MX84 with two internet links. One in failed state, but transmitting

SOLVED
Pablo_
Conversationalist

Hello, 

I have an MX84, two internet links (100Mbps each). WAN2 shows as Active, WAN1 as failed. 

Both are configured with static IP addresses, and worked when tested with the same addresses from a laptop connected directly to the ISP.

 

Pablo__1-1590682829427.png

What is strange is that a traceroute from the MX will show the correct path when tested with each uplink. WAN1 (in failed state) will show the expected next hop and the ISP's internal hosts. Those will be different from WAN2.

Pablo__3-1590683058516.png

 

Hourly testing is configured in SD-WAN, and both links show packet loss near 0% (WAN1 shows 100% until it was plugged in, of course).

 

Pablo__0-1590682688727.png

 

The route table shows:

Pablo__4-1590683144372.png

 

The configuration is below. Clearly, traffic can flow on that interface, but status will not change to Active, and I suspect this means it will not send client traffic through it (it is configured to load balance).

 

I've restarted already. Any ideas?

 

Thank you,

Pablo

 

Pablo__2-1590682848004.png

 

7 REPLIES 7
cmr
Kind of a big deal

The failed state means that it cannot reach the primary monitored IP (8.8.8.8 in your case).  If you add another monitoring IP that you can reach over that link and make that primary it will show as active.

 

cmr_0-1590683789347.png

 

Pablo_
Conversationalist

Hello, and thank you for your message.

 

The traceroute shows the MX can reach 8.8.8.8 with either link, and in each case going through the ISP assigned to that link.

 

I've added 172.217.10.142 (one of google.com's addresses), and I get the same results: I can run a traceroute from the MX, each one goes a different route and through the ISP connected to each link, but WAN1 remains in failed state.

 

The historical data seems to show that 8.8.8.8 is reachable for both connections too:

 

Pablo__0-1590692432915.png

 

Thank you,


Pablo

 

PhilipDAth
Kind of a big deal

The ping test to 8.8.8.8 is not used for detecting failure. It is only used for monitoring. This is the failover logic:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo... 

 

Is the DNS configured on the failed WAN port correct and working?

Pablo_
Conversationalist

You nailed it. I trusted the ISP DNS servers instead of going with Cloudflare.

 

Once I set 1.1.1.1, the DNS test succeeded and the link became active. The link you added was very useful in understanding the process.

 

Thank you!

 

Pablo
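
A resolver check to pair with the laptop test from the first post, as an added example that is not part of the thread and is not Meraki's own connection-monitoring test: it sends one A-record query straight to each resolver and reports whether a usable answer came back. The hostname `example.com` and the address `192.0.2.53` (a documentation-range placeholder for the ISP-assigned resolver) are assumptions; `1.1.1.1` is the resolver named in the thread.

```python
import os
import socket
import struct

def build_query(name, qid):
    """Encode a recursive A-record query for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_reply(data, qid):
    """Return (usable, reason) for a raw reply to the query with id `qid`."""
    if len(data) < 12:
        return False, "truncated header"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "not a response"
    rcode = flags & 0x000F
    if rcode != 0:
        return False, f"rcode {rcode}"  # e.g. 2 = SERVFAIL, 5 = REFUSED
    if ancount == 0:
        return False, "no answers"
    return True, f"{ancount} answer(s)"

def check_resolver(server, name="example.com", timeout=2.0):
    """Query `server` directly over UDP/53, bypassing the OS resolver settings."""
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            data, _ = sock.recvfrom(512)
        except OSError as exc:  # timeouts and unreachable-network errors land here
            return False, f"no reply ({exc})"
    return parse_reply(data, qid)

if __name__ == "__main__":
    # 192.0.2.53 is a placeholder for the ISP resolver; 1.1.1.1 is from the thread.
    for server in ("192.0.2.53", "1.1.1.1"):
        ok, reason = check_resolver(server)
        print(f"{server}: {'OK' if ok else 'FAIL'} ({reason})")
```

Run it from the laptop while it is connected directly to the ISP handoff, so the queries leave through the uplink whose DNS settings are in question.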

Nash
Kind of a big deal

Ooh, glad you got it, but yeah. Never trust your ISP DNS unless you've absolutely got to for some reason.

 

Hint: Haven't met a reason yet.

Nash
Kind of a big deal

If adding an additional IP for monitoring doesn't bring it up, you may also need to contact your ISP. Some ISPs will lock static IPs to MAC addresses, and take forever to time it out of the ARP table on their device.

Unfortunately, using a laptop to troubleshoot can make that timeout process last even longer. Still a very good troubleshooting step!

Pablo_
Conversationalist

Thank you, guys. I'll let it run for a bit with the new target IP. So far it's testing fine on both, but remains in failed state.

Will try to force traffic through the one marked as failed with an SD-WAN policy too.

 

Best,

 

Pablo
