So, for you, my way can be to use manual NAT traversal. But, when I try to activate this the dashboard, the public IP is required :     Because I have 2 ISPs, if we are in failover, an other public IP will be used. That's why I said the automatic NAT traversal seems to be the only way for me.     If I keep automatic and I manage a public IP white list? perhaps I can do an API request to receive all public IP found from my dashboard?   ... View more

Dear CN,     About the manuel NAT traversal, I can not implement this because there 2 ISPs with 2 differents public IP. When we select manuel NAT traversal we need to put a port and only one IP. So, in my case, automatic is the only way.     About incoming rule, I'm surprise about this. I read this in Meraki document :     Public IP assignment Placing an MX appliance configured as a one-armed VPN concentrator at the perimeter of the network with a publicly routable IP address is not recommended and can present security risks. As a best practice, one-armed concentrators MX appliances should always be deployed behind an edge firewall that filters inbound connections. https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide   Now, I read again this and I'm not sure about "that filters inbound connections" ? So you confirm, in my case, open incoming rules could be a solution? So it mean a rule where I will open all UDP port range 32768-61000 from all IPs?       ... View more

Dear CN   Put temporary manual NAT traversal in order to force all VPN to change ports can be an other work-around, but it still not an automatic fail-over.   In this case, why Meraki can not change source port used when a new public IP is discovered? (this could solve other behavior I saw too... because dynamic NAT behavior change a lot depend of routers models)   The intricacies on Palo side is the fact that because the source IP (Private VIP IP from the one armed concentrator) and the source port don't change on this fail-over, the Palo-Alto continu to work with the same session and continu to NAT of the old public IP. So all incoming packet coming from other MX on the new public IP are drop because there is no existing session on this criteria. Clear session or change source port will force to recreate these sessions. I continu to think this behavior is not normal on Palo side.   An other work-around I had in mind was to have an incoming rules to allow UDP flow to go to the VIP MX IP. But this kind of incoming rules looks not good in term of security and Meraki don't recommend this rule in this configuration. Do you think this could be a way?     Best regards, ... View more

Put the MX in parallel is not an option for me because I need to keep one-armed VPN concentrator due to EBGP used.   At this moment, I push a case on Palo-Alto side because I consider this is a bad behavior from Palo-alto. I keep you updated.   In any case, all proposition you can have will be more than welcome because I can't keep this no-automatic fail-over in a DC.   ... View more

Yesterday, I was with Palo-alto support. I propose this way, because it's possible to reduce UDP session timeout, default is 30sec. But from my analyze, to have this working, it mean 2 or 3 secondes and Palo-alto said this is not recommended to have very small value like that.     ... View more

Dear Jordan,     Thanks again. In my case, I use BGP and it's concentrator only....so.   Like you, I saw this behavior with other VPN tunnel, not only Meraki. I consider this problem is on Palo Alto side and I will push on this way.   I created this post about this problem : https://community.meraki.com/t5/Full-Stack-Network-Wide/Meraki-MX250-behind-Palo-Alto/m-p/97876#M1614 I will try to update my situation on that.     ... View more

Hi Jordan,     I note exactly the same :   "One thing to note is if you are using PBF rules on the Palo Alto for ISP fail over, I've found that the Palo Alto will not clear the Meraki IPsec sessions when failing to the backup ISP (or failing back to the primary). In order to get the Meraki VPN to fail over you have to either clear the Palo Alto IPsec sessions, or restart the Meraki to re-establish the IPsec tunnels."   I have the same problem and I try to find a solution because it mean fail-over is not automatique. I have case open with Palo-Alto :   Here explanation from Palo-Alto : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLlfCAG From my point of view this is not acceptable solution in the article.     Did you continu to deal with this today or did you find an other solution?     Regards, ... View more