What will be the preference rules or failover condition to detect ISP failover at Edge device level.

Comes here often

What will be the preference rules or failover condition to detect ISP failover at Edge device level.

Hello, Please find below updated topology with able to register cloud successfully with two different public IP address by doing translation at Edge firewall. However, the problem is how to detect ISP failover occur at Edge firewall level so accordingly, it will trigger the failover at Meraki WAN interface.




As per the above diagram,  LAN ports are in VLAN 400 and subnet 10.20.30.x/24


WAN1 Port is in VLAN 200 and subnet  translate with ISP 1 public IP address.

WAN2 Port is in VLAN 300 and subnet translate with ISP 2 public IP address.

Switch 1 and 2 are layer 2 switch and connected to each other via the port channel in trunk mode.

Same Edge Firewalls are connected to switches via the port channel and define Meraki next hop IP addresses on the firewall.


 Now, Meraki registered with cloud successfully with two ISP public IP address. Also, these two public IP will form Auto VPN tunnel with other branch Meraki devices. Currently, we have set WAN 1 as a preference due to ISP 1 is the primary path at Edge firewall. However, the problem is to detect ISP failover at Edge firewall level in order to shift the connection from WAN1 to WAN 2 and Vice and Versa.


Below two IP address configured for uplink statistics.

1) Google DNS (

2)  ISP 1 Next-hop IP address.


Please let me know your inputs, as per my understanding I have to check at Edge firewall PBF rules to trigger Meraki failover when ISP failover at Edge firewall.






2 Replies 2
Kind of a big deal
Kind of a big deal

This document covers the WAN failover.


You wont need to do anything extra.


If you are only concerned about AutoVPN failover then define a performance class and set the maximum packet loss to something like 1%.  This guide shows the process for web traffic.  In your case, just make it all traffic.


Comes here often



Yes, Need to test..It should work as defined separate NAT rules for separate WAN connection.


Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.