Non Meraki VPN Tunnel Failover Solution? - WAN1(Local Internet) & WAN2(MPLS)

Bobble21
New here

I am attempting to set up internet redundancy at one of our sites but can't figure out a solution for an issue we are facing with Non-Meraki VPN failover.


On the MX....

WAN 1 = Local Internet

WAN2 = Existing MPLS connection (Internet egress on east coast)


We use Zscaler, so we have a Non-Meraki VPN tunnel set up from the MX to Zscaler and tunnel all internet traffic to Zscaler. This works perfectly for WAN1, and even failover works perfectly when WAN1 and WAN2 are both local Internet connections. However, the issue I am facing at this specific site stems from WAN2 being an MPLS connection: I can only get the tunnel to come up if I enter a Local ID in the Meraki site-to-site VPN settings (see picture). I think this is because on the MPLS connection I have an upstream NAT device (Palo) which is translating the internal IP of the Meraki WAN2 port to a public address.


WAN1 is primary and everything works fine. However, when we fail over to WAN2 the Non-Meraki VPN tunnel to Zscaler never comes up, because that tunnel will only come up if I have the public NAT address added to the "Local ID" on the Meraki site-to-site VPN page.

Is there a solution or workaround to this? It doesn't appear there is a way to use a different Non-Meraki tunnel for WAN1 and WAN2. Am I missing a way to make the Non-Meraki tunnel establish over my MPLS connection without entering a "Local ID"?


[attachment: meraki-reddit.jpg]

alemabrahao
Kind of a big deal

What's the problem with entering the location ID? I'm just trying to understand.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

When setting up Non-Meraki VPN connections between two MXs in different organizations, make sure to populate the Remote ID field of the Non-Meraki VPN peer with the private IP address of the remote MX if all of the following conditions are met:


The MXs are running firmware version MX 15 or higher.

They do not use a User FQDN.

They are connected behind an upstream NAT device.


https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers


The issue with entering the location ID is that when the tunnel fails over to WAN1 the Non-Meraki tunnel will not come up, because WAN1 is local internet and is using a different public IP. Therefore it breaks all internet traffic when using WAN1 when the Local ID is populated.
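The failover dilemma described in the two posts above comes down to how an IKE responder matches the initiator's identity (IDi). The following is an added illustration, not Meraki, Zscaler or Palo Alto code, and it models the responder check as an assumption: an address-type IDi must both match a configured peer and equal the packet's source address, while an FQDN-type IDi is matched by name only. The IP addresses are constructed from the RFC 5737 documentation ranges; the post gives none.

```python
"""Model of IKE identity matching across two WAN uplinks, one of them behind NAT.

Added example for the thread above. Not Meraki/Zscaler code: the responder
logic is an assumption that reproduces the behaviour the poster reports.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 ranges); the original post names no IPs.
WAN1_IP = "198.51.100.10"      # WAN1: local internet, public address is on the MX
WAN2_MX_IP = "10.20.30.2"      # WAN2: MX address on the MPLS side, private
WAN2_NAT_IP = "203.0.113.77"   # address the upstream Palo translates WAN2 to


@dataclass(frozen=True)
class IkeId:
    id_type: str   # IKEv2 identity types used here: "ID_IPV4_ADDR" or "ID_FQDN"
    value: str


def initiator_id(local_id: Optional[str], wan_ip: str) -> IkeId:
    """IDi the MX sends (assumed): its own WAN address as ID_IPV4_ADDR unless a
    Local ID is configured. A Local ID that is a dotted quad is sent as an
    address identity; anything else is treated as an FQDN identity."""
    if local_id is None:
        return IkeId("ID_IPV4_ADDR", wan_ip)
    parts = local_id.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return IkeId("ID_IPV4_ADDR", local_id)
    return IkeId("ID_FQDN", local_id)


def observed_source(wan: str) -> str:
    """Source address the responder sees. WAN2 traffic is rewritten by the NAT."""
    return WAN1_IP if wan == "WAN1" else WAN2_NAT_IP


def responder_accepts(idi: IkeId, src: str, peer_table: frozenset) -> bool:
    """Assumed responder policy: IDi must be a configured peer identity, and an
    address-type IDi must also equal the observed source address. A private WAN
    address behind NAT therefore never matches, and a Local ID pinned to one
    uplink's public address fails when the packets arrive from the other."""
    if idi not in peer_table:
        return False
    if idi.id_type == "ID_IPV4_ADDR" and idi.value != src:
        return False
    return True


# Peers the modelled responder knows about (constructed).
PEER_TABLE = frozenset({
    IkeId("ID_IPV4_ADDR", WAN1_IP),
    IkeId("ID_IPV4_ADDR", WAN2_NAT_IP),
    IkeId("ID_FQDN", "mx-site.example.com"),   # hypothetical FQDN identity
})


def failover_outcome(local_id: Optional[str], peer_table: frozenset = PEER_TABLE) -> dict:
    """Whether the tunnel comes up on each uplink for a given Local ID setting."""
    wan_ips = {"WAN1": WAN1_IP, "WAN2": WAN2_MX_IP}
    return {
        wan: responder_accepts(initiator_id(local_id, ip), observed_source(wan), peer_table)
        for wan, ip in wan_ips.items()
    }


if __name__ == "__main__":
    for setting in (None, WAN2_NAT_IP, "mx-site.example.com"):
        print(f"Local ID={setting!r}: {failover_outcome(setting)}")
```

Running it shows the trade-off from the thread: with no Local ID only WAN1 works, with the Local ID set to the NAT address only WAN2 works, and only an identity that is not tied to an address survives both uplinks. Whether the real peer accepts an FQDN identity for this tunnel is outside what the thread establishes.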

Unfortunately, because it's behind a NAT, I don't see any other option.


Any chance of configuring MPLS directly on WAN2?
