VPN Tunnel down after we swap to new ISP

SopheakMang
Building a reputation


Hi Experts,

We have an MX450 at the DC as VPN concentrator and spokes at remote locations doing VPN via the internet.

At the DC we have 2 internet ISP links (VPN established via ISP1).

Everything is working fine until we disconnect ISP1 and the upstream device swaps to ISP2; then the tunnel goes down.

Everything about the Meraki MX450 at the DC works fine, even access to the cloud, but the VPN to the spoke at the remote branch is not up.

Until I reboot the MX450 at the DC; when it is back up, the tunnel comes up, so we have to reboot every time the ISP changes.

It seems the MX450 does not refresh its previous public IP. Do you have any idea on this?

Is there something wrong at the backend?

Please help, we use Auto VPN.

Bettencourt
Meraki Employee

Ensure no traffic is being blocked towards the Cisco Meraki VPN Registries. You can find a complete list of IP addresses that must be reachable at all times for your dashboard to operate at its best; this list is on the top right of your dashboard under the menu Help > FIREWALL Info.

You can also go to Security & SD-WAN > VPN status and check for any error messages, NAT unfriendly warnings, or connectivity issues to the VPN Registries.

If everything above looks good and all checks have been made, you should then contact Cisco Meraki support with your findings, and you will get all the assistance you need.

Bruce
Kind of a big deal

@SopheakMang, adding to what @Bettencourt stated, when your traffic is using ISP1 the MX450 is registering to the Meraki VPN Registry with the public IP address on ISP1, and using this IP address to build all the VPN tunnels. When you failover to ISP2 the MX450 first has to register its new IP address with the VPN Registry, then this gets sent to all the branch sites so the VPN tunnels can all get rebuilt on the new IP address. This really shouldn’t take long, but it’s not instant.

As @Bettencourt said, make sure all the firewall ports are open as required and see if there are any VPN Registry errors on the AutoVPN page, or any VPN failure events in the Event Log. If all is looking good you’ll need to open a support case, as they’ll need to troubleshoot what’s going on with the VPN Registry and why the tunnels aren’t forming.
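The registration sequence Bruce describes (hub registers its ISP1 address, failover changes the public IP, the Registry must learn the new address before spokes can rebuild tunnels) is the kind of thing worth watching from the monitoring side rather than discovering by rebooting. The script below is an added example, not code from this thread or from Meraki: it folds a timeline of hub events into a small state model and raises an alert when the address the Registry holds still differs from the hub's observed public IP after a tolerance window. The event kinds, the `HubState` fields, the 120 s threshold and both timelines are constructed assumptions for illustration; the IP addresses are from the documentation ranges.

```python
"""Stale-registration detector for an AutoVPN hub behind a dual-ISP upstream.

Models the failure mode from the thread: the hub registers its public IP with
the VPN Registry; when the upstream device fails over to ISP2 the hub's public
IP changes, and until the Registry holds the new address the spokes keep
building tunnels to the old one. The timelines below are constructed sample
data, not real dashboard or event-log output.
"""
from dataclasses import dataclass, field
from typing import Optional

STALE_AFTER_SECONDS = 120.0  # assumption: how long a mismatch is tolerated before alerting


@dataclass
class HubState:
    wan_ip: Optional[str] = None         # public IP currently observed on the upstream path
    wan_changed_at: float = 0.0
    registered_ip: Optional[str] = None  # address the VPN Registry currently holds for the hub
    registered_at: float = 0.0
    alerted_change_at: Optional[float] = None  # suppress repeat alerts for the same change
    alerts: list = field(default_factory=list)


def apply_event(state: HubState, ev: dict, stale_after: float = STALE_AFTER_SECONDS) -> None:
    """Fold one event into the state; alert if the registration has gone stale."""
    t = float(ev["t"])
    if ev["kind"] == "wan_ip_seen":
        if ev["ip"] != state.wan_ip:
            state.wan_ip = ev["ip"]
            state.wan_changed_at = t
    elif ev["kind"] == "registry_update":
        state.registered_ip = ev["ip"]
        state.registered_at = t
    elif ev["kind"] != "tick":
        raise ValueError(f"unknown event kind: {ev['kind']!r}")

    mismatch = state.wan_ip is not None and state.registered_ip != state.wan_ip
    overdue = t - state.wan_changed_at > stale_after
    already = state.alerted_change_at == state.wan_changed_at
    if mismatch and overdue and not already:
        state.alerted_change_at = state.wan_changed_at
        state.alerts.append(
            f"t={t:.0f}: VPN Registry still holds {state.registered_ip} but the hub's "
            f"public IP has been {state.wan_ip} for {t - state.wan_changed_at:.0f}s; "
            "spokes will keep building tunnels to the stale address"
        )


def run_timeline(events, stale_after: float = STALE_AFTER_SECONDS) -> list:
    """Replay a list of events in time order and return the alerts raised."""
    state = HubState()
    for ev in sorted(events, key=lambda e: e["t"]):
        apply_event(state, ev, stale_after)
    return state.alerts


# Constructed timeline: failover at t=600, Registry refreshed 40 s later -> healthy.
TIMELINE_OK = [
    {"t": 0, "kind": "wan_ip_seen", "ip": "198.51.100.10"},     # ISP1 (documentation range)
    {"t": 5, "kind": "registry_update", "ip": "198.51.100.10"},
    {"t": 600, "kind": "wan_ip_seen", "ip": "203.0.113.20"},    # upstream swapped to ISP2
    {"t": 640, "kind": "registry_update", "ip": "203.0.113.20"},
    {"t": 800, "kind": "tick"},
]

# Constructed timeline: same failover, but the hub never re-registers (the symptom in the thread).
TIMELINE_STALE = [
    {"t": 0, "kind": "wan_ip_seen", "ip": "198.51.100.10"},
    {"t": 5, "kind": "registry_update", "ip": "198.51.100.10"},
    {"t": 600, "kind": "wan_ip_seen", "ip": "203.0.113.20"},
    {"t": 700, "kind": "tick"},   # 100 s after the change: still within tolerance
    {"t": 760, "kind": "tick"},   # 160 s after the change: alert
    {"t": 900, "kind": "tick"},   # same change, no duplicate alert
]

if __name__ == "__main__":
    for name, timeline in (("ok", TIMELINE_OK), ("stale", TIMELINE_STALE)):
        print(name, run_timeline(timeline) or "no alerts")
```

In practice the `wan_ip_seen` events would come from whatever observes the hub's egress address (the upstream router's WAN state, or a periodic check from the hub side) and `registry_update` from the VPN status page or event log that the replies point at; the point of the model is that a reboot-to-fix symptom like the one in the question shows up as a mismatch that never clears, which is what you want to alarm on rather than tunnel loss alone.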

cmr
Kind of a big deal

@SopheakMang, any chance that you can terminate the two ISPs on the MX, perhaps alongside the existing device, as opposed to behind it? Then both IPs would be registered all the time.

You'll need each ISP to give you at least a /29 which may or may not be easy, depending on where you are in the world.

SopheakMang
Building a reputation

Hi all bro, @Bruce @cmr @Bettencourt

Thanks for the comments. For the MX450 at the DC, we just use a router upstream; no firewall blocks. Internet goes directly to the router, then is routed to the Meraki MX450.

Like I mentioned, the Meraki MX450 is doing VPN concentrator, so we can only use 1 WAN; we can't use 2 WANs like in NAT mode.

So I'm not sure this could cause the problem.
