NAT Mode Warm Spare (NAT HA) - Meraki MX can't switch Master Role when it detects a broken link.

Solved
buiphe
Here to help


Sorry, my English is not good!

[WarmSpare.png]

Model as shown; I do not use a direct connection.

The hypothesis is that when the link between the MX Master and the Core SW is deliberately broken, the result is a "Dual Master" condition on the two MX devices.

In the test, when the Master lost its WAN connection (the two ISPs are different between the MX Primary and the Spare), or failed over (power-off), the MX Spare became the "current master". In fact, sometimes both MX devices are still working normally, but the link from the MX Master to the Core SW is interrupted; the local LAN still has normal internet, because at that point traffic goes through the MX Spare, but the VPN connection was unsuccessful, because the site-to-site VPN connection between the MX Branch and HQ was still on the Primary MX.

VRRP, as configured on other network devices, supports a "tracking" feature on the interface, but I found that Meraki does not support this feature.

1 Accepted Solution
ccnewmeraki
Getting noticed

You should not have ISP1 going into MX1 and ISP2 into MX2.

The HA pair functionality is not designed to work like this.

ISP1 should go into WAN1 on both devices.

ISP2 should go into WAN2 on both devices.

You can then configure WAN2 as either "load balanced" or "standby (failover)" in Security Appliance > Traffic Shaping in Dashboard.

This is stated in the HA pair documentation (perhaps not as clearly as it could be):

"If the primary appliance is using a secondary uplink, the secondary uplink should also be in place on the warm spare."
https://documentation.meraki.com/MX-Z/Other_Topics/Warm_Spare

The other thing you can do with both ISPs going into both appliances is configure a virtual IP on both WANs, which will reduce the impact of a failover.

10 Replies
AjitKumar
Head in the Cloud

Hi

Your screenshot is not visible.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
buiphe
Here to help

I just edited

AjitKumar
Head in the Cloud

Hi

I believe you should have a direct connection between MXes.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
buiphe
Here to help

The problem is, I want to simulate a broken downstream connection - the port on the MX or SW is broken or the cable is bitten by a mouse.
AjitKumar
Head in the Cloud

Hi

I too have observed inconsistency in this topology for a client of mine. Thereafter I have been using a direct connection. I never tried this topology again.

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
buiphe
Here to help

Thanks for the answer 

I tried configuring the virtual IP on both WANs, and the test seems to have been as successful as expected: internet and VPN were active again after 1-3 timeouts.

As you say, if you use ISP1 for WAN1 of both MXs, the modem (a PPPoE dial-up router in NAT router mode) will link to the two MX devices, connected at Layer 2. I will configure a virtual IP as you said.

I don't know whether the topology above, with the same WAN for the two devices, is correct?

But for the above architecture, the VPN tunnel configuration will go through a NAT device (the PPPoE dial-up router), so do I need to configure NAT-T on the VPN tunnel?

 

MRCUR
Kind of a big deal

How many static IPs does your ISP provide you? In a NAT HA setup with a virtual IP, you actually need three public IPs: one for each MX plus the VIP.

 

Are you able to put your upstream modem in bridge mode so the MX devices can handle NAT? That would be the preferred setup when using NAT HA mode on the MX devices. 

MRCUR | CMNO #12
buiphe
Here to help

The solution using your 3 static IPs is nice. I think it's good with bridge mode.

But I only have PPPoE dial-up. Your bridge solution has a problem I'm not sure about: the two MX devices would be configured with the same PPPoE username and password (using two different devices, with one in bridge mode?). I do not know if this is possible, and I do not know enough to understand whether this makes sense or not. Note that at any one time only one MX device works.

MRCUR
Kind of a big deal

Ah, I didn't realize this was a PPPoE setup. I think you are right that in this case it would not work for the MX devices to be doing the PPPoE unless your ISP allows multiple connections under the same account (which is very unlikely). 

 

In MX NAT HA with a VIP configured, both of the MX devices are active with their WAN IPs, but the VIP is only active on the primary MX. So you will likely need a router/modem in front of the MX devices. It may be possible to put the MX devices in a DMZ from the router's perspective, however, which would get you close to bridge mode but still have PPPoE working.

MRCUR | CMNO #12
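The two rules the thread converges on (ccnewmeraki: every uplink the primary uses must exist, with the same ISP, on the same WAN port of the spare; MRCUR: with a virtual IP each uplink needs three distinct addresses in the ISP subnet, and the VIP is only ever live on the current primary) are easy to get wrong when cabling a pair by hand. The script below is an added example, not code from the original posts or from Meraki: it checks a planned cabling and addressing scheme against both rules and, when clean, emits the request body for the Dashboard warm-spare endpoint. The payload keys (`enabled`, `spareSerial`, `uplinkMode`, `virtualIp1`, `virtualIp2`) are my reading of that endpoint and are an assumption; the serial and all addresses are constructed sample data (TEST-NET blocks), and nothing is sent over the network. RFC 1918 addresses are reported as warnings rather than errors because of MRCUR's PPPoE fallback, where the MXs sit behind a router in DMZ mode.

```python
"""Sanity-check a Meraki MX NAT-mode warm spare plan and build the API body.
Added example (not from the thread, not Meraki's code). Field names in the
payload and all sample data are assumptions/constructed; nothing is sent."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

RFC1918 = [IPv4Network("10.0.0.0/8"), IPv4Network("172.16.0.0/12"),
           IPv4Network("192.168.0.0/16")]


@dataclass
class UplinkAddressing:
    isp: str
    subnet: str      # ISP-assigned block, e.g. "203.0.113.0/29"
    gateway: str
    primary_ip: str  # the primary MX's own WAN IP
    spare_ip: str    # the spare MX's own WAN IP (always up, even when spare)
    vip: str         # floats to whichever unit is currently primary


def check_cabling(primary_ports, spare_ports):
    """Rule 1: each WAN port in use on the primary carries the same ISP on the spare."""
    problems = []
    for port, isp in primary_ports.items():
        spare_isp = spare_ports.get(port)
        if spare_isp is None:
            problems.append(f"{port}: primary uses {isp}, spare has nothing on {port}")
        elif spare_isp != isp:
            problems.append(f"{port}: primary uses {isp}, spare uses {spare_isp}")
    return problems


def check_addressing(port, u):
    """Rule 2: three distinct addresses inside the subnet, none equal to the gateway.
    RFC 1918 addresses are only a warning: behind a PPPoE router in DMZ mode they
    are expected, but that router must forward traffic to the VIP."""
    problems, warnings = [], []
    net = IPv4Network(u.subnet, strict=False)
    gateway = IPv4Address(u.gateway)
    roles = {"primary": IPv4Address(u.primary_ip),
             "spare": IPv4Address(u.spare_ip),
             "vip": IPv4Address(u.vip)}
    if len(set(roles.values())) != 3:
        problems.append(f"{port}: primary, spare and VIP must be three distinct addresses")
    for role, addr in roles.items():
        if addr not in net:
            problems.append(f"{port}: {role} {addr} is outside {net}")
        if addr == gateway:
            problems.append(f"{port}: {role} {addr} is the gateway")
        if any(addr in n for n in RFC1918):
            warnings.append(f"{port}: {role} {addr} is RFC 1918; needs an upstream DMZ/forward")
    return problems, warnings


def plan_warm_spare(spare_serial, primary_ports, spare_ports, addressing):
    """Apply both rules; return problems, warnings and (only if clean) the API body."""
    problems = check_cabling(primary_ports, spare_ports)
    warnings = []
    for port, isp in primary_ports.items():
        u = addressing.get(port)
        if u is None:
            problems.append(f"{port}: no VIP addressing supplied for {isp}")
            continue
        if u.isp != isp:
            problems.append(f"{port}: addressing is for {u.isp} but the port carries {isp}")
        p, w = check_addressing(port, u)
        problems.extend(p)
        warnings.extend(w)
    payload = None
    if not problems:
        # Assumed key names for the Dashboard warm-spare endpoint.
        payload = {"enabled": True, "spareSerial": spare_serial, "uplinkMode": "virtual"}
        for port, key in (("wan1", "virtualIp1"), ("wan2", "virtualIp2")):
            if port in primary_ports:
                payload[key] = addressing[port].vip
    return {"problems": problems, "warnings": warnings, "payload": payload}


# Constructed sample data: TEST-NET blocks and a made-up serial.
ADDRESSING = {
    "wan1": UplinkAddressing("ISP1", "203.0.113.0/29", "203.0.113.1",
                             "203.0.113.2", "203.0.113.3", "203.0.113.4"),
    "wan2": UplinkAddressing("ISP2", "198.51.100.0/29", "198.51.100.1",
                             "198.51.100.2", "198.51.100.3", "198.51.100.4"),
}
CORRECT_PORTS = {"wan1": "ISP1", "wan2": "ISP2"}  # identical on both MXs
OP_PRIMARY_PORTS = {"wan1": "ISP1"}               # ISP1 into MX1 only ...
OP_SPARE_PORTS = {"wan1": "ISP2"}                 # ... ISP2 into MX2 only

if __name__ == "__main__":
    broken = plan_warm_spare("Q2XX-XXXX-XXXX", OP_PRIMARY_PORTS, OP_SPARE_PORTS, ADDRESSING)
    print("OP topology:", broken["problems"])
    fixed = plan_warm_spare("Q2XX-XXXX-XXXX", CORRECT_PORTS, CORRECT_PORTS, ADDRESSING)
    print("both ISPs on both MXs:", fixed["payload"], fixed["warnings"])
```

Run as-is it rejects the original poster's cabling (one ISP per appliance) and accepts the corrected plan with a VIP on each WAN. The checks run entirely offline; the returned `payload` is what you would hand to the warm-spare API call (or compare against what Dashboard shows) once the addressing has been confirmed with the ISP.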