Packet loss on the remote site (full-tunnel) when the main site is in HA (VPN concentrator mode)

Solved
Thierno
Here to help


Hello everyone,
I am encountering a malfunction that I can't solve; I would appreciate it if someone could help me.

I am implementing a Meraki SD-WAN solution whose architecture is as follows:
Main site: 2 x MX250 in HA, in VPN Concentrator mode
Remote sites: in routed mode (full-tunnel)

The problem:
On the remote sites, I see significant packet loss (about 30%) when I ping 8.8.8.8, for example, or an IP located on the main site.
When I stop one of the two MX250s (so breaking the HA of the main site) or put the remote site in split-tunnel, I have no more packet loss on the remote sites.

Actions taken:
I changed the version to 15.43 and even tried the latest beta versions (16.9 and 16.10), but nothing helped.

Thanks for your help

 

1 Accepted Solution
Thierno
Here to help

Hello,

So good news: after opening a ticket, it was suggested that I install version 15.42.1 (I was told that it is a known problem on the versions I was using).

Since then, no more packet loss on remote sites.

Thanks @PhilipDAth and @ww

13 Replies
ww
Kind of a big deal

What is the device utilization on the MX250 when you have packet loss?

https://documentation.meraki.com/MX/Monitoring_and_Reporting/Device_Utilization#MX_Device_Utilizatio...

Are you using a VIP on the MX250? Can you try without the VIP?

Thierno
Here to help

Thanks in advance,

Yes I use a VIP.
When you are in Passthrough or VPN Concentrator mode, the warm spare can only be deployed with a VIP, unlike routed mode, where you have the two choices "use virtual uplink IPs" or "Use MX uplink IPs".

 

PhilipDAth
Kind of a big deal

At the main site, can the device in front of the MX250s doing the NAT ping the VIP address without issue?

PhilipDAth
Kind of a big deal

Also, whatever is providing the layer 3 gateway to the MX250s, can it ping the VIP address without issue?

Thierno
Here to help

Thanks in advance, PhilipDAth

Yes, no problem there either.
I tried two types of architecture (the MXs are directly connected to a firewall (Fortinet)).
The loss is really felt at the remote site.

PhilipDAth
Kind of a big deal

Does the Fortinet firewall show any traffic being blocked?


whistleblower
Building a reputation

Hi all,

 

Same on my side with 15.43. I'll give it a try and will upgrade to 15.43.1!

 

Thanks @Thierno for the information! 🙂

Thierno
Here to help

Hello,

I was using 15.43 when I encountered the problem.
It is by downgrading to 15.42.1 that I was able to solve the problem.
But now, on the Meraki dashboard, I can't find this version anymore.
If I understood correctly, 15.42.1 was the last stable version and today they are on version 15.44, so I think you can use that one.

whistleblower
Building a reputation

First I upgraded to version 15.43.1 -> no change, the issue still exists. Now I have changed to the stable one, which is 15.44 -> no change as well; the problem unfortunately still exists 😞

I'll open a case and check with the support team...

cmr
Kind of a big deal

@whistleblower do you not have the same selection as I have below (perhaps excluding IPv6 v17) where 15.42.3 is an option? 

 


 

If my answer solves your problem please click Accept as Solution so others can benefit from it.
whistleblower
Building a reputation

@cmr these options are available for my organization...

 

cmr
Kind of a big deal

@whistleblower that's interesting, on the one hand I can see you don't see the 15.42.3 option required, but on the other, you still have MS12.28.1 which is no longer an option for me.

 

It looks like Meraki maintain legacy stable versions in an organisation dashboard where they are upgrades, but not downgrades.  I have an MX HA pair as a VPN concentrator running 15.42, and you must have some 12.<28.1 switches...

 

In this case I'd ask support to apply 15.42.3 to your MX pair.

If my answer solves your problem please click Accept as Solution so others can benefit from it.