Need to have IPsec tunnel failover from primary to secondary

AmitPanchal
Getting noticed


We have configured the secondary tunnel on the non-Meraki IPsec VPN peer, but when we configured health monitoring on the Meraki VPN peer it shows as down. We need to know how we can configure VPN tunnel failover if either ISP on the other end goes down.

6 Replies
alemabrahao
Kind of a big deal

Hi, take a look at the documentation.

https://documentation.meraki.com/MX/Site-to-site_VPN/Primary_and_Secondary_IPsec_VPN_Tunnels

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

The above answer is my preferred solution. This is my second preferred solution.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

AmitPanchal
Getting noticed

Thanks Alessandro for the document. But when we configure a health check, it will only run if the firewall is in passthrough mode. We are using the firewall in routed mode. So will our health check work?
alemabrahao
Kind of a big deal

The health checks for tunnel monitoring do work in Routed mode, not just in Passthrough mode.

The health check probe is sourced from the MX's WAN interface, even in Routed mode.

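The failover behaviour this thread is asking about, as an added illustration that is not Meraki's code and does not claim to be the dashboard's actual algorithm: a monitor that marks a peer down only after several consecutive probe failures and back up only after consecutive successes, so that one dropped probe (for example to 8.8.8.8, as TAC suggested below) does not flap traffic between the primary and secondary tunnel. The thresholds, the constructed probe log and the "none" result when both peers are down are assumptions of the example.

```python
"""Probe-driven primary/secondary tunnel selection with hysteresis.

Added illustration only: this is not Meraki code and the thresholds,
sample probe results and tie-break behaviour are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class TunnelMonitor:
    """Tracks one peer's health from a stream of probe results."""

    down_after: int = 3   # consecutive failures before the peer is marked down
    up_after: int = 2     # consecutive successes before it is trusted again
    healthy: bool = True
    _fails: int = field(default=0, init=False, repr=False)
    _oks: int = field(default=0, init=False, repr=False)

    def observe(self, probe_ok: bool) -> bool:
        """Feed one probe result; return the peer's health after dampening."""
        if probe_ok:
            self._oks += 1
            self._fails = 0
            if not self.healthy and self._oks >= self.up_after:
                self.healthy = True
        else:
            self._fails += 1
            self._oks = 0
            if self.healthy and self._fails >= self.down_after:
                self.healthy = False
        return self.healthy


class FailoverSelector:
    """Prefer the primary peer; use the secondary only while the primary is down."""

    def __init__(self, down_after: int = 3, up_after: int = 2) -> None:
        self.primary = TunnelMonitor(down_after, up_after)
        self.secondary = TunnelMonitor(down_after, up_after)
        self.active = "primary"

    def step(self, primary_ok: bool, secondary_ok: bool) -> str:
        """Update both monitors with this round's probes and pick the active peer."""
        p_healthy = self.primary.observe(primary_ok)
        s_healthy = self.secondary.observe(secondary_ok)
        if p_healthy:
            self.active = "primary"      # fail back as soon as primary is trusted again
        elif s_healthy:
            self.active = "secondary"
        else:
            self.active = "none"         # assumption: report an outage rather than guess
        return self.active


def simulate(probes: list[tuple[bool, bool]],
             down_after: int = 3, up_after: int = 2) -> list[str]:
    """Return the active peer after each (primary_ok, secondary_ok) probe round."""
    sel = FailoverSelector(down_after, up_after)
    return [sel.step(p, s) for p, s in probes]


# Constructed probe log (assumption): primary answers twice, then loses four
# probes in a row, then recovers; the secondary answers throughout.
SAMPLE_PROBES = [
    (True, True), (True, True),
    (False, True), (False, True), (False, True), (False, True),
    (True, True), (True, True), (True, True),
]

# A single lost probe must not move traffic at all.
FLAP_PROBES = [(True, True), (False, True), (True, True)]

if __name__ == "__main__":
    for round_no, active in enumerate(simulate(SAMPLE_PROBES), start=1):
        print(f"round {round_no}: active={active}")
```

With the defaults the primary is abandoned only on the third consecutive failure (round 5) and is reinstated only after two clean probes (round 8); the `FLAP_PROBES` sequence never leaves the primary. Tune `down_after` and `up_after` to the probe interval of the monitor you actually use.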
gmartine
Getting noticed

@alemabrahao health checks, in my opinion, are broken. I have the same situation as @AmitPanchal and I can't make them work. I opened a case and Meraki TAC suggested doing health checks with 8.8.8.8 🙂 For my current use case I am connecting an MX cluster to AWS. @alemabrahao, are you sure the health checks are sourced from the WAN IP even for an HA system with virtual IPs?

AmitPanchal
Getting noticed

Hi @alemabrahao, can we do the HTTP probe check against a private IP that is reachable through the tunnel, or do we have to do the HTTP probe against the public IP only?