Questions about VPN and NATs with 2x MX75 in HA pair

mvalpreda
Getting noticed

Questions about VPN and NATs with 2x MX75 in HA pair

I know how to set up the virtual IP address on the WAN side for 2x MX devices in HA - 1 public IP per device and another IP address for the virtual IP.

 

If I am using AnyConnect, where should the clients connect? The DNS name that comes up for the virtual IP address in the dashboard? 

 

Should there be [near] zero downtime with anything on the one-to-one or one-to-many NAT rules if there is a failover event?

7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal

The address that must be considered is that of the VIP. As for the time of the failover event, it is transparent to the user, it should lose a maximum of 2 or 3 pings.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

>The DNS name that comes up for the virtual IP address in the dashboard? 

 

Correct.  Otherwise the automatic certificate name won't match.

 

>Should there be [near] zero downtime with anything on the one-to-one or one-to-many NAT rules if there is a failover event?

 

No state is synced between the two MX.  When a failover happens, all connections are dropped and must be made again.  In the case of AnyConnect, users need to reconnect.

@PhilipDAth  I've already done several failover tests and I didn't have any problems, it was practically transparent, at most 2 or 3 pings were lost.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Try a long-running TCP connection, like a download.  You'll see that it fails.

 

But I agree, it is not noticeable for most things.  Userw mostly use their web browser these days and expect to just click reload.

Failover tests on the VPN? Or something else?

Tests on local LAN and S2S VPN. Client VPN is necessary to reconnect as mentioned by @PhilipDAth .

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thanks for that info.

One firewall rules for other one-to-one NATs, is that using a virtual MAC address between the two devices?

For instance, I have WAN for MX1, WAN for MX2, and then the VIP for that. I have other NAT rules for the rest of the /29 block - one of those being SIP.

Am I going to have a problem with upstream ARP cache? Or does it use a virtual MAC address like I read about?

Get notified when there are additional replies to this discussion.