if you’re running warm spare without a Virtual IP (VIP), failover will work for outbound, but inbound and VPN traffic will behave differently:
What happens now without a VIP
- Auto VPN (Meraki2Meraki): Will automatically re-establish to the secondary’s public IP when failover happens. There’s a short outage during tunnel re-negotiation.
- Non-Meraki VPN peers: The remote side must be able to connect to both WAN IPs (primary and secondary). If it only dials the primary IP, failover will break the tunnel until you change it.
- Client VPN (RA VPN): The public endpoint changes to the secondary MX’s IP on failover. If users connect via the Meraki DDNS hostname, it updates automatically; if they use a fixed IP, they’ll need to switch to the secondary.
- DNAT/Port Forwards: Inbound traffic will only work to the active MX’s public IP. If your DNS still points to the primary IP after failover, inbound will fail until you update it.
Why??? Without a VIP, the active MX’s public IP changes during failover. Anything pointing to the old IP will stop working until you re-point it.
How to fix it If both MX uplinks are on the same ISP subnet:
- Go to Security & SD-WAN → Appliance Status → Uplink configuration.
- Enable Use virtual uplink IPs.
- Assign an unused public IP from the same /29 as the VIP.
- Update your DNS/VPN peers to point to the VIP.
This way, Auto VPN, Client VPN, and DNAT will all use the same IP before and after failover — no DNS changes needed.
If your uplinks are on different ISP subnets and you can’t use VIP:
- Use an FQDN for VPN and inbound services with a low TTL.
- Configure both MX public IPs on remote VPN peers.
- Automate DNS failover to the secondary IP when the primary is down.