Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Two MXs in HA: VIP on WAN2 questions

Solved
Miyo360
Getting noticed
2 weeks ago
2 weeks ago

Two MXs in HA: VIP on WAN2 questions

Hello,

I have a single MX75 and looking to add a 2nd for HA. Having read the docs I plan to use Virtual IPs as this offers seamless failover.

My WAN1 has 5 usable IPs, so I have the required 3 IPs available to configure one on Primary, one on Spare and one as the VIP. 

However, my WAN2 has only a single static IP. This part of the doc says the "security appliance will not behave correctly" if I don't configure a VIP for WAN2, yet in the same paragraph it says setting a VIP for WAN2 is optional. Huh?

How best to utilise a VIP with WAN1, whilst using a single IP on WAN2? 

Further down the doc, it talks about tertiary uplinks being configured on just the Spare. Perhaps I should configure the WAN2 just on the Spare MX then? How is this even done, as I understand the spare to just to effectively be a clone of the primary...?

Many thanks

Labels:
Subscribe
1 Accepted Solution
In response to Miyo360
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

>For inbound, we host an RDS deployment, which is widely used.

You don't need a VIP for this case.  The result is exactly the same either way.  MXs don't sync session state, so if their is a failover (either way) everyone will get disconnected.  Being RDP, the client is likely to auto-reconnect again.

>So, if we didn't use VIPs and just used the MX uplink IPs instead, is there an alternative way?

As long as you use an IP address out of your /29 (not assigned to a WAN interface), you don't need to do anything special.  It will failover between the MXs.

View solution in original post

0 Kudos
Subscribe
11 Replies 11
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

To configure Warm Spare you need at least two addresses (one for each MX) and 3 if you consider using vIP. What you can do in the case of WAN2 (if it is an option of course) is to use a NATed IP (Private IP), so you would somehow have to configure the ISP router to give it a NATed private IP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
Ryan_Miles
Meraki Employee
Meraki Employee
2 weeks ago
2 weeks ago

Not sure if the behavior has changed over time, but if use of VIP is enabled both WAN 1 & 2 fields require an entry. This is what happens when you leave WAN 2 VIP blank.

mx75_ha.jpg

As for your second question the WAN 1 & 2 can be on different subnets on MX1 and MX2 if not using VIPs. Of course failover won't be as seamless as things like natted outbound flows, VPN tunnels, etc would change IPs when failing from MX1 to MX2.

Subscribe
In response to Ryan_Miles
ww
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

The "workaround" for this is (or was) go to the spare mx, and set the vip only for wan1.

I had a support case on this topic years ago. Seems like the documentation is still not clear enough. But the conclusion of support was , you should have 2 vips or none

0 Kudos
Subscribe
In response to ww
Ryan_Miles
Meraki Employee
Meraki Employee
2 weeks ago
2 weeks ago

I get the same error whether I attempt it on MX1 or MX2.

I've also requested a doc review as the note in there seems incorrect IMO.

0 Kudos
Subscribe
In response to Ryan_Miles
ww
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Wan2 on the primary had to be up, Wan2 on the spare had to be down(empty port).  But maybe they fixed that part

0 Kudos
Subscribe
In response to Ryan_Miles
Miyo360
Getting noticed
2 weeks ago
2 weeks ago

Hi Ryan. I agree, the docs seems incorrect, or unclear at least.  It clearly says the VIP for the secondary uplink is optional (source)

0 Kudos
Subscribe
In response to Ryan_Miles
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

There was a change in behaviour about 2 years ago.  I used to use this feature, of configuring a VIP on a single WAN interface, and it worked fine.  Then it changed so you had to configure a VIP on both WAN interfaces.

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

I only use a VIP on maybe 10% of deployments.

Outbound web browsing doesn't need VIP for failover.  Non-Meraki site to site VPN does need it.  Microsoft and AnyConnect client VPN does not.  Can can use the VIP IP address for NAT, but I don't do that.  AutoVPN does not need it.

Are there any other features you are using?  Chances are you can just leave it turned off.

0 Kudos
Subscribe
In response to PhilipDAth
Miyo360
Getting noticed
2 weeks ago
2 weeks ago

Hi, thanks for the reply. I did consider which use cases a VIP is preferred. For outbound, we whitelist our MX public IP for a few hosted services, so these are not an issue as I could just whitelist the IPs for both MXs.

For inbound, we host an RDS deployment, which is widely used. This is configured on the MX as a 1:Many NAT. This NAT rule is configured for one of our /29 IPs, which is different to the IP of the MX itself. In order for seamless failover to occur for this service, I would need to configure the rule to use the VIP, correct? 

So, if we didn't use VIPs and just used the MX uplink IPs instead, is there an alternative way? We use Cloudflare for our  public DNS, so wonder if their load balancing feature would work for this? Helpful video here: https://dash.cloudflare.com/9ddb1f20a45146dd49b99387e8996483/pddinnovation.com/traffic/load-balancin...

Regarding Cloudflare's monitoring of the availability of "servers" in the load balancer, the supported protocols include HTTP, HTTPS, TCP, UDP, ICMP, ICMP ping, and SMTP. (source: include https://developers.cloudflare.com/load-balancing/monitors/)

0 Kudos
Subscribe
In response to Miyo360
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

>For inbound, we host an RDS deployment, which is widely used.

You don't need a VIP for this case.  The result is exactly the same either way.  MXs don't sync session state, so if their is a failover (either way) everyone will get disconnected.  Being RDP, the client is likely to auto-reconnect again.

>So, if we didn't use VIPs and just used the MX uplink IPs instead, is there an alternative way?

As long as you use an IP address out of your /29 (not assigned to a WAN interface), you don't need to do anything special.  It will failover between the MXs.

0 Kudos
Subscribe
In response to PhilipDAth
Miyo360
Getting noticed
2 weeks ago
2 weeks ago

@PhilipDAth wrote:

Being RDP, the client is likely to auto-reconnect again.

But...our RDP farm is accessed via a name like remote.company.com, which points one of our /29 addresses, not the MX address. Ah, OK, you're saying this doesn't matter, as... if the primary MX fails, the secondary will also know about the NAT rule and accept traffic. That makes sense. 

I'm really overthinking the VIP concept. Talking it through really helps. Much appreciated!

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.