Thanks, but does the LTE connection build a VPN tunnel when in use (or is it just a plain unencrypted Internet connection). I know that seems like a stupid question; it doesn't seem like an Internet (only) connection would do much good for internal traffic and that internal (site to site) traffic would only work with a VPN tunnel but I have had two different people tell me otherwise. 

"That is what I am saying – no VPN tunnel. If you want to test, I would be more than happy to try."

 

Like I said, doesn't seem practical. What if I have a banking customer? If the WAN circuits at a branch both fail and the unit switches over to LTE, having an Internet only connection doesn't do them much good if the business critical traffic has no internal way to get back to key applications in the data center, phones can't register, etc. 

I just want to make sure the way I understood it is correct. 

Any connection (WAN connection) that the MX has (WAN 1/WAN 2/LTE) will form their own connection for VPN, if you have AutoVPN setup that is (mesh or hub/spoke).

Yup, what @NolanHerring said, but to add the tunnel on the cellular interface won't be established until the cell interface is made active.

Got it. Thanks. 

And I understand, there could be up to 300 seconds before failover occurs? Seems like I remember reading that somewhere. 

Not sure, the 300 you read is the failover time between wired WAN connections, you read it here:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

or here:

https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...

The 300 second number is only for indirect failures. If the MX loses link the fail is immediate.

Awesome! Thanks everyone! I hope everyone has a great weekend!

 

 

5 minutes seems an awful long time for fail-over, so I would question that. Best thing to do is test it, but anytime I've disconnected WAN 1, WAN 2 almost instantly kicks in, and usually do not see a ping drop. Keep in mind that active flows will need to re-establish though. Not sure if things change for LTE but I would imagine maybe like 5 to 10 seconds.

 

Here is an example of WAN 1 going down on MX-1, and WAN-1 on MX-2 kicking in. Granted this is warm-spare, but I would imagine failover for WAN1 to WAN2 on the same MX would be similar.

 

From my blog on warm-spare testing: 

https://nolanwifi.com/2018/10/25/you-down-with-l-t-e-yeah-you-know-me-raki/

 

 

---

@NolanHerring wrote:

5 minutes seems an awful long time for fail-over, so I would question that. Best thing to do is test it, but anytime I've disconnected WAN 1, WAN 2 almost instantly kicks in, and usually do not see a ping drop. Keep in mind that active flows will need to re-establish though. Not sure if things change for LTE but I would imagine maybe like 5 to 10 seconds.

---

The 300 seconds is worst case and also only applies on a soft-fail. So when the MX doesn't detect a link down!

Great input @BrechtSchamp @NolanHerring @jdsilva on previous replies.  @DDThompson Since it's a conversation involving SD-WAN and tertiary cellular backup, I'll also just add that the cellular backup is NOT part of the SD-WAN ruleset today.  Just in case that was a follow-up question you might hear, SD-WAN applies to WAN1/WAN2 only, today.  Notice I keep saying "today".  🙂  The wishes are coming in and an FR is in place for including cellular SD-WAN rules for certain use-cases to leverage cellular as a true 3rd SD-WAN interface, unfortunately there is no ETA at this time so keep an eye on the release notes later in 2019.

Thanks Nolan. Second guessing myself. Just needed some confirmation so I appreciate it. 

It just didn't make any sense of what I was being told but being that two different people said the same thing, I wanted to make sure it wasn't me that was incorrect (not that THAT has EVER happened (today, much less anytime else)).

I appreciate it.