SDWAN - VPN Policy - Internet - Failover

SOLVED
Building a reputation

Hi,

I have a question around SDWAN policy in Meraki.

Scenario:

If you have your non-critical VPN traffic over WAN2 (ADSL) and a performance class to fail this over to WAN1 (MPLS) should it hit 5% packet loss.

  1. Active/Active VPN with no default route selected on hubs.
  2. No internet flow preferences.
  3. Primary uplink set to WAN2.
  4. Internet flows out of WAN2, not over the VPN.

Q1:

If WAN2 has 5% packet loss and fails over to WAN1, would your internet traffic continue to go out of WAN2 or would that also fail over to WAN1?

Thanks

Adam

1 ACCEPTED SOLUTION
Kind of a big deal

Re: SDWAN - VPN Policy - Internet - Failover

While you can use Performance Classes for VPN traffic, you cannot use them for Internet-destined traffic. For that the MX will use the Connection Monitor to decide when to fail traffic over:

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

In my lab testing the connection monitor doesn't reliably fail over traffic to another WAN link until you have about 70% loss on the link. Between 40%-70% you get unpredictable results, and below 40% it almost never fails over at all.

I have a feature request in to control the failover of Internet traffic based on % loss, but as of yet it has not been implemented.

5 REPLIES
Kind of a big deal

Re: SDWAN - VPN Policy - Internet - Failover

Not 100% certain, but my guess in this scenario is that unless WAN2 actually goes down, that Internet traffic will still attempt to traverse the link.
Nolan Herring | nolanwifi.com

Meraki Employee

Re: SDWAN - VPN Policy - Internet - Failover

The performance-based routing rules are consulted before the policy-based rules, so if you can establish VPN over both MPLS/ADSL interfaces as you described, and if the flow matches the performance rule, and you only have 1 path that satisfies that performance-based rule, then it'll ignore any policy-based rule and just go by the performance-based rule, and won't make it to the primary tunnel selection.  If a performance rule is NOT matched, it'll then check any policy-based rules and send out the flow based on whichever egress is specified by the policy, and if there's no actual policy-based rules it should fall through to the primary tunnel.

[Edit] I realized I typed up all that and remembered there's a good flowchart in the documentation here: https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/... and I didn't touch on every permutation but hopefully the flowchart and the step-by-step walk-through help clarify what I probably didn't above! 🙂
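To make the two decision orders in this thread concrete, here is an added worked model in Python. It is not Meraki code and does not reproduce the linked flowchart beyond what the replies above state: it encodes the order MerakiDave gives for VPN flows (performance rule, then policy rule, then primary tunnel) and the accepted answer's point that Internet-bound flows ignore performance classes and only move once the Connection Monitor marks the uplink down. The 70% monitor cut-off (the lab figure quoted above), the tie-break when several paths satisfy a performance class, and the sample uplink metrics are assumptions for the model, not Meraki values.

```python
"""Toy model of the MX path-selection order described in this thread.

Added example, not Meraki code. Assumptions are marked inline: the loss level
at which the Connection Monitor declares an uplink down, the tie-break when
several paths satisfy a performance class, and the sample uplink metrics.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: the lab figure quoted in the thread, not a documented Meraki threshold.
CONN_MONITOR_LOSS_PCT = 70.0


@dataclass
class Uplink:
    name: str
    loss_pct: float
    latency_ms: float
    up: bool = True  # Connection Monitor verdict, set by run_connection_monitor()


@dataclass
class PerformanceClass:
    max_loss_pct: float
    max_latency_ms: float

    def satisfied_by(self, u: Uplink) -> bool:
        # Assumption: a path qualifies while loss and latency stay at or below the class maxima.
        return u.up and u.loss_pct <= self.max_loss_pct and u.latency_ms <= self.max_latency_ms


@dataclass
class Flow:
    over_vpn: bool
    perf_class: Optional[PerformanceClass] = None
    preferred_uplink: Optional[str] = None  # VPN policy rule or Internet flow preference


def run_connection_monitor(uplinks: List[Uplink]) -> List[Uplink]:
    """Mark an uplink down only once its loss reaches the monitor's cut-off."""
    for u in uplinks:
        u.up = u.loss_pct < CONN_MONITOR_LOSS_PCT
    return uplinks


def select_vpn_path(flow: Flow, uplinks: List[Uplink], primary: str) -> Tuple[Optional[str], str]:
    """Order from MerakiDave's reply: performance rule, then policy rule, then primary tunnel."""
    candidates = [u for u in uplinks if u.up]
    if flow.perf_class is not None:
        qualifying = [u for u in candidates if flow.perf_class.satisfied_by(u)]
        if len(qualifying) == 1:
            return qualifying[0].name, "performance rule: only one path qualifies"
        if qualifying:
            candidates = qualifying  # assumption: policy/primary choose among qualifying paths
    names = {u.name for u in candidates}
    if flow.preferred_uplink in names:
        return flow.preferred_uplink, "policy rule"
    if primary in names:
        return primary, "primary tunnel"
    if candidates:
        return candidates[0].name, "only remaining path"
    return None, "no path up"


def select_internet_path(flow: Flow, uplinks: List[Uplink], primary: str) -> Tuple[Optional[str], str]:
    """Internet flows never consult a performance class; only the monitor verdict moves them."""
    live = {u.name for u in uplinks if u.up}
    if flow.preferred_uplink in live:
        return flow.preferred_uplink, "flow preference"
    if primary in live:
        return primary, "primary uplink"
    if live:
        return sorted(live)[0], "failover: primary uplink marked down"
    return None, "no uplink up"


def route(flow: Flow, uplinks: List[Uplink], primary: str) -> Tuple[Optional[str], str]:
    if flow.over_vpn:
        return select_vpn_path(flow, uplinks, primary)
    return select_internet_path(flow, uplinks, primary)


def scenario(wan2_loss_pct: float) -> Dict[str, Tuple[Optional[str], str]]:
    """Adam's setup: WAN2 (ADSL) primary, no Internet flow preference,
    VPN traffic under a performance class that allows at most 5% loss."""
    # Constructed sample metrics: WAN1 is clean, WAN2's loss is the parameter.
    uplinks = run_connection_monitor([Uplink("WAN1", 0.0, 30.0), Uplink("WAN2", wan2_loss_pct, 40.0)])
    vpn_flow = Flow(over_vpn=True, perf_class=PerformanceClass(max_loss_pct=5.0, max_latency_ms=150.0))
    internet_flow = Flow(over_vpn=False)
    return {"vpn": route(vpn_flow, uplinks, "WAN2"), "internet": route(internet_flow, uplinks, "WAN2")}


if __name__ == "__main__":
    for loss in (0.0, 6.0, 80.0):
        print(f"WAN2 loss {loss:>4}% -> {scenario(loss)}")
```

Running it with 6% loss on WAN2 shows the VPN flow moving to WAN1 on the performance rule while the Internet flow stays on WAN2, which is the answer the accepted solution gives to Q1; the Internet flow only moves once WAN2's loss crosses the assumed monitor cut-off and the uplink is marked down.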

Building a reputation

Re: SDWAN - VPN Policy - Internet - Failover

Disappointing.

Thanks @MerakiDave and @jdsilva

Building a reputation

Re: SDWAN - VPN Policy - Internet - Failover

@MerakiDave yikes, that is a wild document. Made me depressed. 
