Hi all,
Before I go completely bonkers, can I run a question by you all to see if I'm in fact trying something impossible.
We have an existing MX HA setup on site that's happily running and providing SD-WAN links to an expanding number of our offices, but we are looking to move some third-party IPSec VPN links over to our Meraki infrastructure as well. To help separate out the traffic from our SD-WAN (we don't need everyone to know about the links; they are for single local services), we're following this article: https://www.willette.works/merging-meraki-vpns/. It makes sense and I've got most of the infrastructure up and running, with the exception of the primary WAN link. I'm trying to use 3 additional IPs from our available public subnet, but the IPSec MXs seem to not want to use them and keep falling back to WAN2. They are part of the same public subnet assigned to interfaces on the HA MXs, and I'm half thinking this is the cause. I'm not seeing any errors, but they just don't seem to want to use the primary WAN connection.
There's a mention in the article about needing a separate organisation for the VPN link to avoid any VPN subnet overlaps, but the impression I got from this was that it means avoiding overlaps between the third-party subnet and a subnet on the SD-WAN. It's not clear.
Can anyone confirm if this should be possible or am I going to have to look at a separate organisation?
That shouldn't be an issue. The overlap would be an issue if you have identical subnets on the LAN side.
The fallback is triggered when an MX can't reach the cloud on its primary connection. The connection check process is described here:
Maybe going through that gives you an idea.
Are you using any 1:1 NAT on your HA pair?
@Pugmiester we run exactly what you are wanting: multiple MXs on the same ISP subnet with different LANs.