Hi, TAC has answered me. They don't see the issue as a bug but an expected result. Surprisingly, they state the bgp-learnt prefixes at the hub from the AZ RS are considered BGP routes at the spoke sites even when they learn them over AutoVPN tunnels. Great! It makes no sense, they are AutoVPN learnt routes at spoke sites, it is supposed they are not running BGP. I'm aware they do behind the scenes, once you enable BGP in one hub, an ibgp session is established with all other hubs and its spokes.
They also said we have two ways to solve the issue. One is forgetting dynamic routing at Azure side and configuring local routes. No way, I could split every Azure /24 real prefix into 2x /25s. Fine. The problem is these prefixes are not removed from the network even when the vMX is stopped or fails. Another great!
The other option is a recent deployment in 19.X. Now you can run bgp inside Non-Meraki IPSec tunnels. Fine, AZ VPN GW also supports it. Good advance from Meraki. I will test it. However, according to the Meraki document, only AS-path prepend on egress and weight attribute are supported. Why not Lpref???? The former does not solve the on-prem MX route decision process issue, it works for the other traffic direction. Weight... maybe. Meraki does not say what value is the default between 0-49. They only say the higher the value, the higher the preference. In case default value is not 0, I could try setting 0 for IPSec tunnels (from the dashboard I can't configure any weight for autovpn prefixes (local or bgp originated)). This way it could work... or not.
Assuming they consider bgp-originated AutoVPN routes as bgp routes, I hope they would consider bgp-originated IPSec routes as BGP and not IPSec to maintain its rare route decision algorithm consistency. This way it could compare weights from both paths. Or maybe, provided even weight does not work and it is the same for both paths, MX decides to choose autovpn instead of ipsec for Az same mask prefixes. In AZ it is not possible to manipulate prefix at egress nor in RS nor AZ VPN GW and as-path would be the same for both paths as RS and VPN GW must be running ibgp themselves.
In case all this does not work, in order to ensure an automatic BU for AutoVPN tunnel with an IPSec tunnel I guess it could only be done by Meraki behind the scenes.
If not, I'm afraid two vMX or manual backup with someone accessing the dashboard in case vMX fails.
I can understand mine could be a corner case. However, route decision is not properly designed. And local prefixes permanently present in the network regardless of its state is even worse.
Regards.