MX100 as VPN Concentrator behind a HA Firewall fails after failover event.

Here to help


Hello All.


We are investigating an odd behaviour and I wanted to reach out to see if anyone is seeing similar issues.

We have an MX100 as a one-arm concentrator for our topology. This MX100 is behind a High Availability firewall pair that does 1:1 NAT for this MX100.

When we fail over from physical Firewall 1 to Firewall 2, the MX100 stops working and says "Bad internet, disabled Gateway".

If we then change the external address, the device works again, but if we fail back to Firewall 1 the device stops working again.

We have a lot of services running behind this firewall and they all work.

Any Ideas?

Kind of a big deal

On your HA pair, do you have a virtual IP setup? Is your MX pointing at that VIP or is it pointing directly to the IP of one of the fw?

Yes, there is a Virtual IP set up on the firewalls. The firewalls are in sync and both keep track of sessions.


Kind of a big deal

Okay. When you say change the external address, is that the outside address on your 1:1 NAT?

Yes, exactly the outside address of the 1:1.

Kind of a big deal

This sounds like a failure of UDP NAT. Are the HA firewalls syncing the UDP NAT table?

I'm suspecting something like this, some kind of error on the UDP tunnels. The strange thing is that the Uplink Status is shown as Active, yet we have a "Bad Internet, Gateway disabled" message.

But the tunnels do not reconnect unless a bigger change happens, like an IP address change.
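The UDP NAT suggestion above can be verified directly rather than inferred from dashboard status: AutoVPN runs over UDP, so what matters is whether the firewall pair presents the same translated address and port for the concentrator's UDP flow before and after a failover. The script below is an added example, not code from the thread or from Meraki. It is a minimal STUN-style "reflector" plus a client: the reflector replies with the source IP:port it observed, and the client probes from one fixed local port so that observations taken before and after the failover are comparable. Both halves are constructed here and run on loopback; in practice the reflector would be placed outside the firewall and the client on the inside interface, and the `PROBE` payload and `ip:port` reply format are arbitrary choices of this example.

```python
"""Check whether the UDP translation seen from outside stays stable across a failover.

Constructed example: a tiny UDP reflector echoes back the source address it saw,
and a client probes it from a fixed local port. Run the check once before and
once after the firewall failover; if the reported (ip, port) differs, the HA pair
is not preserving the UDP NAT state for that flow.
"""
import socket
import threading

PROBE = b"nat-probe"  # arbitrary probe payload (assumption of this example)


def encode_reflection(addr):
    """Reflector side: render the observed source address as 'ip:port' bytes."""
    ip, port = addr
    return f"{ip}:{port}".encode()


def decode_reflection(payload):
    """Client side: parse the reflector's 'ip:port' reply."""
    ip, port = payload.decode().rsplit(":", 1)
    return ip, int(port)


def start_reflector(bind=("127.0.0.1", 0)):
    """Start a UDP reflector in a background thread; returns (address, stop_fn)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    sock.settimeout(0.2)  # short timeout so the thread notices the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, src = sock.recvfrom(512)
            except socket.timeout:
                continue
            if data == PROBE:
                # Reply with the address as seen on the outside of any NAT.
                sock.sendto(encode_reflection(src), src)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname(), stop.set


def observe_mapping(client, reflector_addr, timeout=2.0):
    """Send one probe from `client` and return the (ip, port) the reflector saw."""
    client.settimeout(timeout)
    client.sendto(PROBE, reflector_addr)
    data, _ = client.recvfrom(512)
    return decode_reflection(data)


def mapping_changed(before, after):
    """True if the translated address or port differs between two observations."""
    return before != after


def check_stability(reflector_addr, client_port=0, samples=3):
    """Probe several times from one socket; returns (stable, observations).

    Use a fixed client_port for the before/after runs so the firewall sees the
    same inside flow both times, mirroring the concentrator's fixed UDP source.
    """
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.bind(("", client_port))
    try:
        seen = [observe_mapping(client, reflector_addr) for _ in range(samples)]
    finally:
        client.close()
    stable = all(not mapping_changed(seen[0], s) for s in seen[1:])
    return stable, seen


if __name__ == "__main__":
    addr, stop = start_reflector()
    ok, obs = check_stability(addr)
    stop()
    print("mapping stable" if ok else "MAPPING CHANGED", obs)
```

Run the client half before the failover, record the reported `(ip, port)`, fail over, and run it again from the same local port; a changed port (or a reply that never arrives) points at NAT state that was not carried to the second firewall, which matches the symptom of tunnels only recovering after an address change.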
