Meraki

Community

Two MXs in HA: VIP on WAN2 questions

Solved
Miyo360
Getting noticed
‎Apr 16 2024 10:14 AM
‎Apr 16 2024 10:14 AM

Two MXs in HA: VIP on WAN2 questions

Hello,

I have a single MX75 and looking to add a 2nd for HA. Having read the docs I plan to use Virtual IPs as this offers seamless failover.

My WAN1 has 5 usable IPs, so I have the required 3 IPs available to configure one on Primary, one on Spare and one as the VIP. 

However, my WAN2 has only a single static IP. This part of the doc says the "security appliance will not behave correctly" if I don't configure a VIP for WAN2, yet in the same paragraph it says setting a VIP for WAN2 is optional. Huh?

How best to utilise a VIP with WAN1, whilst using a single IP on WAN2? 

Further down the doc, it talks about tertiary uplinks being configured on just the Spare. Perhaps I should configure the WAN2 just on the Spare MX then? How is this even done, as I understand the spare to just to effectively be a clone of the primary...?

Many thanks

Labels:
1 Accepted Solution
In response to Miyo360
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 17 2024 12:10 PM
‎Apr 17 2024 12:10 PM

>For inbound, we host an RDS deployment, which is widely used.

You don't need a VIP for this case.  The result is exactly the same either way.  MXs don't sync session state, so if their is a failover (either way) everyone will get disconnected.  Being RDP, the client is likely to auto-reconnect again.

>So, if we didn't use VIPs and just used the MX uplink IPs instead, is there an alternative way?

As long as you use an IP address out of your /29 (not assigned to a WAN interface), you don't need to do anything special.  It will failover between the MXs.

View solution in original post

0 Kudos
11 Replies 11
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 16 2024 10:26 AM
‎Apr 16 2024 10:26 AM

To configure Warm Spare you need at least two addresses (one for each MX) and 3 if you consider using vIP. What you can do in the case of WAN2 (if it is an option of course) is to use a NATed IP (Private IP), so you would somehow have to configure the ISP router to give it a NATed private IP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Ryan_Miles
Meraki Employee
Meraki Employee
‎Apr 16 2024 10:28 AM
‎Apr 16 2024 10:28 AM

Not sure if the behavior has changed over time, but if use of VIP is enabled both WAN 1 & 2 fields require an entry. This is what happens when you leave WAN 2 VIP blank.

mx75_ha.jpg

As for your second question the WAN 1 & 2 can be on different subnets on MX1 and MX2 if not using VIPs. Of course failover won't be as seamless as things like natted outbound flows, VPN tunnels, etc would change IPs when failing from MX1 to MX2.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Ryan_Miles
ww
Kind of a big deal
Kind of a big deal
‎Apr 16 2024 10:47 AM
‎Apr 16 2024 10:47 AM

The "workaround" for this is (or was) go to the spare mx, and set the vip only for wan1.

I had a support case on this topic years ago. Seems like the documentation is still not clear enough. But the conclusion of support was , you should have 2 vips or none

0 Kudos
In response to ww
Ryan_Miles
Meraki Employee
Meraki Employee
‎Apr 16 2024 10:58 AM
‎Apr 16 2024 10:58 AM

I get the same error whether I attempt it on MX1 or MX2.

I've also requested a doc review as the note in there seems incorrect IMO.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to Ryan_Miles
ww
Kind of a big deal
Kind of a big deal
‎Apr 16 2024 11:02 AM
‎Apr 16 2024 11:02 AM

Wan2 on the primary had to be up, Wan2 on the spare had to be down(empty port).  But maybe they fixed that part

0 Kudos
In response to Ryan_Miles
Miyo360
Getting noticed
‎Apr 17 2024 2:29 AM
‎Apr 17 2024 2:29 AM

Hi Ryan. I agree, the docs seems incorrect, or unclear at least.  It clearly says the VIP for the secondary uplink is optional (source)

0 Kudos
In response to Ryan_Miles
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 16 2024 11:46 AM
‎Apr 16 2024 11:46 AM

There was a change in behaviour about 2 years ago.  I used to use this feature, of configuring a VIP on a single WAN interface, and it worked fine.  Then it changed so you had to configure a VIP on both WAN interfaces.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 16 2024 11:48 AM
‎Apr 16 2024 11:48 AM

I only use a VIP on maybe 10% of deployments.

Outbound web browsing doesn't need VIP for failover.  Non-Meraki site to site VPN does need it.  Microsoft and AnyConnect client VPN does not.  Can can use the VIP IP address for NAT, but I don't do that.  AutoVPN does not need it.

Are there any other features you are using?  Chances are you can just leave it turned off.

0 Kudos
In response to PhilipDAth
Miyo360
Getting noticed
‎Apr 17 2024 2:26 AM
‎Apr 17 2024 2:26 AM

Hi, thanks for the reply. I did consider which use cases a VIP is preferred. For outbound, we whitelist our MX public IP for a few hosted services, so these are not an issue as I could just whitelist the IPs for both MXs.

For inbound, we host an RDS deployment, which is widely used. This is configured on the MX as a 1:Many NAT. This NAT rule is configured for one of our /29 IPs, which is different to the IP of the MX itself. In order for seamless failover to occur for this service, I would need to configure the rule to use the VIP, correct? 

So, if we didn't use VIPs and just used the MX uplink IPs instead, is there an alternative way? We use Cloudflare for our  public DNS, so wonder if their load balancing feature would work for this? Helpful video here: https://dash.cloudflare.com/9ddb1f20a45146dd49b99387e8996483/pddinnovation.com/traffic/load-balancin...

Regarding Cloudflare's monitoring of the availability of "servers" in the load balancer, the supported protocols include HTTP, HTTPS, TCP, UDP, ICMP, ICMP ping, and SMTP. (source: include https://developers.cloudflare.com/load-balancing/monitors/)

0 Kudos
In response to Miyo360
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 17 2024 12:10 PM
‎Apr 17 2024 12:10 PM

>For inbound, we host an RDS deployment, which is widely used.

You don't need a VIP for this case.  The result is exactly the same either way.  MXs don't sync session state, so if their is a failover (either way) everyone will get disconnected.  Being RDP, the client is likely to auto-reconnect again.

>So, if we didn't use VIPs and just used the MX uplink IPs instead, is there an alternative way?

As long as you use an IP address out of your /29 (not assigned to a WAN interface), you don't need to do anything special.  It will failover between the MXs.

0 Kudos
In response to PhilipDAth
Miyo360
Getting noticed
‎Apr 17 2024 1:09 PM
‎Apr 17 2024 1:09 PM

@PhilipDAth wrote:

Being RDP, the client is likely to auto-reconnect again.

But...our RDP farm is accessed via a name like remote.company.com, which points one of our /29 addresses, not the MX address. Ah, OK, you're saying this doesn't matter, as... if the primary MX fails, the secondary will also know about the NAT rule and accept traffic. That makes sense. 

I'm really overthinking the VIP concept. Talking it through really helps. Much appreciated!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.