I have HA Merakis VPN'd to a SonicWall (changing this as soon as possible). I have 2 ISPs connected to the Meraki.
During testing, when I swap from HA1 to HA2, HA2 offers a different IP than HA1. The SonicWall VPN is configured for the HA1 IP address.
Also, the secondary IP on the SonicWall is set to connect with the secondary IP from the Meraki (ISP failover).
If I set both HA1 and HA2 to the same IP, I get a conflict. How do I overcome this?
You need to use Virtual IP (VIP).
VIP addresses are shared by both the primary and warm spare appliance. Inbound and outbound traffic use this address to maintain the same IP address during a failover and reduce disruption. The virtual IPs are configured on the Security & SD-WAN > Monitor > Appliance status page, under the Spare section in the upper-left corner of the page. If two uplinks are configured, a VIP can be configured for each uplink. Each VIP must be in the same subnet as the IP addresses of both appliances for the uplink it is configured for, and it must be unique. In particular, it cannot be the same as either the primary or the warm spare's IP address.
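The addressing rules in the answer above can be checked before anything is entered in the dashboard. The following is an added example, not part of the original post and not Meraki code: the function names, the `in_use` list of other known addresses on the uplink subnet, and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

def check_vip(uplink, subnet, primary_ip, spare_ip, vip, in_use=()):
    """Return a list of problems with one uplink's VIP; an empty list means it passes."""
    net = ipaddress.ip_network(subnet)
    primary = ipaddress.ip_address(primary_ip)
    spare = ipaddress.ip_address(spare_ip)
    v = ipaddress.ip_address(vip)
    problems = []
    # Rule from the answer: the VIP shares a subnet with BOTH appliances' uplink IPs.
    for role, addr in (("primary", primary), ("warm spare", spare)):
        if addr not in net:
            problems.append(f"{uplink}: {role} IP {addr} is not in {net}")
    if v not in net:
        problems.append(f"{uplink}: VIP {v} is not in {net}")
    # Extra sanity check (not from the thread): network/broadcast are not host addresses.
    elif net.prefixlen < 31 and v in (net.network_address, net.broadcast_address):
        problems.append(f"{uplink}: VIP {v} is the network or broadcast address of {net}")
    # Rule from the answer: the VIP cannot equal the primary's or the warm spare's IP.
    if v == primary:
        problems.append(f"{uplink}: VIP {v} is the same as the primary IP")
    if v == spare:
        problems.append(f"{uplink}: VIP {v} is the same as the warm spare IP")
    # Rule from the answer: the VIP must be unique (here: not a known address such as the ISP gateway).
    if v in {ipaddress.ip_address(a) for a in in_use}:
        problems.append(f"{uplink}: VIP {v} is already in use on this subnet")
    return problems

# Constructed sample plan: one VIP per uplink, as the answer allows with two uplinks.
PLAN = [
    {"uplink": "WAN1", "subnet": "203.0.113.0/29", "primary_ip": "203.0.113.2",
     "spare_ip": "203.0.113.3", "vip": "203.0.113.4", "in_use": ["203.0.113.1"]},
    {"uplink": "WAN2", "subnet": "198.51.100.0/29", "primary_ip": "198.51.100.2",
     "spare_ip": "198.51.100.3", "vip": "198.51.100.2", "in_use": ["198.51.100.1"]},
]

def check_plan(plan):
    """Run the per-uplink check over every entry and key the results by uplink name."""
    return {entry["uplink"]: check_vip(**entry) for entry in plan}

if __name__ == "__main__":
    for uplink, problems in check_plan(PLAN).items():
        print(uplink, "OK" if not problems else problems)
```
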
You need to configure a Virtual IP on the MX that will "float" between those two and stay on the active one.
Thanks but no.
Went to Uplink. Edited spare to use virtual. Same IP range but different than anything already set. Was the Public IP supposed to change to match the new VIP set?
After setting virtual, the public never changed and my other firewall never re-established the tunnel. My failover then kicked in shortly after for my secondary IP source.
Can you show your configuration?