Redundant IPSec VPN with AWS

Kamome

I have one pair of MX configured as Warm-Spare without WAN VIP.

On the AWS side, I've created two VPN tunnels; the peer of each tunnel is MX#1 (with CGW#1) and MX#2 (with CGW#2). When I did the configuration, MX#2 was the primary device.

According to the MX's working mechanism, only the primary device establishes VPN connections. Thus, while AWS tries CGW#1 <=> MX#1 and CGW#2 <=> MX#2, the MX side tries MX#2 <=> CGW#1/2.

[Image: 001.png]

After configuring, the VPN tunnel CGW#2 <=> MX#2 came up and ran well. The next hop for the AWS VPC was CGW#2. I was able to ping the EC2 instance.

The problem comes up when failover occurs.

After MX#1 became primary, MX#1 tries to establish VPN connections with CGW#1 and CGW#2. The AWS side still tries CGW#1 <=> MX#1 and CGW#2 <=> MX#2. Therefore only the VPN tunnel between CGW#1 <=> MX#1 comes up.

[Image: 002.png]

It looks OK at first sight. The VPN tunnel for CGW#1 <=> MX#1 is up and CGW#2 <=> MX#2 is down. But I was unable to ping EC2. When I checked the routing table, the next hop for the AWS VPC was still CGW#2 until I removed CGW#2 <=> MX#2 from the Non-Meraki VPN peer configuration or made MX#2 primary again. After MX#2 became primary again, everything went back to normal and I was able to connect to EC2.

Is there any way to achieve AWS <-> Meraki IPsec VPN redundancy with a warm-spare configuration? I asked my local Cisco Meraki engineer about this situation, and he says that I have to configure a WAN VIP to make it redundant. But if I do that, I can't achieve ISP redundancy. Is WAN VIP the only solution?
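A monitoring check for the failure mode the post describes, written here as an added example and not code from the poster or from Meraki or AWS: given the MX's non-Meraki peer list and the AWS tunnel telemetry, it flags the case where the peer the MX prefers for the VPC prefix has a DOWN tunnel while another peer to the same prefix is UP. The sample peer list and telemetry are constructed inline (the field names follow the Meraki Dashboard API's third-party VPN peer objects and `aws ec2 describe-vpn-connections`, but no real addresses or IDs are used), and the rule that the MX keeps using its preferred peer regardless of tunnel state is an assumption taken from the poster's observation, not a documented Meraki behaviour.

```python
"""Detect the asymmetric failover described in the post above: the MX still
routes the VPC prefix via a non-Meraki peer whose tunnel is down while another
peer's tunnel to the same prefix is up.

All sample data is constructed for this example; nothing is fetched.
"""
import ipaddress

# Constructed: non-Meraki VPN peers as configured on the MX. Both peers
# advertise the same VPC prefix, as in the post. `publicIp` is the AWS-side
# tunnel endpoint address the MX peers with.
MERAKI_PEERS = [
    {"name": "AWS-via-CGW2", "publicIp": "198.51.100.20", "privateSubnets": ["10.50.0.0/16"]},
    {"name": "AWS-via-CGW1", "publicIp": "198.51.100.10", "privateSubnets": ["10.50.0.0/16"]},
]

# Constructed: AWS tunnel telemetry after MX#1 took over. The connection whose
# customer gateway is MX#1 is up; the one bound to MX#2 is down.
AWS_VPN_CONNECTIONS = [
    {"VpnConnectionId": "vpn-EXAMPLE1", "CustomerGatewayId": "cgw-EXAMPLE1",
     "VgwTelemetry": [{"OutsideIpAddress": "198.51.100.10", "Status": "UP"},
                      {"OutsideIpAddress": "198.51.100.11", "Status": "DOWN"}]},
    {"VpnConnectionId": "vpn-EXAMPLE2", "CustomerGatewayId": "cgw-EXAMPLE2",
     "VgwTelemetry": [{"OutsideIpAddress": "198.51.100.20", "Status": "DOWN"},
                      {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN"}]},
]


def matching_peers(peers, destination):
    """Peers whose privateSubnets cover `destination`, most specific prefix
    first; ties keep configuration order."""
    dst = ipaddress.ip_address(destination)
    hits = []
    for index, peer in enumerate(peers):
        best = max((ipaddress.ip_network(s).prefixlen
                    for s in peer["privateSubnets"]
                    if dst in ipaddress.ip_network(s)), default=None)
        if best is not None:
            hits.append((-best, index, peer))
    return [peer for _, _, peer in sorted(hits, key=lambda h: h[:2])]


def tunnel_status(connections, outside_ip):
    """Status of the AWS tunnel whose outside address the MX peers with."""
    for conn in connections:
        for tunnel in conn["VgwTelemetry"]:
            if tunnel["OutsideIpAddress"] == outside_ip:
                return tunnel["Status"]
    return "UNKNOWN"


def check_failover(peers, connections, destination):
    """Assumption (from the post's observation, not documented behaviour): with
    overlapping subnets the MX keeps sending traffic to its preferred peer
    regardless of that peer's tunnel state. The check therefore compares the
    preferred peer's tunnel with the other candidates for the same prefix."""
    candidates = matching_peers(peers, destination)
    if not candidates:
        return {"verdict": "no-route", "next_hop": None, "alternatives_up": []}
    selected = candidates[0]
    selected_status = tunnel_status(connections, selected["publicIp"])
    alternatives_up = [p["name"] for p in candidates[1:]
                       if tunnel_status(connections, p["publicIp"]) == "UP"]
    if selected_status == "UP":
        verdict = "ok"
    elif alternatives_up:
        verdict = "asymmetric"  # traffic is black-holed on a dead peer
    else:
        verdict = "down"
    return {"verdict": verdict, "next_hop": selected["name"],
            "next_hop_status": selected_status, "alternatives_up": alternatives_up}


if __name__ == "__main__":
    report = check_failover(MERAKI_PEERS, AWS_VPN_CONNECTIONS, "10.50.1.5")
    print(report)
    # The workaround the poster used: remove the dead peer so only one candidate remains.
    trimmed = [p for p in MERAKI_PEERS if p["name"] != report["next_hop"]]
    print(check_failover(trimmed, AWS_VPN_CONNECTIONS, "10.50.1.5"))
```

Run against live data, the same two functions would take the peer list from the Meraki Dashboard API and the telemetry from `describe-vpn-connections`; an "asymmetric" verdict is the signal to either remove the dead peer or switch the preferred peer, which is exactly the manual step the poster had to take.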

1 Reply

PhilipDAth

You won't be able to achieve both MX and ISP redundancy with a VPN to Amazon using this method.

If it is that important to you, I would change to using the vMX in Amazon. This will be by far the simplest solution.

You could use two active/active MXs in VPN concentrator mode, then put them behind a warm spare pair of MXs (these two MXs could run active/active as well if you like). Then use a layer 3 switch and a dynamic routing protocol between the two MXs in VPN concentrator mode.

If you are using warm spare mode and this type of configuration, you really want both ISPs to plug into both MXs to keep NAT simple.

If you want another complicated solution and don't mind running a script somewhere, you could also consider using tag-based VPN failover.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover
