We have the following situation: We have many branch offices (300+) and have a service provider who provides support for certain devices in the branch offices. The service provider therefore has an IPSec tunnel (non-Meraki VPN) to our HQ. From here, the connection to the branch offices is established with AutoVPN to the MX there.
In order to have a good connection to the Internet, we have rented 2 fiber optic lines with a speed of 500 MBit (ISP1) and 300 MBit (ISP2).
Unfortunately, this only works if load balancing is deactivated. The IPSec tunnel can be set up with load balancing. After a few seconds, the WAN connection is changed again and again by the load balancing. This causes the connections to break again and again.
The problem seems to exist only with the non-Meraki VPN.
Our partner (Deutsche Telekom) who sets up the entire Meraki network has expressly pointed out to us that the load balancing function does not work properly with Meraki and that it only leads to problems.
Is this really true or do any of you have a similar setup?
Apart from that, it annoys me that we have two large MX250s in HQ for failover and now need one or two additional MX250s there for non-Meraki VPN. According to the technicians, a connection from non-Meraki VPN to the branch offices via our HQ is not possible. Therefore, additional hardware was installed for the IPsec and then a static route was stored to get through the AutoVPN to the branch offices.
Very unusual and expensive only for the 5 minutes of support we need once a week.
Best regards,
Ronny
How did you configure the cost for each of the WANs?
In fact, there are applications that do not behave well when load balancing is used (independent of vendor).
In your case it may just be a matter of configuration adjustments, but it may also be that in your scenario the balancing will not work.
I suggest you open a support case.
If I understand correctly, you are building a tunnel from a LAN device to an SP through your MX?
Maybe it works better if you add the tunnel destination to the flow preferences so that it goes out WAN1 or WAN2.
Hello ww. I have tried to paint a picture of the network to show the VPN issue a little better.
That was the actual plan. However, it didn't work, so we installed an additional MX250 and a static route:
As mentioned by @ww, set the tunnel to use only one of the WANs.
On your scale, buy an MX67, add it to your AutoVPN, and send it to your service provider to install into their network (they can put it into a DMZ on the firewall). Tell them to treat it like a WAN router. They just add static route(s) for your network via that.
You would run the MX67 in VPN concentrator mode.
https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide
Your network is too big to be messing around with the approach of using a non-Meraki VPN.
>Very unusual and expensive only for the 5 minutes of support we need once a week.
Tell them to use client VPN.
Thank you very much for your answers. I will ask our service provider next week if one of the two options is possible.