Tag-Based IPsec VPN Failover

SOLVED
Fabian1
Getting noticed

Hi everyone,

Does this still work? https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

I'm struggling with the point that I have to use a backup tag that doesn't exist on a network yet. I added two tags to the network with "primary up" and "backup down", but the documentation says I need to add the tag "backup up" to the VPN availability. How do I do that, because I can only add a tag that is already tagged on a network?

Thanks

Fabian

1 ACCEPTED SOLUTION
Fabian1
Getting noticed

The solution is a bit dirty.

You have to add the tag <location_backup_up> to a network. Next you use that tag on the availability of the backup VPN.

Now you can remove the tag from the network again. The availability on the VPN will be blank, but if you use the script it will change the tag <primary_up> to down and <backup_down> to up. That will make the tag appear on the VPN and primary_up will disappear.

Added the script with some changes to an AWS Lambda, works great!


4 REPLIES
Ryan_Miles
Meraki Employee

If I'm not mistaken the script is renaming the tag from whatever its default state is. So, the backup_up tag for example wouldn't normally exist until the script creates it based on detected loss.


Hi @Fabian1, any chance you could share your AWS Lambda script for Meraki tag based failover? Thanks

 

Here is the code. I simplified some of it. You need an S3 bucket to save the network and an EventBridge to call the script every minute. You can set the Meraki key in the parameters of the lambda function.
 
import requests, boto3, os, json

def lambda_handler(event, context):

    api_key = os.environ['Meraki_Key']
    url = 'https://api.meraki.com/api/v0/organizations/[ORG ID]/uplinksLossAndLatency'
    header = {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"}
    response = requests.get(url, headers=header)
    s3 = boto3.client('s3')
    bucket = '[S3 BUCKET]'
    key = 'networklist.txt'

    for network in response.json():
        # Only evaluate the wan1 uplink; skip the 8.8.8.8 probe
        if network['ip'] != '8.8.8.8' and network['uplink'] == "wan1":
            print(network['networkId'])
            print(network['ip'])
            loss = False
            for iteration in network['timeSeries']:
                # lossPercent is None when a probe has no result; treat that as 0
                if int(0 if iteration['lossPercent'] is None else iteration['lossPercent']) >= 30:
                    loss = True
                    network_info = requests.get("https://api.meraki.com/api/v0/networks/" + network['networkId'], headers=header)
                    print(network_info.json()['name'])
                    # The v0 API returns tags as one space-padded string, so split(' ')
                    # gives an empty first element and the two site tags at [1] and [2]
                    tags = network_info.json()['tags'].split(' ')
                    if "_primary_down" in tags[1] or "_primary_down" in tags[2]:
                        print("VPN already swapped")
                        break
                    else:
                        # Change the tags
                        print("Need to change VPN, recent loss - " + str(iteration['lossPercent']))
                        if "_primary_up" in tags[1]:
                            tags[1] = tags[1].split("_up")[0] + "_down"
                        if "_primary_up" in tags[2]:
                            tags[2] = tags[2].split("_up")[0] + "_down"
                        if "_backup_down" in tags[1]:
                            tags[1] = tags[1].split("_down")[0] + "_up"
                        if "_backup_down" in tags[2]:
                            tags[2] = tags[2].split("_down")[0] + "_up"
                        payload = {'tags': tags[2] + " " + tags[1]}
                        # Set the tags
                        new_network_info = requests.put("https://api.meraki.com/api/v0/networks/" + network['networkId'], data=json.dumps(payload), headers=header)
                        # Affected network is appended to the list in the S3 bucket
                        s3.put_object(Body=s3.get_object(Bucket=bucket, Key=key)['Body'].read().decode('utf-8') + "\n" + network['networkId'], Bucket=bucket, Key=key)
                        break
            # Tags are reset when loss goes back to 0
            if not loss and network['networkId'] in s3.get_object(Bucket=bucket, Key=key)['Body'].read().decode('utf-8'):
                print("Primary VPN healthy again..swapping back")
                network_info = requests.get("https://api.meraki.com/api/v0/networks/" + network['networkId'], headers=header)
                tags = network_info.json()['tags'].split(' ')
                if "_primary_down" in tags[1]:
                    tags[1] = tags[1].split("_down")[0] + "_up"
                if "_primary_down" in tags[2]:
                    tags[2] = tags[2].split("_down")[0] + "_up"
                if "_backup_up" in tags[1]:
                    tags[1] = tags[1].split("_up")[0] + "_down"
                if "_backup_up" in tags[2]:
                    tags[2] = tags[2].split("_up")[0] + "_down"
                payload = {'tags': tags[1] + " " + tags[2]}
                # Set the tags
                new_network_info = requests.put("https://api.meraki.com/api/v0/networks/" + network['networkId'], data=json.dumps(payload), headers=header)
                # Remove only this network from the list in the S3 bucket (writing "" would
                # also forget every other network that is still failed over)
                current = s3.get_object(Bucket=bucket, Key=key)['Body'].read().decode('utf-8')
                remaining = [n for n in current.split("\n") if n and n != network['networkId']]
                s3.put_object(Body="\n".join(remaining), Bucket=bucket, Key=key)
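The failover decision and tag flip from the accepted solution and the Lambda above, as an added example that is not the thread author's code: the same logic as pure functions over a constructed sample of the uplinksLossAndLatency shape, tolerant of the space-padded tag string and of tag order. The function names, sample data and site names are assumptions.

```python
# Added example, not the thread's Lambda. Constructed sample in the shape of the
# uplinksLossAndLatency response the script iterates over (IDs and IPs are made up).
SAMPLE_UPLINKS = [
    {"networkId": "N_1", "uplink": "wan1", "ip": "203.0.113.10",
     "timeSeries": [{"lossPercent": 0}, {"lossPercent": None}, {"lossPercent": 45}]},
    {"networkId": "N_2", "uplink": "wan1", "ip": "203.0.113.10",
     "timeSeries": [{"lossPercent": 0}, {"lossPercent": 12}]},
    {"networkId": "N_2", "uplink": "wan2", "ip": "203.0.113.10",
     "timeSeries": [{"lossPercent": 100}]},  # other uplink: must be ignored
]

def networks_with_loss(uplinks, threshold=30, uplink="wan1", skip_ip="8.8.8.8"):
    """IDs of networks whose monitored uplink reported loss >= threshold in any sample."""
    hit = set()
    for entry in uplinks:
        if entry["uplink"] != uplink or entry["ip"] == skip_ip:
            continue
        # lossPercent is None when a probe has no result; treat that as 0 like the script
        if any((s["lossPercent"] or 0) >= threshold for s in entry["timeSeries"]):
            hit.add(entry["networkId"])
    return hit

def parse_tags(tag_string):
    """The v0 API returns tags as one space-padded string; split() drops the padding."""
    return tag_string.split()

def failover_tags(tags, to_backup):
    """Flip <site>_primary_up/<site>_backup_down (or back); any order, other tags kept."""
    if to_backup:
        flips = {"_primary_up": "_primary_down", "_backup_down": "_backup_up"}
    else:
        flips = {"_primary_down": "_primary_up", "_backup_up": "_backup_down"}
    out = []
    for tag in tags:
        for old, new in flips.items():
            if tag.endswith(old):
                tag = tag[:-len(old)] + new
                break
        out.append(tag)
    return out

def new_tag_string(tag_string, lost):
    """Tag string to PUT back for one network, given whether its wan1 currently sees loss."""
    tags = parse_tags(tag_string)
    failed_over = any(t.endswith("_primary_down") for t in tags)
    if lost and not failed_over:
        return " ".join(failover_tags(tags, True))
    if not lost and failed_over:
        return " ".join(failover_tags(tags, False))
    return tag_string.strip()  # nothing to change
```

Because the decision is idempotent (a network already on backup is left alone until wan1 is healthy again), the function can be called every minute from a scheduler without toggling tags on every run.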