Meraki

Community

SDWAN - VPN Policy - Internet - Failover

Solved
Adoos
Building a reputation
‎Mar 26 2019 5:29 PM
‎Mar 26 2019 5:29 PM

SDWAN - VPN Policy - Internet - Failover

Hi,

 

I have a question around SDWAN policy in Meraki. 

 

Scenario:

If you have your non critical VPN traffic over WAN2 (ADSL) and a performance class to fail this over to WAN1 (MPLS) should it hit 5%packet loss. 

 

  1. Active/Active VPN with no default route selected on hubs. 
  2. No internet flow preferences. 
  3. Primary uplink set to WAN2.
  4. Internet flows out of WAN2 not over the VPN. 

 

Q1:

If WAN2 has 5% packet loss and fails over to WAN1 would your internet traffic continue to go out of WAN2 or would that also fail to WAN1.

 

Thanks

Adam

 

 

0 Kudos
1 Accepted Solution
In response to MerakiDave
jdsilva
Kind of a big deal
‎Mar 27 2019 7:06 AM
‎Mar 27 2019 7:06 AM

While you can use Performance Classes for VPN traffic you cannot use them for Internet destined traffic. For that the MX will use the Connection Monitor to decide when to fail traffic over:

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

 

In my lab testing the connection monitor doesn't reliably fail over traffic to another WAN link until you have about 70% loss on the link. Between 40%-70% you get unpredictable results, and below 40% it almost never fails over at all.

 

I have a feature request in to control the fail over of Internet traffic based on % loss, but as of yet it has not been implemented. 

http://blog.brokennetwork.ca | @jdsilva

View solution in original post

5 Replies 5
NolanHerring
Kind of a big deal
‎Mar 26 2019 6:36 PM
‎Mar 26 2019 6:36 PM

Not 100% certain, but my guess in this scenario is that unless WAN2 actually goes down, that Internet traffic will still attempt to traverse the link.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
MerakiDave
Meraki Employee
Meraki Employee
‎Mar 26 2019 9:27 PM
‎Mar 26 2019 9:27 PM

The performance-based routing rules are consulted before the policy-based rules, so if you can establish VPN over both MPLS/ADSL interfaces as you described, and if the flow matches the performance rule, and you only have 1 path that satisfies that performance-based rule, then it'll ignore any policy-based rule and just go by the performance-based rule, and won't make it to the primary tunnel selection.  If a performance rule is NOT matched, it'll then check any policy-based rules and send out the flow based on whichever egress is specified by the policy, and if there's no actual policy-based rules it should fall through to the primary tunnel.

 

[Edit] I realized I typed up all that and remembered there's a good flowchart in the documentation here:  https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/... and I didn't touch on every permutation but hopefully the flowchart and the step-by-step walk-through helps clarify what I probably didn't above! 🙂 

In response to MerakiDave
jdsilva
Kind of a big deal
‎Mar 27 2019 7:06 AM
‎Mar 27 2019 7:06 AM

While you can use Performance Classes for VPN traffic you cannot use them for Internet destined traffic. For that the MX will use the Connection Monitor to decide when to fail traffic over:

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

 

In my lab testing the connection monitor doesn't reliably fail over traffic to another WAN link until you have about 70% loss on the link. Between 40%-70% you get unpredictable results, and below 40% it almost never fails over at all.

 

I have a feature request in to control the fail over of Internet traffic based on % loss, but as of yet it has not been implemented. 

http://blog.brokennetwork.ca | @jdsilva
In response to jdsilva
Adoos
Building a reputation
‎Mar 27 2019 3:24 PM
‎Mar 27 2019 3:24 PM

Disappointing.

 

Thanks @MerakiDave and @jdsilva 

 

 

 

0 Kudos
In response to MerakiDave
Adoos
Building a reputation
‎Mar 27 2019 3:28 PM
‎Mar 27 2019 3:28 PM

@MerakiDave yikes, that is a wild document. Made me depressed. 

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.