MX100 - Primary uplink misconfiguration?
I am troubleshooting issues with slow client VPN (300kb!) and site to site VPN (1-4 mbps) speeds.
WAN 1 is our Internet connection.
Port 2 on the firewall feeds a distribution switch.
In SDWAN & Traffic Shaping > Uplink Selection, the primary uplink is set to WAN2.
But Appliance Status > Uplink does not show that WAN2 was configured - though it does have a button "Convert port 2 to primary WAN". Also, the WAN is listed as "Ready", not Active.
There is no internal documentation; I have no idea why it was set up like this.
From what I have read, with this configuration all Internet traffic will be trying to exit from port 2 - which is not an internet connection, so it will then fail over to WAN 1?
Is this a misconfig, or am I missing something?
Would I be correct to change the Primary uplink to WAN 1 and disable Active-Active Auto VPN?
Will changing the Primary uplink to WAN 1 disrupt outgoing Internet traffic, or will users not even notice?
Are you using L2TP or Anyconnect?
Are you using split tunnel?
Please, if this post was useful, leave your kudos and mark it as solved.
We are using L2TP and split tunnel.
Try disabling the split tunnel.
Thank you, I will test that this afternoon.
Since we do not have a WAN 2 - should I also change the Primary uplink to WAN 1?
Yep
Disabling the split tunnel did not help.
For your environment, yes, I would change the Primary uplink setting to say WAN 1, as you're not using/don't have a WAN2 even configured. That might resolve the ready vs. active issue. I've never tried a config like you have, so I'm not sure if it produces that UI anomaly. I see some (maybe all) spokes are also configured like this, so you probably want to fix them all.
The active/active AutoVPN piece shouldn't really matter as you don't have more than 1 WAN. You could set it to disable if you want, but it shouldn't be having any effect anyway.
From this MX (and downstream APs) the cloud speedtests are showing me 170+Mbps. So, it doesn't appear you have a general WAN link issue.
For the site to site speed issues: I see the MX mentioned is the hub and there are 24 peers. At which locations are you seeing speed issues? All, some?
Thank you Ryan!
Updating the Primary uplink changed the WAN 1 status to "Active".
I have also updated the Primary uplink on our remote firewalls.
For the site to site - I've tested 6 sites; for the rest, we received reports of slowness.
I stopped testing because downloading and uploading the same file yielded the same results on all 6 - hub>peer=2mb average, and peer>hub=1mb average.
I ran a test last night having PDQ push the same file to various machines over the site to site VPN.
Sending to 1 machine, it was a 2mb speed.
2 machines was about a 1mb speed.
4 machines was just under 500kb speed.
If I deploy the same file to 4 local machines, speed is 7-8mbps each.
Is it possible the site to site VPN is only allowing 2mb of bandwidth?
What do you have on this screen:
And lower down on the same page, what do you have here?
Uplink Config
And the rest of it...
With regard to Windows and L2TP - there is a known Microsoft bug at the moment that significantly affects performance. It came out in an update around (maybe) early June. It has been noted by many that installing Wireshark (and doing nothing else) resolves the issue.
I have seen a lot of customers instead migrate to AnyConnect, as this is not the first time Microsoft has damaged the client VPN with updates. AnyConnect also has additional functionality, like being able to authenticate against Office 365.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance
Thank you for the tip about MS being the cause! I will try the Wireshark workaround as a temp fix.
I had started looking at AnyConnect earlier in the year, getting a quote for licenses now.
Can you measure the performance using iPerf between two sites? It might be that you don't have a network issue, but an SMB tuning issue.
https://iperf.fr/iperf-download.php
Also, is the firmware running a stable (or better) release?
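
An added example, not part of the thread or any poster's own code: one way to read the iPerf test suggested above, comparing `iperf3 -J` runs taken with 1, 2 and 4 parallel streams (`-P`) across the site to site VPN. The sample results are constructed, and the function names and the 25% tolerance are assumptions. A flat aggregate points at a shared limit on the tunnel path; an aggregate that scales with stream count points at a per-connection limit such as latency or SMB tuning.

```python
import json

def fake_run(per_stream_bps):
    """Build a constructed iperf3 -J document, trimmed to the fields read below."""
    return json.dumps({
        "end": {
            "streams": [{"receiver": {"bits_per_second": b}} for b in per_stream_bps],
            "sum_received": {"bits_per_second": sum(per_stream_bps)},
        },
    })

# Constructed samples (bits/s): the total stays flat vs. each stream keeps its rate.
FLAT = [fake_run([2e6]), fake_run([1e6] * 2), fake_run([0.5e6] * 4)]
SCALING = [fake_run([2e6]), fake_run([2e6] * 2), fake_run([2e6] * 4)]

def summarize(raw):
    """Return (stream_count, aggregate_mbps) for one iperf3 JSON result."""
    doc = json.loads(raw)
    if "error" in doc:  # iperf3 reports a failed run in a top-level "error" field
        raise ValueError("iperf3 run failed: " + doc["error"])
    end = doc["end"]
    return len(end["streams"]), end["sum_received"]["bits_per_second"] / 1e6

def classify(runs, tolerance=0.25):
    """Compare the runs with the fewest and the most parallel streams."""
    points = sorted(summarize(r) for r in runs)
    (n_lo, agg_lo), (n_hi, agg_hi) = points[0], points[-1]
    if n_lo == n_hi or agg_lo <= 0:
        return "inconclusive"
    growth = agg_hi / agg_lo   # how much the total actually grew
    ideal = n_hi / n_lo        # growth expected if every stream kept its rate
    if growth <= 1 + tolerance:
        return "shared-cap"      # total is pinned: shaping or tunnel throughput
    if growth >= ideal * (1 - tolerance):
        return "per-flow-limit"  # each connection is limited on its own
    return "mixed"

if __name__ == "__main__":
    for name, runs in (("flat", FLAT), ("scaling", SCALING)):
        print(name, [summarize(r) for r in runs], classify(runs))
```
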
I downloaded iPerf and will work on testing tonight.
Our hub is an MX100, and the spokes are MX64/67.
All are up to date, running FW 18.107.2.
