Meraki MX-250 HA pair and Azure VPN Gateways IPSEC failover.

SOLVED
GP185
Here to help

Meraki MX-250 HA pair and Azure VPN Gateways IPSEC failover.

Hi Team,

 

Can you please help me to understand whether or not this topology would work?

The idea is configure 2x seperate IPSEC VPN tunnels on Azure VPN gateway (each would have a relevant destination VIP per ISP)  and have only one Tunnel configured on the MX-250 with destination IP being VPN gateway public IP.

What I don't understand in case of WAN1 (ISP1) failure - direct or indirect, would the tunnel automatically re-build with WAN2 source IP or not?

 

GP185_0-1653647442855.png

 

 

 

1 ACCEPTED SOLUTION

I have tried to organize the information.

 

A VPN to a Non-Meraki peer establishes a VPN tunnel at the Primary Uplink (e.g. WAN1).
When the Primary Uplink on the Meraki MX side goes down, the Secondary Uplink (e.g. WAN2) establishes a VPN tunnel.

 

The important point is...
The Meraki MX side is the starting point. Azure VPN Gateway listens for the establishment of VPN tunnels from Meraki MX.
This is because the decision of whether to tunnel VPN from WAN1 or WAN2 is on the Meraki MX side.
And a VPN tunnel to Non-Meraki Peer can only be established with one Uplink.
So, when the Primary Uplink (Control Connection) failover from WAN1 to WAN2, the VPN tunnel also failover.

Therefore, the Azure VPN Gateway is like preparing multiple receptacles for the Local Network Gateway.

View solution in original post

12 REPLIES 12
MyHomeNWLab
A model citizen

First, the tunnel to Azure VPN Gateway uses Non-Meraki Site-to-site VPN.
With that in mind, failover of Non-Meraki Site-to-site VPN will need to be implemented by script.

 

[related documents]

Configuring Site to Site VPN tunnels to Azure VPN Gateway - Cisco Meraki
https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site_to_Site_VPN_tunnels_to_Azure_V...

 

Tag-Based IPsec VPN Failover - Cisco Meraki
https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

> Code
> The below code is for reference only. Meraki support does not assist with scripting.

Thanks a lot - I saw this example. I was trying to do something a little bit different though - configure just one single tunnel on Meraki MX with Destination IP being Azure VPN Gateway in Region 1. On the Azure VPN Gateway configure two seperate IPSEC tunnels with different destination IPs - one with destination IP of the Left MX WAN1 and the second one with Destination IP of Left MX WAN2. If WAN1 fails or ISP1 fails - MX will detect this using DPD and start initiating IPSEC tunnel over WAN2. Azure VPN gateway should accept the request as the second tunnel was pre-configured. Hope that makes sense.

Thanks for the additional information.
I think a network design without failover script is a good idea.

 

I did a quick verification and it seems to be Failover from WAN1 to WAN2.

This is really simple verified information since it is a single Spoke (Non Warm-Spare)

Thanks, how did you manage to verify this? 

Does it mean that IPSEC tunnel on the MX is not tied to a specific WAN interface - it will use whatever is available at the moment with WAN1 being the preferred? I could not find any configuration setting that would specify source interface for the IPSEC NON-Meraki tunnel. 

ww
Kind of a big deal
Kind of a big deal

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

 

"Non-Meraki VPN connections are established using the primary Internet uplink.  In the event the primary uplink fails, the VPN connection will use the secondary Internet uplink. Keep in mind that the 3rd party peer will need the appropriate configuration for the IP address of the secondary uplink if failover occurs. The primary uplink settings are found under Security & SD-WAN > Configure > SD-WAN & traffic shaping > Uplink selection > Global preferences > Primary uplink."

GP185
Here to help

Thank you! 

So does it mean IPSEC failover to secondary WAN2 will work with Azure VPN Gateway? Did anyone try this?

If we configure 2 x different IPSEC tunnels on Azure VPN gateway with different destination IPs (one per ISP), and only one IPSEC tunnel from MX to Azure VPN Gateway, when failover from WAN1 to WAN2 occurs would the tunnel be re-established over the secondary ISP? 

I have tried to organize the information.

 

A VPN to a Non-Meraki peer establishes a VPN tunnel at the Primary Uplink (e.g. WAN1).
When the Primary Uplink on the Meraki MX side goes down, the Secondary Uplink (e.g. WAN2) establishes a VPN tunnel.

 

The important point is...
The Meraki MX side is the starting point. Azure VPN Gateway listens for the establishment of VPN tunnels from Meraki MX.
This is because the decision of whether to tunnel VPN from WAN1 or WAN2 is on the Meraki MX side.
And a VPN tunnel to Non-Meraki Peer can only be established with one Uplink.
So, when the Primary Uplink (Control Connection) failover from WAN1 to WAN2, the VPN tunnel also failover.

Therefore, the Azure VPN Gateway is like preparing multiple receptacles for the Local Network Gateway.

Thanks mate! So I understand Meraki would re-establish IPSEC over WAN2 and as long as 2 tunnels are pre-configured on Azure VPN gateway - we should be fine

Just in case, I verified it again.
I will share information.

 

[MX Settings]
Non-Meraki VPN Peers: To Azure Gateway Address

 

01_MX_設定.jpg

 

 

[Addressing]
MX WAN1: 121.1.#.# (PPPoE IPCP)
MX WAN2: 202.225.#.# (PPPoE IPCP)

Azure VPN Gateway: 202.210.#.#

 

02_Meraki_正常時_筐体の状態.jpg

 

 

[Status: WAN1 Up & WAN2 Up]

This is a normal situation.

 

03_Meraki_正常時_トンネルの状態.jpg

 

04_Azure_VPN_Gateway_正常時.jpg

 

Azure VPN Gateway establishes a VPN tunnel only on the WAN1 side.

 

05_Local_GW_for_MX_WAN1.jpg

 

06_Local_GW_for_MX_WAN2.jpg

 

 

 

[Status: WAN1 Down & WAN2 Up]

This is a situation in the event of a WAN1 failure.

 

07_Meraki_異常時_筐体の状態.jpg

 

08_Meraki_異常時_トンネルの状態.jpg

 

09_Azure_VPN_Gateway_異常時.jpg

 

Azure VPN Gateway failover from WAN1 to WAN2.

Thanks so much, mate! It's amazing! I really appreciate your time for setting up the scenario and sharing the results! It's brilliant!

So, I realize this thread it way old, but this is the only example online I can find.

 

Trying to implement what was done above, and Azure complains about the overlapping subnet on the local network gateways and won't allow the 2nd connection to be added.

 

Was there some trick for adding this in Azure, or did they change it so that it is no longer possible?

Disregard.  Found a config error on the Azure side.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels