Closed yujiterada closed 3 years ago
Engineering is currently wrapping up the backend work to support tracking third party VPN status. Expected timeline is end of Sept/early Oct for the merge. The state of the tunnel will account for the successful exchange of ISAKMP over the tunnel. Since it is only one active tunnel per destination there is less of a concern for tracking individual SAs on the data plane.
The endpoint has been updated with the necessary information for third party VPN reachability. Will work on a working PoC and throw the code here. Unless someone wants to try and beat me to it :)
Here is my attempt at this:
https://github.com/MitchellGulledge/MX-Third-Party-Failover/blob/master/failover.py
Would love some validation that this works as well. (Just configure tunnels that are down)
The new version of the API allows us to solve this with the VPN statuses endpoint from Meraki. Closing this issue out.
Failover to VPN Gateway instance 1 by automatically swapping the tags does not work. This is pending a fix on the Meraki side.
Expected Behavior
When the MX cannot reach VPN Gateway instance 0, the script should swap the tags of the network so the MX will initiate a tunnel to VPN Gateway instance 1. As an example, let's say the tags are vwan-hub-west-1 and vwan-hub-west-1-sec, and vwan-hub-west-1 is configured on network-A. If network-A loses its connectivity to VPN Gateway instance 0, then the tag on network-A should be swapped to vwan-hub-west-1-sec.
Current Behavior
Doesn't take care of VPN tunnel failures and clings on to VPN Gateway instance 0.
Possible Solution
Wait for Meraki to update getOrganizationApplianceVpnStatuses endpoint for it to return the reachability status for thirdPartyVpnPeers.
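The tag swap described under Expected Behavior, and the dependency on the reachability field of thirdPartyVpnPeers named under Possible Solution, as an added example. This is not the linked failover.py, not Meraki's SDK, and not code from anyone in this thread. It assumes (unconfirmed by the issue) that each record from getOrganizationApplianceVpnStatuses carries a networkId and a thirdPartyVpnPeers list whose entries have a name and a reachability of "reachable" or "unreachable"; the peer name vwan-hub-west-1-vpn0 and the network ids are constructed, the tag names are the ones from the issue, and update_tags is whatever callable the operator wires to the network-update call.

```python
"""Plan and apply a tag swap so an MX moves from VPN Gateway instance 0 to
instance 1 when the primary third-party peer is reported unreachable.

Added example for this issue; not the project's failover.py and not the Meraki
SDK. ASSUMED response shape (not confirmed by the issue):
  {"networkId": "N_A",
   "thirdPartyVpnPeers": [{"name": "...", "reachability": "reachable" | "unreachable"}]}
"""
from __future__ import annotations
from typing import Callable

# peer name -> (tag that points the MX at instance 0, tag that points it at instance 1).
# The peer name is constructed; the two tags are the ones used in the issue text.
FAILOVER_PAIRS: dict[str, tuple[str, str]] = {
    "vwan-hub-west-1-vpn0": ("vwan-hub-west-1", "vwan-hub-west-1-sec"),
}


def plan_failover(statuses, current_tags, pairs=FAILOVER_PAIRS):
    """Return {networkId: new_tag_list} for every network that must swap.

    A network swaps only when it carries the primary tag AND the status record
    explicitly reports the primary peer as "unreachable". A missing record or a
    missing peer entry counts as unknown and never triggers a swap, so a stale
    or partial API response cannot bounce tunnels. Unrelated tags are kept.
    """
    changes: dict[str, list[str]] = {}
    for record in statuses:
        net_id = record.get("networkId")
        tags = current_tags.get(net_id)
        if not tags:
            continue
        reach = {p.get("name"): p.get("reachability")
                 for p in record.get("thirdPartyVpnPeers", [])}
        new_tags = list(tags)
        for peer_name, (primary, secondary) in pairs.items():
            if primary in new_tags and reach.get(peer_name) == "unreachable":
                new_tags = [secondary if t == primary else t for t in new_tags]
        if new_tags != tags:
            changes[net_id] = new_tags
    return changes


def apply_failover(changes, update_tags: Callable[[str, list[str]], None]):
    """Push each planned change through the supplied updater; return ids touched."""
    updated = []
    for net_id, tags in changes.items():
        update_tags(net_id, tags)
        updated.append(net_id)
    return updated


# Constructed sample: N_A lost instance 0, N_B is healthy, N_C has no peer entry
# at all (unknown state, must not be swapped).
SAMPLE_STATUSES = [
    {"networkId": "N_A", "thirdPartyVpnPeers": [
        {"name": "vwan-hub-west-1-vpn0", "reachability": "unreachable"}]},
    {"networkId": "N_B", "thirdPartyVpnPeers": [
        {"name": "vwan-hub-west-1-vpn0", "reachability": "reachable"}]},
    {"networkId": "N_C", "thirdPartyVpnPeers": []},
]
SAMPLE_TAGS = {
    "N_A": ["vwan-hub-west-1", "site"],
    "N_B": ["vwan-hub-west-1"],
    "N_C": ["vwan-hub-west-1"],
}

if __name__ == "__main__":
    planned = plan_failover(SAMPLE_STATUSES, SAMPLE_TAGS)
    # Dry-run updater: print instead of calling the dashboard API.
    apply_failover(planned, lambda nid, tags: print(f"update {nid} -> {tags}"))
```

Running it on the constructed data swaps only N_A to vwan-hub-west-1-sec while leaving its other tag intact; N_B stays on instance 0 and N_C is left alone because its reachability is unknown rather than reported down. Failing back to instance 0 is deliberately not planned here, since once the tag is swapped the MX only builds a tunnel to instance 1 and the status record no longer tells you whether instance 0 has recovered.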