VPN Concentrator (HUB, SPOKE) Behavior During Connection Loss to Cisco Meraki Cloud

Solved
MakaraMEAS
Getting noticed

Dear Community,

I have a question to clarify with you regarding VPN concentrator behavior during connection loss to the Cisco Meraki Cloud. I am not sure about the process and timing if the MX's connection to the Meraki Cloud is down (internet down) but the DPLC from the MX spoke (branch) to the MX hub (HQ) is working fine. I found this document, but it does not have full information to understand. I heard that if the connection to the Meraki Cloud is lost it will take up to 15 minutes, and if it is still triggered it will terminate the VPN. Kindly share the link or reference as well if you have one.
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Behavior_during_Conne...
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Failover_Behavior

Thanks,
Makara

M.MAKARA
1 Accepted Solution
cmr
Kind of a big deal

If the Meraki cloud, or more importantly access to the VPN registry part of it, is lost then the following should happen:

  • Existing VPN connections should remain up
  • New VPN connections cannot be established

There isn't a timeout on this as far as I am aware.

For example:

  • You have Meraki devices talking over an MPLS circuit that has internet breakout allowing them to talk to the cloud / registry.
  • The internet breakout goes down, but the MPLS stays up
  • The VPN should stay up, but it wouldn't re-establish if there was any outage before the internet access returned.

If my answer solves your problem please click Accept as Solution so others can benefit from it.


7 Replies
MakaraMEAS
Getting noticed

Thank you. When the MX cannot reach the VPN registry or Meraki Cloud, is the existing VPN peer over DPLC/MPLS still up as normal? Is it still up, or does it have a time-out period when the MX detects no connection to the VPN registry?

M.MAKARA
MakaraMEAS
Getting noticed

[Diagram: MakaraMEAS_0-1649042046268.png]

You can check my diagram for details: the MX spoke has VPN to HUB1 and HUB2. So when the spoke has no connection to the VPN registry or the internet, is the VPN via MPLS/DPLC still working fine?

M.MAKARA
cmr
Kind of a big deal

The existing connections should stay up, but if they do go down, then they will not re-establish until the access to the Meraki cloud VPN registry has been restored.  In our case we can take down our internet access at the main DC and we don't see any interruption to the site-to-site connections over the MPLS.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
MakaraMEAS
Getting noticed

Okay, thank you, let me test it soon. If this is okay as discussed, I will accept this as the solution.

M.MAKARA
MakaraMEAS
Getting noticed

You mentioned it correctly.
1. If we disconnect the internet for the DC HUB, the VPN is still up and user traffic can still be forwarded normally.
2. If the MX DC HUB and SPOKE use the same internet connection (DPLC or MPLS NAT to the internet via the same ISP), they will retry to the cloud at the same time. As I noticed, the VPN will be down 5 minutes after the internet connection goes down.
Please correct me if I am wrong.

M.MAKARA
MakaraMEAS
Getting noticed

Could you advise and confirm? Is the VPN over MPLS/DPLC still working normally if the MX has no connection to the VPN registry or has no internet (Cloud Manage)?

M.MAKARA