Multiple MX's in different networks but the same organisation on the same ISP subnet

Solved
Pugmiester
Building a reputation

Hi all,

Before I go completely bonkers, can I run a question by you all to see if I'm in fact trying something impossible.

We have an existing MX HA setup on site that's happily running and providing SD-WAN links to an expanding number of our offices, but we are looking to move some third party IPSec VPN links over to our Meraki infrastructure as well. To help separate out the traffic from our SD-WAN (we don't need everyone to know about the links, they are for single local services), we're following this article - https://www.willette.works/merging-meraki-vpns/. It makes sense and I've got most of the infrastructure up and running with the exception of the primary WAN link. I'm trying to use 3 additional IPs from our available public subnet, but the IPSec MXs seem to not want to use them and keep falling back to WAN2. They are part of the same public subnet assigned to interfaces on the HA MXs and I'm half thinking this is the cause. I'm not seeing any errors, but they just don't seem to want to use the primary WAN connection.

There's a mention in the article about needing a separate organisation for the VPN link to avoid any VPN subnet overlaps but the impression I got from this was avoiding overlaps between third party subnet and a subnet on the SD-WAN but it's not clear.

Can anyone confirm if this should be possible or am I going to have to look at a separate organisation?

1 Accepted Solution
BrechtSchamp
Kind of a big deal

That shouldn't be an issue. The overlap would be an issue if you have identical subnets on the LAN side.

The fallback is triggered when an MX can't reach the cloud on its primary connection. The connection check process is described here:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

Maybe going through that gives you an idea.

Are you using any 1:1 NAT on your HA pair?

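The accepted answer points at the uplink connection check as the thing to inspect when an MX keeps falling back to WAN2. The following is an added example, not code from the thread or from Meraki: it takes a constructed JSON sample shaped like the Meraki Dashboard API organization uplink statuses response (the field names `serial`, `uplinks`, `interface`, `status`, `ip`, `gateway` and the status values `active`/`ready`/`failed` are assumptions based on that API; the addresses are documentation ranges) and flags every MX whose WAN1 is not the active uplink while WAN2 is. For each flagged device it also records whether the WAN1 address and gateway sit inside the shared ISP subnet and, since the thread was resolved by moving to the lower half of the range, which half of that subnet the address falls in.

```python
import ipaddress
import json

# Constructed sample (not a real API capture). Shape follows the Meraki
# Dashboard API uplink-statuses response as an assumption; addresses are
# RFC 5737 documentation ranges.
SAMPLE_UPLINK_STATUSES = json.dumps([
    {"serial": "HA-MX-PRIMARY", "model": "MX250", "networkId": "N_sdwan",
     "uplinks": [
         {"interface": "wan1", "status": "active",
          "ip": "203.0.113.10", "gateway": "203.0.113.1"},
         {"interface": "wan2", "status": "ready",
          "ip": "198.51.100.10", "gateway": "198.51.100.1"}]},
    {"serial": "IPSEC-MX-1", "model": "MX68", "networkId": "N_ipsec",
     "uplinks": [
         # WAN1 uses an address from the upper half of the ISP /24 and has
         # failed its connection check, so the MX has fallen back to WAN2.
         {"interface": "wan1", "status": "failed",
          "ip": "203.0.113.200", "gateway": "203.0.113.1"},
         {"interface": "wan2", "status": "active",
          "ip": "198.51.100.20", "gateway": "198.51.100.1"}]},
    {"serial": "IPSEC-MX-2", "model": "MX68", "networkId": "N_ipsec2",
     "uplinks": [
         {"interface": "wan1", "status": "active",
          "ip": "203.0.113.20", "gateway": "203.0.113.1"},
         {"interface": "wan2", "status": "ready",
          "ip": "198.51.100.30", "gateway": "198.51.100.1"}]},
])

# The public range the ISP assigned to the site (constructed value).
ISP_SUBNET = ipaddress.ip_network("203.0.113.0/24")


def subnet_half(addr, subnet):
    """Return 'lower' or 'upper' depending on which half of `subnet`
    the address sits in, or 'outside' if it is not in the subnet."""
    ip = ipaddress.ip_address(addr)
    if ip not in subnet:
        return "outside"
    lower, _upper = subnet.subnets(prefixlen_diff=1)
    return "lower" if ip in lower else "upper"


def find_fallbacks(statuses_json, isp_subnet=ISP_SUBNET):
    """Flag devices whose WAN1 is not active while WAN2 is, i.e. the
    primary uplink failed its connection check and the MX fell back."""
    findings = []
    for device in json.loads(statuses_json):
        by_iface = {u["interface"]: u for u in device.get("uplinks", [])}
        wan1, wan2 = by_iface.get("wan1"), by_iface.get("wan2")
        if wan1 is None or wan2 is None:
            continue  # single-uplink device, nothing to fall back to
        if wan1["status"] != "active" and wan2["status"] == "active":
            findings.append({
                "serial": device["serial"],
                "wan1_status": wan1["status"],
                "wan1_ip": wan1["ip"],
                "wan1_in_isp_subnet": ipaddress.ip_address(wan1["ip"]) in isp_subnet,
                "wan1_gateway_in_isp_subnet": ipaddress.ip_address(wan1["gateway"]) in isp_subnet,
                "wan1_half": subnet_half(wan1["ip"], isp_subnet),
            })
    return findings


if __name__ == "__main__":
    for f in find_fallbacks(SAMPLE_UPLINK_STATUSES):
        print(f"{f['serial']}: wan1 {f['wan1_status']} on {f['wan1_ip']} "
              f"({f['wan1_half']} half of {ISP_SUBNET}), fell back to wan2")
```

Feed it the real response from the organization uplink statuses endpoint instead of the constructed sample and the `wan1_half` field makes the pattern from this thread visible at a glance: if every device that fell back is using an address from one half of the ISP range while the healthy ones use the other, the upstream split Pugmiester describes is the first thing to check before the MX configuration itself.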
Pugmiester
Building a reputation

Thanks for confirming. That's what I was hoping.

I'll run through the connection check docs to confirm what I can see.

We do have some 1:1 NAT on the HA pair for some locally hosted services, but I've confirmed there are no overlapping addresses. The 2 IPs (will be a third for HA once I get basic comms working) are free of any other configuration and I don't think we have ever used them.
Pugmiester
Building a reputation

OK, that's really strange. The internet connection troubleshooting sent me down a particular path and I remembered that many years ago, the subnet we had from our ISP was split into two halves, with one half being NAT'd on our old Checkpoint firewall and the second half of the subnet routed through the Checkpoint. No idea how, I never saw the config.

However, switching to 3 IP addresses in the original lower half of the range has the MXs happy again. It's bizarre, as there are services using the upper half without issues.

But anyway, we are up and running.
BlakeRichardson
Kind of a big deal

@Pugmiester we run exactly what you are wanting: multiple MXs on the same ISP subnet with different LANs.
