Questions about VPN and NATs with 2x MX75 in HA pair
I know how to set up the virtual IP address on the WAN side for 2x MX devices in HA - 1 public IP per device and another IP address for the virtual IP.
If I am using AnyConnect, where should the clients connect? The DNS name that comes up for the virtual IP address in the dashboard?
Should there be [near] zero downtime with anything on the one-to-one or one-to-many NAT rules if there is a failover event?
The address that must be considered is that of the VIP. As for the time of the failover event, it is transparent to the user; it should lose a maximum of 2 or 3 pings.
Please, if this post was useful, leave your kudos and mark it as solved.
>The DNS name that comes up for the virtual IP address in the dashboard?
Correct. Otherwise the automatic certificate name won't match.
>Should there be [near] zero downtime with anything on the one-to-one or one-to-many NAT rules if there is a failover event?
No state is synced between the two MX. When a failover happens, all connections are dropped and must be made again. In the case of AnyConnect, users need to reconnect.
@PhilipDAth I've already done several failover tests and I didn't have any problems, it was practically transparent, at most 2 or 3 pings were lost.
Please, if this post was useful, leave your kudos and mark it as solved.
Try a long-running TCP connection, like a download. You'll see that it fails.
But I agree, it is not noticeable for most things. Users mostly use their web browser these days and expect to just click reload.
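A way to reproduce the check described above (hold one TCP session open across a failover and see whether it survives), as an added example that is not from this thread or from Meraki. The function names, the host/port arguments and the local echo server are mine; the echo server is a constructed stand-in that drops the session after a few probes so the script runs offline, and nothing here contacts an MX VIP unless you point it at one.

```python
import socket
import threading
import time


def tcp_session_outcome(host, port, hold_seconds, probe_interval=1.0):
    """Hold one TCP session to host:port and report whether it survived.

    A 1-byte probe is sent every probe_interval seconds and its echo awaited.
    Returns {'survived': bool, 'dropped_after': seconds or None, 'error': str or None}.
    Because the MX pair syncs no session state, a failover shows up here as a
    reset or an orderly close well before hold_seconds elapses, even though
    ICMP to the VIP only loses a few pings.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            while time.monotonic() - start < hold_seconds:
                sock.sendall(b"x")
                if sock.recv(1) != b"x":  # b"" means the peer closed on us
                    return {"survived": False, "error": "closed by peer",
                            "dropped_after": round(time.monotonic() - start, 1)}
                time.sleep(probe_interval)
    except OSError as exc:  # ConnectionResetError, timeout, unreachable ...
        return {"survived": False, "error": repr(exc),
                "dropped_after": round(time.monotonic() - start, 1)}
    return {"survived": True, "dropped_after": None, "error": None}


def start_fake_vip_echo(fail_after=None):
    """Constructed stand-in for a service behind the VIP (offline runs only).

    Echoes each byte; after fail_after echoes it closes the connection,
    imitating the session loss a stateless failover causes. Returns the port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            echoed = 0
            while fail_after is None or echoed < fail_after:
                data = conn.recv(1)
                if not data:
                    break
                conn.sendall(data)
                echoed += 1
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real pair, run `tcp_session_outcome("<vip-or-nat-address>", <port>, hold_seconds=300)` alongside a ping to the VIP, trigger the failover, and compare when the session died with how many pings were lost.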
Failover tests on the VPN? Or something else?
Tests on local LAN and S2S VPN. Client VPN needs to reconnect, as mentioned by @PhilipDAth.
Please, if this post was useful, leave your kudos and mark it as solved.
Thanks for that info.
On firewall rules for other one-to-one NATs, is that using a virtual MAC address between the two devices?
For instance, I have WAN for MX1, WAN for MX2, and then the VIP for that. I have other NAT rules for the rest of the /29 block - one of those being SIP.
Am I going to have a problem with upstream ARP cache? Or does it use a virtual MAC address like I read about?
Sorry for posting to an old chat. Do the MX75 appliances support HA pair? Seems we had a sales call last year sometime where we were told MX85 or higher was needed for HA pair. I don't see info here:
https://documentation.meraki.com/MX/MX_Overviews_and_Specifications/MX75_Datasheet
or here
https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair
They support HA.
Awesome! Thanks Phil.
