Meraki

Community

MX84 with two internet links. One in failed state, but transmitting

Solved
Pablo_
Conversationalist
‎May 28 2020 9:26 AM
‎May 28 2020 9:26 AM

MX84 with two internet links. One in failed state, but transmitting

Hello, 

I have an MX84, two internet links (100Mbps each). WAN2 shows as Active, WAN1 as failed. 

Both are configured with static IP addresses, and worked when tested with the same addresses from a laptop connected directly to the ISP.

 

Pablo__1-1590682829427.png

What is strange, is that a traceroute from the MX will show the correct path when tested with each uplink. WAN1 (in failed state), will show the expected next hop and the ISPs internal hosts. Those will be different from WAN2.

Pablo__3-1590683058516.png

 

Hourly tested is configured in SD-WAN, and both links show packet loss near 0% (WAN1 shows 100% until it was plugged in, of course)

 

Pablo__0-1590682688727.png

 

The route table shows:

Pablo__4-1590683144372.png

 

The configuration is below. Clearly, traffic can flow on that interface, but status will not change to Active, and I suspect this means it will not send client traffic through it (it is configured to load balance).

 

I've restarted already. Any ideas?

 

Thank you,

Pablo

 

Pablo__2-1590682848004.png

 

0 Kudos
1 Accepted Solution
In response to cmr
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 29 2020 12:12 AM
‎May 29 2020 12:12 AM

The ping test to 8.8.8.8 is not used for detecting failure.  It is only used for monitoring.  These is the failover logic:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo... 

 

Is the DNS configured on the failed WAN port correct and working?

View solution in original post

7 Replies 7
cmr
Kind of a big deal
Kind of a big deal
‎May 28 2020 9:34 AM
‎May 28 2020 9:34 AM

The failed state means that it cannot reach the primary monitored IP (8.8.8.8 in your case).  If you add another monitoring IP that you can reach over that link and make that primary it will show as active.

 

cmr_0-1590683789347.png

 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to cmr
Pablo_
Conversationalist
‎May 28 2020 12:00 PM
‎May 28 2020 12:00 PM

Hello, and thank you for your message.

 

The traceroute shows the MX can reach 8.8.8.8 with either link, and in each case going through the ISP assigned to that link.

 

I've added 172.217.10.142 (one of google.com's addresses), and i get the same results: I can run a traceroute from the MX, each one goes a different route and through the ISP connected to each link, but WAN1 remains in failed state.

 

The historical data seems to show that 8.8.8.8 is reachable for both connections too:

 

Pablo__0-1590692432915.png

 

Thank you,


Pablo

 

0 Kudos
In response to cmr
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 29 2020 12:12 AM
‎May 29 2020 12:12 AM

The ping test to 8.8.8.8 is not used for detecting failure.  It is only used for monitoring.  These is the failover logic:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo... 

 

Is the DNS configured on the failed WAN port correct and working?

In response to PhilipDAth
Pablo_
Conversationalist
‎May 29 2020 4:49 AM
‎May 29 2020 4:49 AM

You nailed it. I trusted the ISP DNS servers instead of going with Cloudflare.

 

Once I set 1.1.1.1, the DNS test succeeded and the link became active. The link you added was very useful in understanding the process.

 

Thank you!

 

Pablo

In response to Pablo_
Nash
Kind of a big deal
‎May 29 2020 6:49 AM
‎May 29 2020 6:49 AM

Ooh, glad you got it, but yeah. Never trust your ISP DNS unless you've absolutely got to for some reason.

 

Hint: Haven't met a reason yet.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
Nash
Kind of a big deal
‎May 28 2020 11:55 AM
‎May 28 2020 11:55 AM

If adding an additional IP for monitoring doesn't bring it up, you may also need to contact your ISP. Some ISPs will lock static IPs to mac addresses, and take forever to time it the arp table on their device.

Unfortunately, using a laptop to troubleshoot can make that timeout process last even longer. Still a very good troubleshooting step!

Windows 10 Client VPN scripts: Makes life better!
In response to Nash
Pablo_
Conversationalist
‎May 28 2020 12:34 PM
‎May 28 2020 12:34 PM

Thank you, guys. I'll let it run for a bit with the new target IP. So far it's testing fine on both, but remains in failed state.

Will try to force traffic through the one marked as failed with an SD-WAN policy too.

 

Best,

 

Pablo

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.