
Warm Spare

This page describes how to set up a high availability (HA) pair using the VRRP protocol between two MX Security Appliances in either one-arm Concentrator mode or NAT mode, as well as the expected behavior of configured HA pairs. High availability can be used to minimize downtime in the event of a hardware failure.

Only one license is required for an HA pair; the warm spare unit does not require a license. Alerts for warm spare failover can be configured on the Alerts and Administration page.

VPN Concentrator warm spare

Concentrator warm spare is used to provide high availability for a Meraki AutoVPN head-end appliance.

Network setup

Each concentrator has its own IP address to exchange management traffic with the Meraki Cloud Controller. However, the concentrators also share a virtual IP address that is used for non-management communication.

Connecting the MXes in a “one-armed” VPN concentrator pair

Before deploying MXes as one-arm VPN concentrators, place them into Passthrough or VPN Concentrator mode on the Addressing and VLANs page. In one-armed VPN concentrator mode, the units in the pair are connected to the network only via their respective Internet ports. Make sure they are not connected directly via their LAN ports. They must be within the same IP subnet and able to communicate with each other, as well as with the Cisco Meraki Dashboard. Only VPN traffic is routed to the MX, and both ingress and egress packets are sent through the same interface.

Virtual IP

The virtual IP address (VIP) is shared by both the primary and warm spare VPN concentrator. VPN traffic is sent to the VIP rather than the physical IP addresses of the individual concentrators. The virtual IP is configured by navigating to Security appliance > Appliance status when a warm spare is configured. It must be in the same subnet as the IP addresses of both appliances, and it must be unique. In particular, it cannot be the same as either the primary or warm spare's IP address.

Failure detection

The two concentrators share health information over the network via the VRRP protocol. Failure detection does not depend on connectivity to the Internet / Meraki dashboard.

In the event that the primary unit fails, the warm spare will assume the primary role until the original primary is back online. When the primary VPN concentrator is back online and the spare begins receiving VRRP heartbeats again, the warm spare concentrator will relinquish the active role back to the primary concentrator.

The total time for failure detection, failover to the warm spare concentrator, and ability to start processing VPN packets is typically less than 30 seconds.

NAT Warm Spare

NAT Warm Spare is used to provide redundancy for internet connectivity and appliance services when an MX Security Appliance is being used as a NAT gateway.

Network setup

Connecting the MXes in a NAT mode pair

In NAT mode, the units in the pair are connected to the ISP or ISPs via their respective Internet ports, and to the internal network via the LAN ports.

WAN configuration: Each appliance must have its own IP address to exchange management traffic with the Meraki Cloud Controller. If the primary appliance is using a secondary uplink, the secondary uplink should also be in place on the warm spare. A shared virtual IP, while not required, will significantly reduce the impact of a failover on clients whose traffic is passing through the appliance. Virtual IPs can be configured for both uplinks.

LAN configuration: LAN IP addresses are configured based on the Appliance IPs in any configured VLANs. No virtual IPs are required on the LAN.

Instructions on setting up Warm Spare in NAT mode can be found in this article.

WAN Virtual IPs

Virtual IP addresses (VIPs) are shared by both the primary and warm spare appliance. Inbound and outbound traffic uses this address to maintain the same IP address during a failover and reduce disruption. The virtual IPs are configured on the Security Appliance > Monitor > Appliance status page, under the Warm Spare section in the upper-left corner of the page. If two uplinks are configured, a VIP can be configured for each uplink. Each VIP must be in the same subnet as the IP addresses of both appliances for the uplink it is configured for, and it must be unique. In particular, it cannot be the same as either the primary or warm spare's IP address.
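The VIP rules stated for both the concentrator and NAT cases (same subnet as both appliances, unique, not equal to either appliance's own address) can be checked before the change is made in Dashboard. This is an added example, not Meraki code; the function names, the per-uplink layout and the addresses are constructed for illustration.

```python
import ipaddress


def validate_vip(primary_ip, spare_ip, vip, prefix_len):
    """Check one uplink's warm spare addressing against the VIP rules.

    Returns a list of problems; an empty list means the VIP is acceptable.
    """
    problems = []
    p, s, v = (ipaddress.ip_address(a) for a in (primary_ip, spare_ip, vip))
    primary_net = ipaddress.ip_network(f"{p}/{prefix_len}", strict=False)
    spare_net = ipaddress.ip_network(f"{s}/{prefix_len}", strict=False)
    # Both appliances must sit in one IP subnet so the layer 2 VRRP
    # exchange between them works.
    if primary_net != spare_net:
        problems.append(f"primary {p} and spare {s} are not in one /{prefix_len} subnet")
    # The VIP must be in the same subnet as the appliance addresses.
    if v not in primary_net:
        problems.append(f"VIP {v} is outside the appliances' subnet {primary_net}")
    # The VIP must be unique: it may not equal either appliance's own address.
    if v == p or v == s:
        problems.append(f"VIP {v} collides with an appliance address")
    return problems


def validate_nat_pair(uplinks):
    """Validate a NAT mode pair with one or two uplinks.

    uplinks maps an uplink name to (primary_ip, spare_ip, vip, prefix_len);
    vip may be None because a WAN VIP is optional in NAT mode.
    """
    report = {}
    for name, (p, s, vip, plen) in uplinks.items():
        if vip is None:
            report[name] = ["no VIP configured: clients will see a new source IP after failover"]
        else:
            report[name] = validate_vip(p, s, vip, plen)
    return report


# Constructed sample using documentation address ranges (not real deployments).
SAMPLE_UPLINKS = {
    "WAN1": ("203.0.113.10", "203.0.113.11", "203.0.113.12", 24),  # valid
    "WAN2": ("198.51.100.10", "198.51.100.11", "198.51.100.10", 24),  # VIP equals primary
}

if __name__ == "__main__":
    for uplink, problems in validate_nat_pair(SAMPLE_UPLINKS).items():
        print(uplink, "OK" if not problems else problems)
```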

Failure detection

There are two failure detection methods for NAT mode warm spare. Failure detection does not depend on connectivity to the Internet / Meraki dashboard.

WAN Failover: WAN monitoring is performed using the same internet connectivity tests that are used for uplink failover. For more details on these checks, see the Cisco Meraki Knowledge Base. If the primary appliance does not have a valid internet connection based on these tests, it will stop sending VRRP heartbeats, which will result in a failover. When uplink connectivity on the original primary appliance is restored and the warm spare begins receiving VRRP heartbeats again, it will relinquish the active role back to the primary appliance.

LAN Failover: The two appliances share health information over the network via the VRRP protocol. These VRRP heartbeats occur at layer 2 and are performed on all configured VLANs. If no advertisements reach the spare on any VLAN, it will trigger a failover. When the warm spare begins receiving VRRP heartbeats again, it will relinquish the active role back to the primary appliance.
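The role logic described for both the concentrator pair and the NAT pair (the spare takes over only when advertisements stop on every VLAN, and hands the role back once heartbeats resume) can be modelled as a small state machine. This is an added example, not MX firmware; the class, the dead interval and the event timeline are constructed, and the page only states that a full failover typically completes in under 30 seconds.

```python
from dataclasses import dataclass, field


@dataclass
class WarmSpare:
    """Role decision of the spare, driven by received VRRP advertisements.

    dead_interval is the assumed number of seconds without any advertisement
    on any VLAN before the spare takes over (a constructed value).
    """
    vlans: tuple
    dead_interval: float = 10.0
    active: bool = False
    last_seen: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def heartbeat(self, vlan, now):
        """A VRRP advertisement from the primary arrived on `vlan` at time `now`."""
        self.last_seen[vlan] = now
        return self.evaluate(now)

    def evaluate(self, now):
        """Re-evaluate the role at time `now`; failover only when ALL VLANs are silent."""
        silent = all(now - self.last_seen.get(v, float("-inf")) > self.dead_interval
                     for v in self.vlans)
        if silent and not self.active:
            self.active = True
            self.log.append((now, "spare takes active role"))
        elif not silent and self.active:
            # Heartbeats are back (primary healthy, or its uplink tests pass again).
            self.active = False
            self.log.append((now, "spare relinquishes active role to primary"))
        return self.active


def simulate(events, vlans=(1, 10), dead_interval=10.0):
    """Replay (time, vlan) advertisements; (time, None) is a timer tick with no advert."""
    spare = WarmSpare(vlans=vlans, dead_interval=dead_interval)
    for t, vlan in sorted(events, key=lambda e: e[0]):
        spare.evaluate(t) if vlan is None else spare.heartbeat(vlan, t)
    return spare.log


# Constructed timeline: both VLANs healthy, then VLAN 10 alone goes quiet
# (no failover), then total silence (failover), then the primary returns.
SAMPLE_TIMELINE = ([(t, 1) for t in range(0, 11)] + [(t, 10) for t in range(0, 6)]
                   + [(15, None), (21, None), (30, 1), (30, 10)])

if __name__ == "__main__":
    for when, event in simulate(SAMPLE_TIMELINE):
        print(f"t={when:>3}s  {event}")
```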

DHCP Synchronization

The MXes in a NAT mode high availability pair exchange DHCP state information over the LAN. This prevents a DHCP IP address from being handed out to a client after a failover if it has already been assigned to another client prior to the failover.

Last modified
09:03, 5 Sep 2017
