Skip to main content

 

Cisco Meraki Documentation

Primary and Secondary IPsec VPN Tunnels

Overview

Primary and secondary IPsec tunnels can be created to provide redundant connectivity to a remote peer. Use cases include SASE, SSE, SWG, FWaaS, etc.

Diagram showing IPsec tunnels between an MX with two WAN connections and a primary and secondary SSE Hub. Primary and standby tunnels are built over WAN 1. Failover happens between tunnels on WAN 1. Tunnels over WAN 2 get established after WAN 1 uplink fails.

Prerequisites

  • IKEv2 setting

  • MX 19.1.4 or newer release

  • MX platforms that support MX 19.1.4 firmware and above

Tunnel monitoring

To enable failover between primary and secondary tunnels, tunnel monitoring is required. Tunnel monitoring with Layer 7 health check (HTTP probes) enables tracking of Primary and Secondary IPsec tunnels to determine Layer 3 & 7 connectivity over both tunnels. Meraki Secure SD-WAN uses the health check monitoring data to determine when to automatically failover to the Secondary tunnel.

Layer 7 health check is not supported on dynamic routed BGP enabled tunnels. Tunnel monitoring with Layer 7 health check is only supported with static routed tunnels.

Configure Layer 7 Health Checks

Click on the Configure health check button as shown in the following image to start the process.

Picture of the non-Meraki peers section of the Site-to-site VPN settings page showing the "Configure health check" button.


Next, configure a health check name and endpoint. Meraki Secure SD-WAN will probe the configured endpoint to track connectivity over the tunnel. The endpoint hostname will be resolved over the local WAN uplink with the DNS server IP configured on the WAN interface.

Picture of the "Configure health checks" window. Configure your health checks for tunnel health. Health check will use the IP/hostname defined under "endpoint" for probing when the MX is in passthrough mode. Only one health check per tunnel can be used.

Next, apply the Health check to a tunnel. Navigate to the tunnel you want to monitor or create a new IPsec peer.

If you already have an IPsec peer configured, click on the dotted menu next to the configured peer, and click on edit. On the side drawer under Tunnel monitoring, select the configured health check from the Health check drop-down and save. This will apply the health check to the tunnel.

Tunnel monitoring with Layer 7 health check must be configured to enable tunnel monitoring and failover to the Secondary tunnel. 

After clicking the dotted menu of the IPSec peer, an "Edit" option will appear.Picture showing the "Tunnel monitoring" option when editing an IPsec peer. "Default SLA" is selected as the Health check for this IPsec Peer.

  • The configured Layer 7 health check and failover to direct internet will be inherited by the secondary tunnel once configured
  • Only one Layer 7 health check can be applied to a tunnel pair (Primary & Secondary)

The Enable failover to DIA (Direct Internet Access) allows you to control failover behavior if both primary and secondary tunnels are down, or marked failed by tunnel monitoring.

Failover to DIA is turned off by default, which means when the tunnel fails, traffic will not failover to the Internet uplink. However if the failover to DIA option is enabled, traffic will be rerouted to the local uplink.

  • Please note that failover to DIA only works when both primary and secondary tunnels are marked as failed or are both down
  • Failover to DIA does not work between Primary tunnel and DIA. A secondary tunnel must be configured

Once tunnel monitoring has been set up, you can now add a Secondary tunnel.

Creating a Secondary Tunnel

Secondary tunnels can be enabled to provide redundancy if the primary tunnel fails.

To create a Secondary tunnel, navigate to the Primary tunnel you want to create a secondary tunnel for, and click on the dotted  menu to right of the peer, and click on Add option under Secondary. This will open a dedicated side drawer for the Secondary peer.

Picture showing the "Add" option to add a secondary peer.

  • Secondary tunnels are not supported on BGP over IPsec peers. If you have BGP enabled on your primary peer, you will not see the (Primary/Secondary) option
  • Secondary tunnels can only be configured if a health check has been set on the Primary tunnel

Configuring a secondary peer is the same as configuring a primary one. The inherit primary peer configuration makes it easy to inherit primary settings and minimizes error during configuration. IKE version, routing, private subnets and availability will be automatically inherited from the primary and set to read-only.

Picture showing the "Add secondary VPN peer" configuration window that appears after clicking on the "Add" option under "Secondary". The "Inherit primary peer configurations" button at the top of the page can be used to automatically populate the configuration fields.

Tunnel failover criteria

Failover between primary and secondary tunnel occurs when:

  • Tunnel is up (IPsec is established) but the health check probes fail.

  • Tunnel is down.
     

MX periodically applies the following policy based on the latest probe data:

  1. If the primary tunnel is up, MX picks it.

  2. If the primary tunnel is down, and the secondary tunnel is up, MX picks the secondary.

  3. If the both primary and secondary tunnels are down, MX picks direct internet access if enabled.
     

Up” means that the most recent probe has succeeded (returned a 1xx, 2xx or 3xx status code).

Down” means that the most recent probe has failed (ICMP unreachable, TCP reset, HTTP 4xx/5xx code or similar) or timed out (packets lost) after 10 seconds.

The delay could be longer from an end user experience perspective as the end user’s device (laptop/smartphone) may take time to reestablish connections after we have completed the failover/failback.

Failover Timers

Probe interval - 10 secs
Failover time - between 1 - 30 secs

Probe interval and failover time is not configurable at this time.

Probe IP

Tunnel monitoring probes are sourced from 192.0.2.3/32 by default for both primary and secondary tunnels. The Probe IP cannot be configured via Dashboard at this time. The ability to customize your probe IP via Dashboard will be available when the 19.x firmware becomes GA.

VPN Tunnel and Health Check Status 

Navigate to Security & SD-WAN > VPN Status – IPsec VPN tab.

Here you can see the status of the IPsec tunnel.

VPN status indicator

Meaning

Green 

Phase 1 and phase 2 are up

Amber

Phase 1 is up but phase 2 is down 

Red

Phase 1 and phase 2 are both down

Health check status is currently logged in the event log. An event type category is not yet available for health check logs, a category will be available before 19.x goes GA.

Troubleshooting

  1. IPsec tunnel status - Check if IPsec tunnel is up.

  2. Health check status - Check if health check probes are successful.

  3. DNS resolution failure - Check if endpoint is resolvable with WAN uplink DNS, try generic endpoint.

  4. Remote peer issue - Troubleshoot IPsec tunnel.