issue under investigation, MX appliances may incorrectly route traffic destined to subnets learned through eBGP over a Non-Meraki VPN connection. (MX-34803)
  • When failover is configured between non-Meraki VPN tunnels, the Route Table page on Dashboard may incorrectly show the route for the primary VPN tunnel is inactive. (MX-36316)
  • During the upgrade process, MX appliances upgrading from versions prior to MX 19 will experience a failure to connect to non-Meraki VPN peers if any VPN peer names contain a space. This issue will be resolved once the appliance has completed the upgrade to MX 19. (MX-36312)
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
QuentinL
Just browsing

Seems to be only a display error?
"When failover is configured between non-Meraki VPN tunnels, the Route Table page on Dashboard may incorrectly show the route for the primary VPN tunnel is inactive. (MX-36316)"

The device is already in v19.1.9

alemabrahao
Kind of a big deal

This is what the release notes indicate.
