Tag-Based IPsec VPN Failover

Solved
Fabian1
Getting noticed

Hi everyone,

Does this still work? https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

I'm struggling with the point that I have to use a backup tag that doesn't exist on a network yet. I added two tags to the network, "primary up" and "backup down", but the documentation says I need to add the tag "backup up" to the VPN availability. How do I do that, because I can only add a tag that is already tagged on a network?

Thanks

Fabian

1 Accepted Solution
Fabian1
Getting noticed

The solution is a bit dirty.

You have to add the tag <location_backup_up> to a network. Next you use that tag on the availability of the backup VPN.

Now you can remove the tag from the network again. The availability on the VPN will be blank, but if you use the script it will change the tag <primary_up> to down and <backup_down> to up. That will make the tag appear on the VPN, and primary_up will disappear.

Added the script with some changes to an AWS Lambda, works great!

5 Replies
Ryan_Miles
Meraki Employee

If I'm not mistaken, the script is renaming the tag from whatever its default state is. So the backup_up tag, for example, wouldn't normally exist until the script creates it based on detected loss.

Bilbo007
Just browsing

Hi @Fabian1, any chance you could share your AWS Lambda script for Meraki tag based failover? Thanks

 

Fabian1
Getting noticed

Here is the code. I simplified some of it. You need an S3 bucket to save the network list and an EventBridge rule to call the script every minute. You can set the Meraki key in the environment variables of the Lambda function.

import requests, boto3, os, json

def lambda_handler(event, context):

    api_key = os.environ['Meraki_Key']
    url = 'https://api.meraki.com/api/v0/organizations/[ORG ID]/uplinksLossAndLatency'
    header = {"X-Cisco-Meraki-API-Key": api_key, "Content-Type": "application/json"}
    response = requests.get(url, headers=header)
    s3 = boto3.client('s3')
    bucket = '[S3 BUCKET]'
    key = 'networklist.txt'

    # List of networks that are currently failed over, one network ID per line.
    # The first run has no file yet, so treat a missing object as an empty list.
    try:
        failed_over = s3.get_object(Bucket=bucket, Key=key)['Body'].read().decode('utf-8')
    except s3.exceptions.NoSuchKey:
        failed_over = ""
    failed_over_ids = [n for n in failed_over.split("\n") if n]

    for network in response.json():
        if network['ip'] != '8.8.8.8' and network['uplink'] == "wan1":
            print(network['networkId'])
            print(network['ip'])
            loss = False
            for iteration in network['timeSeries']:
                # lossPercent is None when there is no probe data for that sample
                if int(0 if iteration['lossPercent'] is None else iteration['lossPercent']) >= 30:
                    loss = True
                    network_info = requests.get("https://api.meraki.com/api/v0/networks/" + network['networkId'], headers=header)
                    print(network_info.json()['name'])
                    # API v0 returns the tags as one string with a leading and trailing space
                    # (" loc_primary_up loc_backup_down "), so the two tags sit at index 1 and 2
                    tags = network_info.json()['tags'].split(' ')
                    if len(tags) < 3:
                        print("Network does not carry both failover tags, skipping")
                        break
                    if "_primary_down" in tags[1] or "_primary_down" in tags[2]:
                        print("VPN already swapped")
                        break
                    else:
                        # Swap the tags
                        print("Need to change VPN, recent loss - " + str(iteration['lossPercent']))
                        if "_primary_up" in tags[1]:
                            tags[1] = tags[1].split("_up")[0] + "_down"
                        if "_primary_up" in tags[2]:
                            tags[2] = tags[2].split("_up")[0] + "_down"
                        if "_backup_down" in tags[1]:
                            tags[1] = tags[1].split("_down")[0] + "_up"
                        if "_backup_down" in tags[2]:
                            tags[2] = tags[2].split("_down")[0] + "_up"
                        payload = {'tags': tags[2] + " " + tags[1]}
                        # Write the tags back
                        new_network_info = requests.put("https://api.meraki.com/api/v0/networks/" + network['networkId'], data=json.dumps(payload), headers=header)
                        # Record the affected network in the S3 bucket
                        failed_over_ids.append(network['networkId'])
                        s3.put_object(Body="\n".join(failed_over_ids), Bucket=bucket, Key=key)
                        break
            # Reset the tags once the loss has gone back to 0
            if not loss and network['networkId'] in failed_over_ids:
                print("Primary VPN healthy again..swapping back")
                network_info = requests.get("https://api.meraki.com/api/v0/networks/" + network['networkId'], headers=header)
                tags = network_info.json()['tags'].split(' ')
                if len(tags) < 3:
                    print("Network does not carry both failover tags, skipping")
                    continue
                if "_primary_down" in tags[1]:
                    tags[1] = tags[1].split("_down")[0] + "_up"
                if "_primary_down" in tags[2]:
                    tags[2] = tags[2].split("_down")[0] + "_up"
                if "_backup_up" in tags[1]:
                    tags[1] = tags[1].split("_up")[0] + "_down"
                if "_backup_up" in tags[2]:
                    tags[2] = tags[2].split("_up")[0] + "_down"
                payload = {'tags': tags[1] + " " + tags[2]}
                # Write the tags back
                new_network_info = requests.put("https://api.meraki.com/api/v0/networks/" + network['networkId'], data=json.dumps(payload), headers=header)
                # Remove only this network from the S3 list, so other failed-over networks keep their entry
                failed_over_ids = [n for n in failed_over_ids if n != network['networkId']]
                s3.put_object(Body="\n".join(failed_over_ids), Bucket=bucket, Key=key)
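A reusable version of the tag-swap logic the thread describes, as an added example and not Fabian1's code: it parses the space-padded `tags` string the v0 API returns without relying on fixed index positions, applies the same 30% loss threshold and "already swapped" check, and renames `<location>_primary_up`/`<location>_backup_down` in both directions for any number of tags. The `berlin` prefix and the sample loss series used in the test are constructed for the example.

```python
from typing import Dict, List, Optional

LOSS_THRESHOLD = 30  # percent, the same threshold the Lambda above uses


def parse_tags(tag_string: str) -> List[str]:
    """API v0 returns tags as one string like ' loc_primary_up loc_backup_down ';
    split it and drop the empty entries the surrounding spaces produce."""
    return [t for t in tag_string.split(" ") if t]


def detect_loss(time_series: List[Dict], threshold: int = LOSS_THRESHOLD) -> bool:
    """True if any uplinksLossAndLatency sample reaches the threshold.
    lossPercent is None when there is no probe data; treat that as 0."""
    return any((sample.get("lossPercent") or 0) >= threshold for sample in time_series)


def failed_over(tags: List[str]) -> bool:
    """The script's idempotency check: a *_primary_down tag means the swap already happened."""
    return any(t.endswith("_primary_down") for t in tags)


def swap_tags(tags: List[str], to_backup: bool) -> List[str]:
    """Rename <loc>_primary_up <-> <loc>_primary_down and <loc>_backup_down <-> <loc>_backup_up.
    Tags that are not part of the failover pair pass through unchanged."""
    if to_backup:
        renames = {"_primary_up": "_primary_down", "_backup_down": "_backup_up"}
    else:
        renames = {"_primary_down": "_primary_up", "_backup_up": "_backup_down"}
    out = []
    for tag in tags:
        for old, new in renames.items():
            if tag.endswith(old):
                tag = tag[: -len(old)] + new
                break
        out.append(tag)
    return out


def next_tags(tag_string: str, time_series: List[Dict], tracked: bool) -> Optional[str]:
    """Return the new tag string for one network, or None when nothing should change.
    tracked: the network is in the persisted failed-over list (the S3 file in the Lambda)."""
    tags = parse_tags(tag_string)
    lossy = detect_loss(time_series)
    if lossy and not failed_over(tags):
        return " ".join(swap_tags(tags, to_backup=True))   # primary lost: move to backup VPN
    if not lossy and tracked and failed_over(tags):
        return " ".join(swap_tags(tags, to_backup=False))  # healthy again: swap back
    return None
```

Only the returned string needs to be sent in the PUT; a None result means the network is left untouched, which is what keeps the every-minute invocation from flapping the tags.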
Tarmahmood1
Getting noticed

Hi @Fabian1, I am going to have a warm spare MX with an ISP2 public IP. One non-Meraki VPN tunnel is established to our CSR1000v1 in Azure, and from the warm spare I want to establish a tunnel to CSR1000v2. I have no idea where you deploy the script for primary_up and backup_up. Is it on the Meraki side, or will it be in Azure? I am new to this API thing. If you can share the steps, I will follow them to implement it. Thanks
