Soft failure test / Internet traffic failover much slower than VPN traffic

Solved
suneq
Getting noticed

Hi,

My client has all their spokes configured with a basic topology: 1 MX + 2 ISP routers.

I recently did a soft failure test by disconnecting the WAN link of the primary ISP router.

What I noticed is that the convergence time of VPN traffic is much faster than Internet traffic. I tested with 3 sites and saw the same behavior: VPN traffic was back after 1-2 minutes, but we always had to wait around 4-5 minutes before our "ping 8.8.8.8" worked again. I understood that in the case of a soft failure the convergence time can be up to 5 minutes; what I do not understand is the reason for the difference between VPN traffic and Internet traffic.

Could you help me understand what happened, please?

Thanks.

1 Accepted Solution
Bruce
Kind of a big deal

VPN failover is detected quickly in the scenario you’ve given, as even though it’s an indirect failure the VPN tunnel on that link goes down and is detected pretty quickly through the IPsec tunnel mechanisms, and so traffic can be routed over other VPN tunnels.

With the indirect failure and the straight internet link, the physical and layer 2 link doesn’t go down, so you have to wait for the other tests to time out, which takes the time.

3 Replies
suneq
Getting noticed

Hi @Bruce 

Thanks for your explanation. Is there any Meraki documentation in which I can find more details about the IPsec tunnel mechanisms you mentioned please (how it detects the failover, how long, etc.)? Thanks.

Bruce
Kind of a big deal

This article has the failover times in it, https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/.... It mentions that tunnel performance is tested every second, but nothing more than that. I’m not sure if Meraki AutoVPN uses IPsec Dead Peer Detection, or a version of it (I expect it does) - there is plenty of information on the internet about that, but not sure what parameters Meraki use.
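To make the timing difference Bruce describes concrete, here is an added simulation (not Meraki's code, and not taken from the linked article). It models the soft failure from the question: the ISP router's WAN is unplugged, so the MX still sees carrier on the link but nothing is reachable. The probe intervals and miss thresholds are assumptions; the page only states that tunnel performance is tested every second.

```python
"""Time-to-detect a WAN failure for a probe-based detector vs link state.

Added example for illustration. Timer values are assumptions, not
documented Meraki parameters.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Uplink:
    carrier_up: bool  # layer 1/2 state as seen by the MX
    forwards: bool    # whether packets actually reach the far end


@dataclass
class ProbeDetector:
    """Declare the path down after `max_misses` consecutive failed probes."""
    interval_s: float
    max_misses: int
    misses: int = 0

    def tick(self, uplink: Uplink) -> bool:
        self.misses = 0 if uplink.forwards else self.misses + 1
        return self.misses >= self.max_misses


def time_to_detect(failure: str, det: ProbeDetector, horizon_s: float = 600.0) -> Optional[float]:
    """Seconds until the uplink is declared down after a failure at t=0.

    "hard": carrier drops, so the link-state change is seen at once.
    "soft": upstream WAN unplugged; carrier stays up, only probes can tell.
    Returns None if the detector has not fired within `horizon_s`.
    """
    uplink = Uplink(carrier_up=(failure == "soft"), forwards=False)
    if not uplink.carrier_up:
        return 0.0  # link-state event, no probe timeout needed
    t = 0.0
    while t + det.interval_s <= horizon_s:
        t += det.interval_s
        if det.tick(uplink):
            return t
    return None


def compare(failure: str) -> Dict[str, Optional[float]]:
    """Assumed timers: tunnel probe every 1 s, dead after 3 misses;
    Internet connectivity test every 30 s, down after 5 misses."""
    return {
        "vpn_s": time_to_detect(failure, ProbeDetector(1.0, 3)),
        "internet_s": time_to_detect(failure, ProbeDetector(30.0, 5)),
    }
```

With these assumed timers a soft failure is noticed on the VPN path after 3 s but on the plain Internet path only after 150 s, while a hard failure is detected immediately on both; the real values depend on the platform's timers, which the thread does not pin down.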
