VPN Concentrator Deploymnet

isvc
New here

VPN Concentrator Deploymnet

Dear all,

 

 We recently deployed a pair of MXs (HA) at our datacenter(DC) and work as VPN concentrator. We though it works like a champ when swing over to the backup line for testing, and found out that the return traffic from DC to spoke is still travelling primary connection and hence there is Ascyn routing. 

 

  We suspect the servers in the DC  are returning the traffic follow the original route. So we hence change the route of the spoke to MX at the DC, the traffic become slow and unstable, it even show primary link down at the spoke. 

 

  May I know what is the correct approach? should we change the route of the spoke via DC MX (virtual IP)? 

 

thanks  

4 Replies 4
alemabrahao
Kind of a big deal
Kind of a big deal

Do you have a topology to share? Just to be clearer how your routing is doing.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
isvc
New here

sorry that I overlooked on  highlight the topology earlier.  

 

1. The org include 1 DC and 5 remote sites. The MPLS is interconnecting all 6 sites, each remote office have a cheap broadband connection as backup of the MPLS. 

2. DC has 2 x MX75 setup as HA. Configured as VPN Concentrator with 1 network cable to the core switch each. The MX75 have their physical IP each and a shared virtual IP, whoever served as primary will hold the virtual IP. DC has   MPLS WAN Link connecting to the 5 x remote sites. And an Internet leaseline for Internet connection. The coreswitch server as default gateway to the servers, it has a default route to Internet router and 5 x sites to MPLS router. 

3. 5 x remote sites each has a MX67, setup as routed mode, WAN 1 connect to the Internet broadband and WAN 2 connected to MPLS router. Users workstation are pointing MX67 as default gateway. 

 

The problem now is, We are unsure with such configuration, shall we change the default gateway of DC to the MX75 virtual IP? I just could not find the relevant information from the Internet. Hope to gain some advise from here.

PhilipDAth
Kind of a big deal
Kind of a big deal

You are talking about AutoVPN - right?

 

I assume when you "swung over to the backup line" you took down the primary line?  If you did, how was their async traffic?  If you left the primary circuit up - then using it in preference would be the correct thing for it to do.

isvc
New here

Yes, it is about Auto VPN, and we have yet to have a chance to un plug the primary line. We will do and revert.

Get notified when there are additional replies to this discussion.