Non-Meraki VPN Tunnel Failover Solution? - WAN1 (Local Internet) & WAN2 (MPLS)
I am attempting to set up internet redundancy at one of our sites but can't figure out a solution for an issue we are facing with non-Meraki VPN failover.
On the MX:
WAN1 = Local Internet
WAN2 = Existing MPLS connection (Internet egress on east coast)
We use Zscaler, so we have a non-Meraki VPN tunnel set up from the MX to Zscaler and tunnel all internet traffic to Zscaler. This works perfectly for WAN1, and even failover works perfectly when WAN1 and WAN2 are both local Internet connections. However, the issue I am facing at this specific site stems from WAN2 being an MPLS connection, and I can only get the tunnel to come up if I enter a Local ID in the Meraki site-to-site VPN settings (see picture). I think this is because on the MPLS connection I have an upstream NAT device (Palo) which is translating the internal IP of the Meraki WAN2 port to a public address.
WAN1 is primary and everything works fine. However, when we fail over to WAN2 the non-Meraki VPN tunnel to Zscaler never comes up, because that tunnel will only come up if I have the public NAT address added to the "Local ID" on the Meraki site-to-site VPN page.
Is there a solution or workaround to this? It doesn't appear there is a way to use a different non-Meraki tunnel for WAN1 and WAN2. Am I missing a way to make the non-Meraki tunnel establish over my MPLS connection without entering a "Local ID"?
What's the problem with entering the location ID? I'm just trying to understand.
Please, if this post was useful, leave your kudos and mark it as solved.
When setting up Non-Meraki VPN connections between two MXs in different organizations, make sure to populate the Remote ID field of the Non-Meraki VPN peer with the private IP address of the remote MX if all of the following conditions are met:
- The MXs are running firmware version MX 15 or higher.
- They do not use a User FQDN.
- They are connected behind an upstream NAT device.
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers
Please, if this post was useful, leave your kudos and mark it as solved.
The issue with entering the location ID is that when the tunnel fails over to WAN1 the non-Meraki tunnel will not come up, because WAN1 is local internet and is using a different public IP. Therefore it breaks all internet traffic when using WAN1 when the Local ID is populated.
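The identity mismatch described in this thread, modelled as an added example (not code from the thread, Meraki or Zscaler): it assumes that with no Local ID the MX presents its WAN interface address as its IKE identity, and that the peer accepts the tunnel only when the presented identity equals the public source address it has on file for the site. Addresses are constructed from documentation ranges.

```python
"""Which uplink can bring up the IKE tunnel for a given Local ID setting."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Uplink:
    name: str
    interface_ip: str  # address configured on the MX WAN port
    public_ip: str     # source address the VPN peer actually sees

    @property
    def behind_nat(self) -> bool:
        # An upstream device (the Palo on the MPLS leg) rewrites the source.
        return self.interface_ip != self.public_ip


def presented_ike_id(uplink: Uplink, local_id: Optional[str]) -> str:
    """Identity the MX sends during IKE authentication.
    Assumption: an empty Local ID falls back to the interface address."""
    return local_id if local_id else uplink.interface_ip


def peer_accepts(uplink: Uplink, local_id: Optional[str]) -> bool:
    """Assumption: the peer compares the presented identity with the
    public source address it expects for this site."""
    return presented_ike_id(uplink, local_id) == uplink.public_ip


def failover_matrix(uplinks: Iterable[Uplink],
                    local_id: Optional[str]) -> Dict[str, bool]:
    """Tunnel state per uplink for one static Local ID configuration."""
    return {u.name: peer_accepts(u, local_id) for u in uplinks}


def local_ids_covering_all(uplinks: Iterable[Uplink]) -> Set[Optional[str]]:
    """Static Local ID values (None = empty) that work on every uplink.
    An empty result means no single Local ID can survive failover."""
    uplinks = list(uplinks)
    candidates: Set[Optional[str]] = {None} | {u.public_ip for u in uplinks}
    return {c for c in candidates if all(peer_accepts(u, c) for u in uplinks)}


# Constructed sample site: WAN1 has a public address on the port,
# WAN2 has a private address that the upstream firewall translates.
WAN1 = Uplink("WAN1", "203.0.113.10", "203.0.113.10")
WAN2 = Uplink("WAN2", "10.20.30.2", "198.51.100.7")

if __name__ == "__main__":
    for local_id in (None, WAN2.public_ip):
        print(local_id, failover_matrix([WAN1, WAN2], local_id))
    print("IDs covering both uplinks:", local_ids_covering_all([WAN1, WAN2]))
```

Replacing WAN2 with a second directly connected Internet uplink makes the empty Local ID cover both, which matches the poster's observation that failover works when both WANs are local Internet.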
Unfortunately, because it's behind a NAT, I don't see any other option.
Any chance of configuring MPLS directly on WAN2?
Please, if this post was useful, leave your kudos and mark it as solved.
