Problems with secondary VPN on MX100 and a forti

ReyesPolanco
Here to help

I have a small problem. I currently have a primary VPN configured that works properly. However, I wanted to configure a secondary VPN with the same parameters, and it starts up but doesn't establish communication with the segments on the Forti side. I've run Forti with debugs, and there doesn't seem to be any problem. Is this a limitation of Meraki compared to other vendors? It's worth mentioning that we're using two links on both sides, and the primary VPN works fine.

7 Replies
PhilipDAth
Kind of a big deal

When you say you are trying to establish a second VPN, I assume you mean to a different Fortinet firewall somewhere else?

You can only have a single VPN between a pair of devices.

GIdenJoe
Kind of a big deal

If you have 2 WANs on each side, wouldn't that be enough to create your secondary tunnel?
I know the intention of the feature is to work with 2 cloud entry points for any SASE solution but I'm just curious what would be the factor that prevents this from working.

ReyesPolanco
Here to help

I'm trying to set up two VPNs so that if WAN 1 goes down, WAN 2 will take over. However, when I simulate a WAN 1 outage, the secondary VPN comes back online but there's no traffic. Is this also not possible?

ffiol
Comes here often

Hello,

I believe that with Non-Meraki VPN, it is not supported to have two VPNs against the same peer that are active-passive.

alemabrahao
Kind of a big deal

Hi, actually you can do that today, and even perform a health check. Take a look at the documentation.

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

AlexP
Meraki Employee

This is half-correct: this can be done, but unfortunately, MX100s cannot run MX19 firmware, which is the minimum version needed for routed tunnels with health checks.

PhilipDAth
Kind of a big deal

I think I just got this. Are you trying to create a non-Meraki IPsec VPN from the WAN2 interface on the MX?

You can't do that. It always uses whatever the primary WAN interface is.

On the Fortinet side you can probably configure both VPNs, but only one will be up at a time.
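For readers who want to see what "configure both VPNs on the Fortinet side, but only one will be up at a time" looks like in practice, the following FortiGate CLI fragment is an added illustration written for this thread; it is not from any post above and not Meraki or Fortinet reference material. Tunnel names, subnets, the peer address and the pre-shared key are made-up placeholders. It uses the FortiOS backup-tunnel mechanism (`set monitor` on the second phase1-interface), so the "mx-backup" tunnel from wan2 is only negotiated while "mx-primary" from wan1 is down. Note the limitation the thread arrives at: the MX side keeps terminating the non-Meraki peer on its primary uplink, so this arrangement only covers a FortiGate wan1 outage and does nothing to make the MX100 fail over to its own WAN2.

```fortios
# Illustrative FortiGate configuration (hypothetical names and addresses).
# Both tunnels point at the same MX public address; only the interface differs.
config vpn ipsec phase1-interface
    edit "mx-primary"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 203.0.113.10
        set psksecret "replace-with-a-long-random-psk"
    next
    edit "mx-backup"
        set interface "wan2"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set remote-gw 203.0.113.10
        # Backup tunnel: brought up only while "mx-primary" is down
        set monitor "mx-primary"
        set psksecret "replace-with-a-long-random-psk"
    next
end
config vpn ipsec phase2-interface
    edit "mx-primary-p2"
        set phase1name "mx-primary"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
    edit "mx-backup-p2"
        set phase1name "mx-backup"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end
# Route the MX-side segment through both tunnel interfaces; the higher
# distance on the backup keeps it out of the routing table while the
# primary tunnel interface is up.
config router static
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "mx-primary"
        set distance 10
    next
    edit 0
        set dst 10.20.0.0 255.255.0.0
        set device "mx-backup"
        set distance 20
    next
end
```

Firewall policies permitting traffic to and from both tunnel interfaces are still required and are omitted here. Because the MX only answers on its primary uplink, a practitioner testing this should pull the FortiGate's wan1 rather than the MX's WAN1 to see the backup tunnel take over; pulling the MX's WAN1 reproduces the no-traffic symptom described in the thread.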
