Hi All, 

I have a scenario where the MX concentrator is behind a firewall that has dual Internet underlays. Each underlay has a separate IP range. Which underlay does the concentrator take? I understand that the spokes can decide HUB priority, but if there are 2 underlays, how does the Meraki platform operate?


Thank you in advance. 

Great question! 

The answer is upstream... Whatever public address your firewall is configured to NAT the concentrator's RFC1918 address to will be its internet egress point. Plug it in! The MX will start UDP hole punching outbound, or you can manually configure a static IP:Port so that you can keep a clean firewall rule policy.

For more information, refer to this doc: https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide 


Hi DashboardDunce,

Thank you. I have seen the link below but will do a detailed read this evening. How long does it take for the MX concentrator to realize the primary link has failed and fail over to the next link? I am also going to have a secondary DR location with an MX concentrator, which the spokes will point to as a secondary HUB. I would like to make sure that the spoke sites do not fail over to the secondary HUB unless and until both internet underlays fail at the primary HUB.

It needs to rebuild all the tunnels from and to the other WAN IP, so traffic from the spokes will use the 2nd hub for some period. If you don't use dynamic routing on the hub, you could use routed mode and use 2 WAN interfaces.

