Security Appliance High Availability Configuration

High Availability with More Than Two Physical WAN Uplinks
Although only two active uplinks are supported at a time on an active/primary MX, additional uplinks should be utilized for tertiary failover on the secondary MX. One or two additional uplinks may be utilized on the secondary MX, and will become active when all uplinks on the primary MX fail or when a hardware failure occurs on the primary MX. These additional uplinks connected to the secondary MX can be part of a different IP subnet than the uplinks on the primary MX.

Troubleshooting Routed Warm Spare

If there is a problem with the routed HA configuration, there may be various symptoms that will affect the network, and it may not be obvious that the root cause is routed HA. This section outlines what issues with HA typically look like, as well as recommended troubleshooting steps.

Dual Active Issue

The most common sign of a problem with routed HA is a dual active scenario where both the primary and spare MX report in the dashboard as being active. This can be observed in the dashboard under Security & SD-WAN > Monitor > Appliance status and by comparing the current state of each appliance.

This occurs if the primary MX is online and sending heartbeats that the spare does not see, so the spare concludes that the primary is down. When both the primary and spare are in the active state, the network is affected in various ways, including DHCP, routing, and VPN.

Recommended Troubleshooting Steps

If network issues are occurring that appear to be related to routed HA, the following troubleshooting steps should be taken to identify the root cause:

  1. Review both appliances in the dashboard (under Security & SD-WAN > Monitor > Appliance status) to see whether there is a dual active scenario as outlined above.
    1. If both appliances are consistently reporting in the "active" state, check their LAN connection and make sure they can communicate with each other. 
    2. If the spare MX is intermittently reporting as active while the primary remains online and active, check that both MXs can communicate with each other on all VLANs. Additionally, ensure there are no bad cables connecting the two devices or any other physical issue that could result in unreliable communication.
    3. In any case, it is strongly recommended to take a packet capture on the LAN side of each MX, to get a clear picture of where the VRRP heartbeats are being lost.
  2. If the HA pair is configured to use a virtual IP on the uplink, make sure that each pair of WAN connections (WAN 1 on each MX, for example) share the same broadcast domain so they can both be seen by the upstream device.
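
To act on the packet captures recommended in step 1.3, the following added example (not Meraki code) reads a capture and reports, per VLAN and sender, where VRRP heartbeats stop arriving. It assumes the capture is a classic libpcap file with Ethernet framing and that the heartbeats appear as standard VRRP (IP protocol 112); the function names, the 3-second gap threshold and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

VRRP_PROTO = 112  # IP protocol number assigned to VRRP

def vrrp_adverts(pcap: bytes):
    """Yield (timestamp, vlan_id, src_ip) per VRRP packet in a classic Ethernet pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 18:
            continue
        etype, vlan, l3 = struct.unpack("!H", frame[12:14])[0], 0, 14
        if etype == 0x8100:  # 802.1Q tag: heartbeat sent on a tagged VLAN
            vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
            etype, l3 = struct.unpack("!H", frame[16:18])[0], 18
        if etype == 0x0800 and len(frame) >= l3 + 20 and frame[l3 + 9] == VRRP_PROTO:
            yield sec + usec / 1e6, vlan, ".".join(map(str, frame[l3 + 12:l3 + 16]))

def heartbeat_gaps(pcap: bytes, max_gap: float = 3.0):  # max_gap: assumed threshold
    """Map (vlan, src_ip) -> [(last_seen, next_seen)] where adverts paused > max_gap s."""
    seen = defaultdict(list)
    for ts, vlan, src in vrrp_adverts(pcap):
        seen[(vlan, src)].append(ts)
    gaps = {}
    for key, times in seen.items():
        times.sort()
        gaps[key] = [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]
    return gaps

def sample_pcap() -> bytes:
    """Constructed capture: VLAN 10 adverts every second, VLAN 20 silent from t=2 to t=7."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for vlan, times in ((10, range(8)), (20, (0, 1, 2, 7))):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 255, VRRP_PROTO, 0,
                         bytes([192, 168, vlan, 2]), bytes([224, 0, 0, 18]))
        frame = (bytes.fromhex("01005e000012020000000001")
                 + struct.pack("!HHH", 0x8100, vlan, 0x0800) + ip + bytes(8))
        for t in times:
            out += struct.pack("<IIII", t, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for (vlan, src), gaps in sorted(heartbeat_gaps(sample_pcap()).items()):
        print(f"VLAN {vlan} {src}: {gaps or 'no gaps'}")
```

Run it against the capture taken at each MX and compare the results: a VLAN whose heartbeats are continuous in the primary's capture but show gaps in the spare's capture points to the path between the two appliances on that VLAN.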
