Status / info about when multiple AutoVPN paths between MX's (Private and Public)
Hi,
We have two warm spare sets in our DCs, MX-A and MX-B. They are set as VPN concentrators, as hubs connected to spoke sites and each other. The two DCs have an interconnection, and MX-A and B can reach each other over their LAN IP as well as over their internet NAT IP.
When I do packet captures I can see and confirm the A and B sites are actually communicating with each other over AutoVPN UDP ports. I can see traffic over the LAN IP addresses and also over the NAT WAN IP addresses (green dotted lines on diagram included).
Is there any way to check / confirm which path is actually active? It seems the MX is keeping tunnels up on both paths, but I can't find anything in the dashboard so far to confirm this.
I found the below online, which makes sense. But is there any way to get insight into which paths are available and active:
"For each MX, the cloud decides whether to use its interface (potentially private) or public IP address to establish a secure VPN tunnel. When possible, an MX’s WAN IP address will be used; this can provide shorter VPN paths between peer MXs (e.g. when multiple VPN peers are connected through MPLS to a primary data center, and from there, out to the Internet)"
Thanks,
Frank
I see two ways to confirm, the first is through the VPN Status page, where you can even apply some filters, such as a specific IP.
https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Status_Page
And another is using a packet capture.
Please, if this post was useful, leave your kudos and mark it as solved.
Note that I want to see the status with multiple paths over single WAN interfaces (VPN Concentrator -> VPN Concentrator).
Packet capture works as mentioned, but shows both paths are active. But this gives no info on path selection status etc.
None is visible on the VPN status page.
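
Added example (not written by any poster in this thread and not Meraki code): one way to get more than "both paths are up" out of the packet capture discussed above is to tally the UDP traffic between the two concentrators per peer address, split into the private (interconnect) and public (NAT) path. All addresses, ports and capture lines are constructed, and treating the higher-volume path as the one carrying data is an assumption, not documented AutoVPN behaviour.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also flag
# documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed tcpdump-style text as seen on MX-A (10.1.0.2). MX-B is reachable
# at 10.2.0.2 (interconnect) and 203.0.113.20 (NAT); all values are made up.
SAMPLE = """\
12:00:01.000 IP 10.1.0.2.40001 > 10.2.0.2.40002: UDP, length 1380
12:00:01.010 IP 10.2.0.2.40002 > 10.1.0.2.40001: UDP, length 1380
12:00:02.000 IP 10.1.0.2.40001 > 203.0.113.20.40002: UDP, length 60
12:00:02.020 IP 203.0.113.20.40002 > 10.1.0.2.40001: UDP, length 60
12:00:03.000 IP 10.1.0.2.40001 > 10.2.0.2.40002: UDP, length 900
12:00:12.000 IP 10.1.0.2.40001 > 203.0.113.20.40002: UDP, length 60
12:00:12.500 IP 10.1.0.2.53000 > 192.0.2.53.53: UDP, length 40
"""

UDP_LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)")

def path_kind(ip):
    """Label a peer address as the private or the public path."""
    addr = ip_address(ip)
    return "private" if any(addr in net for net in RFC1918) else "public"

def summarize_paths(capture_text, local_ip, peer_ips):
    """Count packets and bytes exchanged with the peer MX on each path."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "largest": 0})
    for line in capture_text.splitlines():
        m = UDP_LINE.search(line)
        if not m:
            continue
        src, dst, length = m.group(1), m.group(3), int(m.group(5))
        if src == local_ip and dst in peer_ips:
            peer = dst
        elif dst == local_ip and src in peer_ips:
            peer = src
        else:
            continue  # not traffic between the two concentrators
        s = stats[path_kind(peer)]
        s["packets"] += 1
        s["bytes"] += length
        s["largest"] = max(s["largest"], length)
    return dict(stats)

def likely_data_path(stats):
    """Assumption: the path with the most bytes is the one carrying data."""
    return max(stats, key=lambda k: stats[k]["bytes"]) if stats else None
```

A path that only shows small, evenly spaced packets is most likely carrying keepalives only; the capture has to cover a period with real inter-DC traffic for the comparison to mean anything.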
Unfortunately, these are the only possible forms available.
If you need greater granularity, you may want to contact Meraki support, or make a feature request.
Thanks, I will open a case and report results here.
Would the event logs show that the VPN is established with the private IP rather than the public IP?
Unfortunately the event log refers to the "peer_contact" public IP/port, even when internal connection.
Then I would guess that the API endpoints such as getOrganizationApplianceVpnStatuses will also display the public IPs and not the private ones.
Yes, good point. I checked Statuses and Stats but no info.
https://meraki.cisco.com/blog/2018/06/all-about-autovpn/
"If the two MX’s public IP addresses match, then the MXs in question are in the same private network. As such, they should route to one another via their interface IP addresses"
If they share a common public IP they will communicate directly with their private IP addresses.
My question is about checking the status or availability.
Packet capture shows that both the public and the private tunnels are active.
The two MXs clearly don't hold the same IP.
Hi @Frank-NL ,
It sounds like you are after how routing decisions are made. Have a look at the below guide. It explains how traffic destined for an address for which multiple routes exist will be routed in the order of priority.
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Route_Priority
Cheers,
Ivan Jukić,
Meraki APJC
If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
Hi, thanks but there is no mention about order/priority and monitoring the status when there are multiple AutoVPN paths, internal and external, between VPN concentrators.
