Secondary of Meraki HA Config Offers Different IP that other VPN'd Firewall Does Not Recognize

Solved
MarcW
Here to help

I have HA Merakis VPN'd to a SonicWall (changing this as soon as possible). I have 2 ISPs connected to the Meraki.

During testing, when I swap from HA1 to HA2, HA2 offers a different IP than HA1. The SonicWall VPN is configured for the HA1 IP address.

Also, the secondary IP on the SonicWall is set to connect with the secondary IP from the Meraki (ISP failover).

If I set both HA1 and HA2 to the same IP, I get a conflict. How do I overcome this?

1 Accepted Solution
alemabrahao
Kind of a big deal

You need to use Virtual IP (VIP).

WAN Virtual IPs

VIP addresses are shared by both the primary and warm spare appliance. Inbound and outbound traffic use this address to maintain the same IP address during a failover and reduce disruption. The virtual IPs are configured on the Security & SD-WAN > Monitor > Appliance status page, under the Spare section in the upper-left corner of the page. If two uplinks are configured, a VIP can be configured for each uplink. Each VIP must be in the same subnet as the IP addresses of both appliances for the uplink it is configured for, and it must be unique. In particular, it cannot be the same as either the primary or the warm spare's IP address.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#WAN_Vir...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
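
An added example (not part of the thread or of Meraki's documentation): a Python pre-change check of a warm-spare VIP plan against the rules quoted in the accepted solution, plus a check that the remote VPN peer is pointed at the VIP rather than at one appliance's own address. All addresses are constructed documentation-range values, and `check_vip`, `PLAN` and `peer_expects` are hypothetical names.

```python
import ipaddress

def check_vip(uplink, subnet, primary_ip, spare_ip, vip, peer_expects):
    """Return the problems found in one uplink's VIP plan (empty list = OK)."""
    net = ipaddress.ip_network(subnet)
    primary = ipaddress.ip_address(primary_ip)
    spare = ipaddress.ip_address(spare_ip)
    virtual = ipaddress.ip_address(vip)
    problems = []
    # Each appliance keeps its own address; sharing one is the conflict
    # described in the original question.
    if primary == spare:
        problems.append(f"{uplink}: primary and spare share {primary} (address conflict)")
    # The VIP must sit in the same subnet as both appliance addresses.
    for role, addr in (("primary", primary), ("spare", spare), ("VIP", virtual)):
        if addr not in net:
            problems.append(f"{uplink}: {role} {addr} is outside {net}")
    # The VIP must be unique: not the primary's or the spare's address.
    if virtual in (primary, spare):
        problems.append(f"{uplink}: VIP {virtual} reuses an appliance address")
    # Assumption: the remote firewall should target the VIP, since that is
    # the address that stays the same across a failover.
    if ipaddress.ip_address(peer_expects) != virtual:
        problems.append(f"{uplink}: remote peer expects {peer_expects}, not VIP {virtual}")
    return problems

# Constructed sample plan, one entry per uplink.
PLAN = [
    # Valid VIP, but the remote peer still points at the primary's own address.
    dict(uplink="WAN1", subnet="203.0.113.0/29", primary_ip="203.0.113.2",
         spare_ip="203.0.113.3", vip="203.0.113.4", peer_expects="203.0.113.2"),
    # VIP set to the spare's address, which the documentation forbids.
    dict(uplink="WAN2", subnet="198.51.100.0/29", primary_ip="198.51.100.2",
         spare_ip="198.51.100.3", vip="198.51.100.3", peer_expects="198.51.100.3"),
]

if __name__ == "__main__":
    for entry in PLAN:
        for problem in check_vip(**entry) or [f"{entry['uplink']}: OK"]:
            print(problem)
```
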

4 Replies
CptnCrnch
Kind of a big deal

You need to configure a Virtual IP on the MX that will "float" between those two and stay on the active one.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#Virtual...

MarcW
Here to help

Thanks but no.

Went to Uplink. Edited spare to use virtual. Same IP range but different than anything already set. Was the Public IP supposed to change to match the new VIP set?

After setting virtual, the public never changed and my other firewall never re-established the tunnel. My failover then kicked in shortly after for my secondary IP source.

alemabrahao
Kind of a big deal

Can you show your configuration?
