This page describes how to set up a high availability (HA) pair between two MX Security Appliances using VRRP (Virtual Router Redundancy Protocol), in either one-arm VPN concentrator mode or NAT mode, and the expected behavior of a configured pair. High availability minimizes downtime in the event of a hardware or uplink failure.
Only one license is required for an HA pair. The warm spare unit does not require a license. Alerts for Warm spare failover can be configured on the Alerts and Administration page.
VPN Concentrator warm spare
Concentrator warm spare is used to provide high availability for a Meraki AutoVPN head-end appliance.
Each concentrator has its own IP address to exchange management traffic with the Meraki Cloud Controller. However, the concentrators also share a virtual IP address that is used for non-management communication.
Connecting the MXes in a “one-armed” VPN concentrator pair
Before deploying MXes as one-arm VPN concentrators, place them into Passthrough or VPN Concentrator mode on the Addressing and VLANs page. In one-armed VPN concentrator mode, the units in the pair are connected to the network only via their respective Internet ports. Make sure they are not connected directly via their LAN ports. They must be within the same IP subnet and able to communicate with each other, as well as with the Cisco Meraki Dashboard. Only VPN traffic is routed to the MX, and both ingress and egress packets are sent through the same interface.
The virtual IP address (VIP) is shared by both the primary and warm spare VPN concentrator. VPN traffic is sent to the VIP rather than the physical IP addresses of the individual concentrators. The virtual IP is configured on the Addressing and VLANs page under the Warm Spare section. It must be in the same subnet as the IP addresses of both appliances, and it must be unique. In particular, it cannot be the same as either the primary or warm spare's IP address.
The two concentrators exchange health information directly with each other over the shared subnet using VRRP heartbeats (advertisements). Failure detection therefore does not depend on connectivity to the Internet or to the Meraki dashboard; conversely, anything on the path between the two units that blocks the VRRP traffic will look to the spare like a failure of the primary.
If the primary unit fails, the warm spare assumes the active role. When the primary concentrator comes back online and the spare begins receiving its VRRP heartbeats again, the spare relinquishes the active role back to the primary concentrator (the primary always preempts).
The total time for failure detection, failover to the warm spare, and resumption of VPN packet processing is typically less than 30 seconds.
NAT Warm Spare
NAT Warm Spare is used to provide redundancy for internet connectivity and appliance services when an MX Security Appliance is being used as a NAT gateway.
Connecting the MXes in a NAT mode pair
In NAT mode, the units in the pair are connected to the ISP or ISPs via their respective Internet ports, and to the internal network via the LAN ports.
WAN configuration: Each appliance must have its own IP address on each uplink to exchange management traffic with the Meraki Cloud Controller. If the primary appliance uses a secondary uplink, the same secondary uplink should also be in place on the warm spare. A shared virtual IP is not required, but without one the address that remote peers and inbound connections see changes when the spare takes over, so configuring a VIP significantly reduces the impact of a failover on clients whose traffic passes through the appliance. A VIP can be configured for each uplink.
LAN configuration: LAN IP addresses are configured based on the Appliance IPs in any configured VLANs. No virtual IPs are required on the LAN.
WAN Virtual IPs
Virtual IP addresses (VIPs) are shared by the primary and warm spare appliance and are held by whichever unit is currently active. Inbound and outbound traffic uses this address, so the same IP address is preserved across a failover and disruption is reduced. The VIPs are configured on the Addressing and VLANs page under the Warm Spare section; if two uplinks are configured, a VIP can be configured for each. Each VIP must be in the same subnet as both appliances' addresses on the uplink it is configured for, and it must be unique: it cannot be the same as either the primary's or the warm spare's own address on that uplink.
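The VIP rules above (and the identical rule for the one-arm concentrator VIP earlier on this page) are easy to get wrong when planning a dual-uplink deployment, so the following added example checks a planned layout before it is typed into the Dashboard. It is not Meraki code; the addresses in EXAMPLE_PLAN are constructed from the RFC 5737 documentation ranges, and the plan dictionary shape is an assumption of this example, not a Dashboard or API format.

```python
"""Validate a planned MX warm spare VIP layout (added example, not Meraki code).

Encodes the constraints stated on this page: each VIP must be in the same subnet
as both appliances' own addresses on that uplink and must differ from both of
them.  In NAT mode a VIP is optional, so an uplink whose "vip" is None is skipped.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_interface


def check_vip(primary: str, spare: str, vip: str) -> list[str]:
    """Return the problems with one uplink's VIP plan (empty list means OK).

    primary / spare: each appliance's own address in CIDR form, e.g. '203.0.113.10/24'
    vip:             the shared virtual IP as a bare address
    """
    problems: list[str] = []
    p, s, v = ip_interface(primary), ip_interface(spare), ip_address(vip)

    if p.network != s.network:
        problems.append(f"primary {p} and spare {s} are not in the same subnet")
    if p.ip == s.ip:
        problems.append(f"primary and spare both use {p.ip}")
    if v not in p.network:
        problems.append(f"VIP {v} is outside the primary's subnet {p.network}")
    if v not in s.network:
        problems.append(f"VIP {v} is outside the spare's subnet {s.network}")
    # The VIP must be unique: it may not duplicate either appliance's real address.
    if v == p.ip:
        problems.append(f"VIP {v} duplicates the primary's address")
    if v == s.ip:
        problems.append(f"VIP {v} duplicates the spare's address")
    # Not stated on the page, but a VIP that is the network or broadcast address
    # of the subnet is never a usable host address (skip the check for /31 and /32).
    if p.network.prefixlen < 31 and v in (p.network.network_address,
                                           p.network.broadcast_address):
        problems.append(f"VIP {v} is the network or broadcast address of {p.network}")
    return problems


def check_warm_spare_plan(plan: dict) -> dict[str, list[str]]:
    """Check every uplink in a plan; returns {uplink_name: [problems]}."""
    results = {}
    for name, uplink in plan.items():
        if uplink.get("vip") is None:          # no VIP on this uplink: nothing to check
            results[name] = []
            continue
        results[name] = check_vip(uplink["primary"], uplink["spare"], uplink["vip"])
    return results


# Constructed sample plan (assumed shape; RFC 5737 documentation addresses).
# wan1 is valid; wan2 reuses the primary's own address as the VIP, which is not allowed.
EXAMPLE_PLAN = {
    "wan1": {"primary": "203.0.113.10/24", "spare": "203.0.113.11/24", "vip": "203.0.113.12"},
    "wan2": {"primary": "198.51.100.10/29", "spare": "198.51.100.11/29", "vip": "198.51.100.10"},
}

if __name__ == "__main__":
    for uplink, problems in check_warm_spare_plan(EXAMPLE_PLAN).items():
        print(uplink, "OK" if not problems else "; ".join(problems))
```

Run it on the real addresses before configuring the Warm Spare section; a non-empty list for any uplink means that VIP will be rejected or, worse, will collide with an appliance's own address.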
There are two failure detection methods for NAT mode warm spare. Failure detection does not depend on connectivity to the Internet / Meraki dashboard.
WAN Failover: WAN monitoring uses the same internet connectivity tests as uplink failover; see the Cisco Meraki Knowledge Base for details on these checks. If the primary appliance has no valid internet connection according to these tests, it stops sending VRRP heartbeats, which causes the spare to take over. When uplink connectivity on the original primary is restored and the warm spare begins receiving VRRP heartbeats again, the spare relinquishes the active role back to the primary appliance.
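The role handoff described here, and the equivalent handoff for the VPN concentrator pair earlier on this page, follows the standard VRRP backup logic: the spare declares the primary down only after a master-down interval with no heartbeats, and steps back to standby as soon as heartbeats resume. The following added model, which is not Meraki code, walks through a WAN flap and a hardware failure. Its timer values are assumptions taken from RFC 3768 (1 s advertisements, backup priority 100, so roughly 3.6 s to declare the master down); the MX's actual timers are not stated on this page, and the page gives only the sub-30-second end-to-end figure.

```python
"""Model of the MX warm spare role handoff (added example, not Meraki code).

Assumptions (not from the page): RFC 3768 default timers, i.e. a 1 s advertisement
interval and a backup at priority 100, giving a master-down interval of
3 * 1 + (256 - 100) / 256 = 3.609 s.  Time is stepped in whole seconds.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

ADVER_INT = 1                                  # seconds between heartbeats (assumed)
BACKUP_PRIORITY = 100                          # spare's VRRP priority (assumed)
MASTER_DOWN = 3 * ADVER_INT + (256 - BACKUP_PRIORITY) / 256


@dataclass
class Primary:
    wan_healthy: bool = True
    alive: bool = True

    def advertises(self) -> bool:
        # Per the page: a primary whose uplink tests fail stops sending heartbeats,
        # exactly as a dead unit does, so both cases look identical to the spare.
        return self.alive and self.wan_healthy


@dataclass
class Spare:
    role: str = "standby"
    last_heard: int = 0

    def tick(self, now: int, heard: bool) -> Optional[str]:
        """Advance one second; return the new role if it changed, else None."""
        if heard:
            self.last_heard = now
            if self.role == "active":
                self.role = "standby"          # primary is back: hand the role back
                return "standby"
            return None
        if self.role == "standby" and now - self.last_heard > MASTER_DOWN:
            self.role = "active"               # no heartbeats for too long: take over
            return "active"
        return None


def simulate(events: dict[int, Callable[[Primary], None]], duration: int) -> list[tuple[int, str]]:
    """Run the pair for `duration` seconds, applying `events[t]` to the primary at
    second t.  Returns the spare's role transitions as (second, new_role)."""
    primary, spare = Primary(), Spare()
    transitions: list[tuple[int, str]] = []
    for t in range(duration + 1):
        if t in events:
            events[t](primary)
        change = spare.tick(t, primary.advertises())
        if change:
            transitions.append((t, change))
    return transitions


# Constructed scenarios.  WAN_FLAP: primary's uplink tests fail at t=5 and recover at
# t=12.  HW_FAIL: the primary dies at t=5 and never returns.
WAN_FLAP = {5: lambda p: setattr(p, "wan_healthy", False),
            12: lambda p: setattr(p, "wan_healthy", True)}
HW_FAIL = {5: lambda p: setattr(p, "alive", False)}

if __name__ == "__main__":
    print("WAN flap:", simulate(WAN_FLAP, 20))   # spare active at t=8, standby again at t=12
    print("HW fail: ", simulate(HW_FAIL, 20))    # spare active at t=8 and stays active
```

Two things the model makes visible: the spare cannot distinguish "primary alive but uplink down" from "primary dead", because in both cases the heartbeats simply stop; and because the primary preempts, a primary whose uplink is marginal will pull the active role back every time its tests pass, so a flapping uplink on the primary shows up as repeated failovers.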
LAN Failover: The two appliances share health information over the network via VRRP. These VRRP heartbeats are exchanged at layer 2 on every configured VLAN, so the layer 2 path between the two appliances (including any switch trunks between them) must carry all of those VLANs. If no advertisements reach the spare on any VLAN, it triggers a failover. When the warm spare begins receiving VRRP heartbeats again, it relinquishes the active role back to the primary appliance.
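When troubleshooting either the concentrator or the NAT mode pair, the quickest way to confirm that heartbeats are actually reaching the spare on a given VLAN is to capture on that VLAN and decode the advertisements. The following added decoder is not Meraki code; it assumes the heartbeats are standard VRRP version 2 advertisements as framed in RFC 3768 (IP protocol 112 to 224.0.0.18), which is the protocol this page names but whose exact framing on the MX the page does not show. The sample packet is constructed here with build_advertisement(), not captured from an MX; VRRPv3 (RFC 5798), which changes the interval field and the checksum computation, is deliberately not decoded.

```python
"""Decode VRRPv2 advertisements seen on a LAN capture (added example, not Meraki code).

Feed parse_advertisement() the VRRP payload, i.e. the bytes after the IPv4 header of
an IP protocol 112 packet addressed to 224.0.0.18.  Assumes RFC 3768 framing.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

VRRP_PROTOCOL = 112
VRRP_MULTICAST = "224.0.0.18"


@dataclass
class Advertisement:
    vrid: int            # virtual router ID shared by the pair
    priority: int        # 255 = address owner; lower values are backups
    adver_int: int       # seconds between advertisements
    auth_type: int       # 0 = none (VRRPv2 authentication is deprecated anyway)
    addresses: list[str]  # virtual IPs this router is advertising for
    checksum_ok: bool


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def vrrp_checksum(message: bytes) -> int:
    """RFC 1071 checksum over the whole VRRP message with its checksum field zeroed."""
    zeroed = message[:6] + b"\x00\x00" + message[8:]
    return (~_ones_complement_sum(zeroed)) & 0xFFFF


def parse_advertisement(payload: bytes) -> Advertisement:
    if len(payload) < 8:
        raise ValueError("VRRP header is at least 8 bytes")
    ver_type, vrid, priority, count, auth_type, adver_int, csum = struct.unpack(
        "!BBBBBBH", payload[:8])
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version != 2:
        raise ValueError(f"only VRRPv2 is decoded here (got version {version})")
    if msg_type != 1:
        raise ValueError(f"unexpected VRRP type {msg_type} (1 = advertisement)")
    need = 8 + 4 * count + 8          # header + IPv4 addresses + 8 bytes auth data
    if len(payload) < need:
        raise ValueError(f"truncated advertisement: need {need} bytes, have {len(payload)}")
    addrs = [str(IPv4Address(payload[8 + 4 * i: 12 + 4 * i])) for i in range(count)]
    return Advertisement(vrid, priority, adver_int, auth_type, addrs,
                         vrrp_checksum(payload[:need]) == csum)


def master_down_interval(adv: Advertisement, backup_priority: int) -> float:
    """Seconds a backup at backup_priority waits after the last advertisement before
    declaring the master down (RFC 3768 section 6.1):
    3 * Advertisement_Interval + Skew_Time, with Skew_Time = (256 - Priority) / 256."""
    return 3 * adv.adver_int + (256 - backup_priority) / 256


def build_advertisement(vrid: int, priority: int, adver_int: int, addresses: list[str]) -> bytes:
    """Construct a valid VRRPv2 advertisement (used here only to make sample input)."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(addresses), 0, adver_int, 0)
    body = b"".join(IPv4Address(a).packed for a in addresses) + bytes(8)
    message = header + body
    return message[:6] + struct.pack("!H", vrrp_checksum(message)) + message[8:]


# Constructed sample: VRID 1, priority 255, 1 s interval, one VIP (RFC 5737 address).
SAMPLE_ADVERTISEMENT = build_advertisement(1, 255, 1, ["203.0.113.12"])

if __name__ == "__main__":
    adv = parse_advertisement(SAMPLE_ADVERTISEMENT)
    print(adv)
    print("backup at priority 100 declares master down after",
          master_down_interval(adv, 100), "s")
```

On a real capture, check three things: that advertisements appear on every configured VLAN, that the VRID and advertised addresses match the VIP you configured, and that the checksum verifies (a failing checksum on a live capture usually means the capture is truncated or you sliced the IPv4 header off at the wrong offset). The master-down figure is the RFC default and only a lower bound on the page's sub-30-second end-to-end failover time.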
The MXes in a NAT mode high availability pair exchange DHCP lease state over the LAN. This ensures that an address already leased to one client before a failover is not handed out to a different client afterwards.