After working with Cisco Meraki and Cisco TAC, we can confirm from multiple packet captures that this is totally the case, and is a major problem in the Meraki software. We tested too, and it looks like when a "real" fail-over happens, the 1:1 NAT is handled correctly. When we do a switch of primary-spare initiated from the Meraki dashboard, the 1:1 NAT stays with the device which becomes inactive and it will not work properly. When the forced fail-over happens, the MX is sending its physical MAC address to the ARP table, not the virtual MAC address, as it should when a "real" fail-over happens. This is confirmed and we have case numbers on both sides working with engineers.