Secure Client will ALWAYS attempt a TLS connection first.  Once the TLS connection is up it will then concurrently attempt to form a DTLS connection and change over.  If the DTLS connection fails, it will stay using the TLS connection. This way the user is guaranteed to get a client VPN connection.   The questoin is then - what is causing the DTLS connection to fail.  What kind of CPE are you connection from behind of?  Have you checked them for firmware updates?   What happens if you use a different internet connection, such as mobile? ... View more

On an MX65 that I used as a spoke on the corporate SD-WAN with split tunnelling, I got 100Mb/s throughput to the datacentre, but 250Mb/s to the internet.  Therefore I'd expect you'd get 300Mb/s over the VPN and 500Mb/s to the internet...  I can't test now as I have moved and only have an 80Mb/s connection... 🙄 ... View more

Hi,   A complete, seamless failover will work if and when you are using both the ISP connections on both the uplinks on the MX. The way MPLS to VPN failover works, there might be some cases where the configured pinger will be pingable but the actual connection is failed down the line.    When you are using both the ISP connections on the two uplinks on the MX, you will get granular control with Meraki SD-WAN policies to control which traffic should go where and the failover will be seamless.   Cheers!   Raj ... View more