Meraki

Community

MX100 - Primary uplink misconfiguration?

YellowKLR
Here to help
‎Jul 19 2023 8:37 AM
‎Jul 19 2023 8:37 AM

MX100 - Primary uplink misconfiguration?

I am troubleshooting issues with slow client VPN (300kb!) and site to site VPN (1-4 mbps) speeds. 

WAN 1 is our Internet connection. 
Port 2 on the firewall feeds a distribution switch. 

 

In SDWAN & Traffic Shaping > Uplink Selection, the primary uplink is set to WAN2. 

But Appliance Status > Uplink does not show that WAN2 was configured - though it does have a button "Convert port 2 to primary WAN". Also, the WAN is listed as "Ready", not Active. 

 

There is no internal documentation, I have no idea why it was set up like this. 

From what I have read, with this configuration all Internet traffic will be trying to exit from port 2 - which is not an internet connection, so it will then fail over to WAN 1?

 

Is this a misconfig, or am I missing something?

Would I be correct to change the Primary uplink to WAN 1 and disable Active-Active Auto VPN?

Will changing the Primary uplink to WAN 1 disrupt outgoing Internet traffic, or will users not even notice?

 

MerPriUplink.jpgMerWAN1.jpg

 

 

0 Kudos
14 Replies 14
alemabrahao
Kind of a big deal
‎Jul 19 2023 8:44 AM
‎Jul 19 2023 8:44 AM

Are you using L2TP or Anyconnect?

 

Are you using split tunnel?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
YellowKLR
Here to help
‎Jul 19 2023 8:47 AM
‎Jul 19 2023 8:47 AM

We are using L2TP and split tunnel. 

0 Kudos
In response to YellowKLR
alemabrahao
Kind of a big deal
‎Jul 19 2023 9:00 AM
‎Jul 19 2023 9:00 AM

Try disabling the split tunnel.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
YellowKLR
Here to help
‎Jul 19 2023 9:07 AM
‎Jul 19 2023 9:07 AM

Thank you, I will test that this afternoon. 

 

Since we do not have a WAN 2 - should I also change the Primary uplink to WAN 1?

0 Kudos
In response to YellowKLR
alemabrahao
Kind of a big deal
‎Jul 19 2023 9:28 AM
‎Jul 19 2023 9:28 AM

Yep

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
YellowKLR
Here to help
‎Jul 19 2023 10:34 AM
‎Jul 19 2023 10:34 AM

Disabling the split tunnel did not help. 

0 Kudos
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jul 19 2023 9:15 AM
‎Jul 19 2023 9:15 AM

For your environment yes I would change the Primary uplink setting to say WAN 1 as you're not using/don't have a WAN2 even configured. That might resolve the ready vs. active issue. I've never tried a config like you have so I'm not sure if it produces that UI anomaly. I see some (maybe all) spokes also are configured like this. So you probably want to fix them all.

 

The active/active AutoVPN piece shouldn't really matter as you don't have more than 1 WAN. You could set it to disable if you want, but it shouldn't be having any effect anyway.

 

From this MX (and downstream APs) the cloud speedtests are showing me 170+Mbps. So, it doesn't appear you have a general WAN link issue.

 

For the site to site speed issues. I see the MX mentioned is the hub and there are 24 peers. At which locations are you seeing speed issues? All, some?

In response to Ryan_Miles
YellowKLR
Here to help
‎Jul 19 2023 10:16 AM
‎Jul 19 2023 10:16 AM

Thank you Ryan!

Updating the Primary uplink changed the WAN 1 status to "Active". 
I have also updated the Primary uplink on our remote firewalls. 

For the site to site - I've tested 6 sites, the rest we received reports of slowness. 
I stopped testing because downloading and uploading the same file yielded the same results on all 6 - hub>peer=2mb average, and peer>hub=1mb average.

I ran a test last night having PDQ push the same file to various machines over the site to site VPN. 

Sending to 1 machine, it was a 2mb speed.

2 machines was about a 1mb speed. 

4 machines was just under 500kb speed. 

If I deploy the same file to 4 local machines, speed is 7-8mbps each. 

 

Is it possible the site to site VPN is only allowing 2mb of bandwidth?

0 Kudos
In response to YellowKLR
cmr
Kind of a big deal
Kind of a big deal
‎Jul 19 2023 1:15 PM
‎Jul 19 2023 1:15 PM

What do you have on this screen:

cmr_0-1689797678533.png

And lower down on the same page, what do you have here?

cmr_1-1689797737084.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
YellowKLR
Here to help
‎Jul 21 2023 9:32 AM
‎Jul 21 2023 9:32 AM

Uplink Config

YellowKLR_1-1689956944824.png

And the rest of it...

YellowKLR_2-1689957067651.png

 

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 19 2023 1:35 PM
‎Jul 19 2023 1:35 PM

With regard to Windows and L2TP - there is a known Microsoft bug at the moment that significantly affects performance.  It came out in an update around (maybe) early June.  It has been noted by many that installing WireShark (and doing nothing else) resolves the issue.

I have seen a lot of customers instead migrate to AnyConnect, as this is not the first time Microsoft has damaged the client VPN with updates.  AnyConnect also has additional functionality, like being able to authenticate against Office 365.

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance 

In response to PhilipDAth
YellowKLR
Here to help
‎Jul 21 2023 10:44 AM
‎Jul 21 2023 10:44 AM

Thank you for the tip about MS being the cause! I will try the WireShark workaround as a temp fix. 

I had started looking at AnyConnect earlier in the year, getting a quote for licenses now.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jul 19 2023 1:37 PM
‎Jul 19 2023 1:37 PM

Can you measure the performance using iPerf between two sites?  It might be that you don't have a network issue, but an SMB tuning issue.

https://iperf.fr/iperf-download.php 

 

Also, is the firmware running a stable (or better) release?

In response to PhilipDAth
YellowKLR
Here to help
‎Jul 21 2023 11:20 AM
‎Jul 21 2023 11:20 AM

I downloaded iPerf and will work on testing tonight, 

Our hub is an MX100, and the spokes are MX64/ 67. 
All are up to date, running FW 18.107.2.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.