I learned something this week and wanted to share. We turned up a site recently with 2 ISPs feeding an MX95. Failover testing was done by unplugging one ISP at a time, and all worked well.


This week, one ISP went into a suspended status, due to a billing issue. This link was through Internet 1. The other ISP continued working fine. However, in the dashboard, the site was down, but the users didn't experience any issues. After contacting Meraki support and talking with the working ISP, one of my co-workers came up with the bright idea to simply unplug the suspended ISP. That resolved the issue. We did test by connecting the Internet 1 link back to the suspended ISP, and the site went back to an unmanageable state.


A couple of theories why it was working: One, the suspended ISP was blocking 443 & 80 traffic but VPN traffic could still function. Two, link up status on the suspended ISP was faking out the Meraki as it was not a hard failed link. As it stands now, when the billing issues are resolved, we'll plug the second link back in and monitor for any problems.


Any other theories?

Depending on the firmware version of your gear, you could be using UDP/7351 for cloud connectivity or TCP/443 towards the Meraki Cloud for manageability.

However, the MXes themselves use a 3-step uplink connection monitor (ICMP, DNS and an HTTP request (not HTTPS)), and if these are successful the MX is in an UP state locally.

So I believe your ISP is only blocking TCP/443 traffic since that would be needed for the cloud connectivity part.


If you're doing a full tunnel for internet traffic then this would indeed not disrupt users. However, local breakout should experience issues then, unless that traffic was primarily directed to the other WAN.

