Meraki

Community

load balancing, autovpn and non-meraki vpn

NetC
Conversationalist
‎Mar 6 2024 12:27 PM
‎Mar 6 2024 12:27 PM

load balancing, autovpn and non-meraki vpn

We have the following situation: We have many branch offices (300+) and have a service provider who provides support for certain devices in the branch offices. The service provider therefore has an IPSec tunnel (non-Meraki VPN) to our HQ. From here, the connection to the branch offices is established with AutoVPN to the MX there.

In order to have a good connection to the Internet, we have rented 2 fiber optic lines with a speed of 500 MBit (ISP1) and 300 MBit (ISP2).

 

Unfortunately, this only works if load balancing is deactivated. The IPSec tunnel can be set up with load balancing. After a few seconds, the WAN connection is changed again and again by the load balancing. This causes the connections to break again and again.


The problem seams only exists with the non Meraki VPN.

 

Our partner (Deutsche Telekom) who sets up the entire Meraki network has expressly pointed out to us that the load balancing function does not work properly with Meraki and that it only leads to problems.

 

Is this really true or do any of you have a similar setup?

 

Apart from that, it annoys me that we have two large MX250s in HQ for failover and now need one or two additional MX250s there for non Meraki VPN. According to the technicians, a connection from non Meraki VPN to the branch offices via our HQ is not possible. Therefore, additional hardware was installed for the IPsec and then a static route was stored to get through the AutoVPN to the branch offices.


Very unusual and expensive only for the 5 minutes of support we need once a week.

 

Best regards,

Ronny

Labels:
0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 6 2024 1:58 PM
‎Mar 6 2024 1:58 PM

How did you configure the cost for each of the WANs?

 

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

 

In fact, there are applications that do not behave well when load balancing is used (independent of vendor).

 

In your case it may just be a matter of configuration adjustments, but it may also be that in your scenario the balancing will not work.

 

I suggest you open a support case.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
ww
Kind of a big deal
Kind of a big deal
‎Mar 6 2024 2:14 PM
‎Mar 6 2024 2:14 PM

If i understand correctly you building a tunnel from a lan device to a sp through your mx?  

Maybe it works better if you add the tunnel destination to the flow pref to go out wan1 or wan2

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/MX_Load_Balancing_and_Flow_Preferen...

0 Kudos
In response to ww
NetC
Conversationalist
‎Mar 7 2024 6:02 AM
‎Mar 7 2024 6:02 AM

Hello ww. I have tried to paint a picture of the network to show the VPN issue a little better.

 

NetC_0-1709820016820.png

 

That was the actual plan. However, it didn't work, so we installed an additional MX250 and a static route:

 

NetC_1-1709820251513.png

 

 

 

0 Kudos
In response to NetC
alemabrahao
Kind of a big deal
Kind of a big deal
‎Mar 7 2024 6:04 AM
‎Mar 7 2024 6:04 AM

As mentioned by @ww , set the tunnel to use only 1 of the WANs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 7 2024 11:55 AM
‎Mar 7 2024 11:55 AM

On your scale, buy an MX67, add it to your AutoVPN, and send it to your service provider to install into their network (they can put it into a DMZ on the firewall).  Tell them to treat it like a WAN router.  They just add static route(s) for your network via that.

You would run the MX67 in VPN concentrator mode.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide 

 

Your network is too big to be messing around with the approach of using a non-Meraki VPN.

PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 7 2024 11:56 AM
‎Mar 7 2024 11:56 AM

>Very unusual and expensive only for the 5 minutes of support we need once a week.

 

Tell them to use client VPN.

0 Kudos
NetC
Conversationalist
‎Mar 9 2024 12:34 PM
‎Mar 9 2024 12:34 PM

Thank you very much for your answers. I will ask our service provider next week if one of the two options is possible.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.