Using my tunnel as a backup to the WAN

Unanswered Question
Aug 15th, 2007

we have a 10Mb Ethernet circuit between two offices. I would like to setup a site-to-site VPN over the Internet between both offices as well to be used as a backup to the Ethernet circuit. The tunnel configuration is not a problem but how do I make sure that the traffic uses goes over the tunnel in case of WAN disruption?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.4 (5 ratings)
Paolo Bevilacqua Wed, 08/15/2007 - 12:19

Hi, once you setup routing properly, you have floating static routes, or agains dynamic routing over VPN, so if the ethernet circuit goes down, traffic will be routed over the VPN.

Hope this helps, please rate post if it does!

sundar.palaniappan Wed, 08/15/2007 - 12:29

Build a GRE tunnel over the VPN connection. Configure a floating static route, route w/higher admin distance, to forward the traffic to the remote LAN via the tunnel next_hop address. If you aren't running a routing protocol over the existing 10mb ethernet connection then you may have to use this feature called 'static route using object tracking' to ensure the floating static route always works.



Richard Burts Wed, 08/15/2007 - 12:24


To give a good answer to your question we would need to know a few more things about your environment. In particular we need to understand your current routing setup. Do you use static routes? Do you run a dynamic routing protocol?

If you are running a dynamic routing protocol, would you plan to run the dynamic routing protocol over the VPN tunnel?

Running a dynamic routing protocol over both the normal Ethernet connection and the VPN tunnel would probably be easiest. You would simply make sure that the metric for the path over the Ethernet was more attractive than the path over the VPN tunnel.

It could also work with dynamic routing over the Ethernet and a floating static route to send traffic to the other site over the VPN tunnel. The advantage here is that the dynamic routing protocol would detect loss of connectivity over the Ethernet and converge which would allow the floating static route to be used.

If you are not running a dynamic routing protocol then you would need a primary static route and a floating static route for backup. The issue with this approach is that over the Ethernet you could lose connectivity but the static route usig the Ethernet would still be in the routing table. There is a feature of reliable static routes with object tracking which could help deal with this issue.

Let us know more about your situation and we may be able to provide better advice.



Tshi M Wed, 08/15/2007 - 13:01

Yes we are running EIGRP over the Ethernet. However, the VPN will be set using PIX firewalls (ASA 5520 and a PIX 506).

I guess I can use the following static route for the firewall

ip route 112

Paolo Bevilacqua Wed, 08/15/2007 - 13:06

Yes, that is what is called a floating static route. Now for reasons of "number niceness" people likes to use 200 as administrative distance value, but 112 will work as well.

sundar.palaniappan Wed, 08/15/2007 - 13:26

I would suggest you use 200 as the admin distance for floating static route. Admin distance of External EIGRP is 170 and in case you are redistributing the connected LAN network into EIGRP then you would have problems with 112.



Paolo Bevilacqua Wed, 08/15/2007 - 13:39

Correct, so in fact is not just for number "number niceness" that we use 200 all the time :)

guruprasadr Wed, 08/15/2007 - 21:29


I agree to all the above comments.

Recommendations to use "200" as Administrative Distance for the second floating static routes.

In several environments i see only 200 is used for the second static route ie., Backup route.


Best Regards,

Guru Prasad R

Paolo Bevilacqua Thu, 08/16/2007 - 07:33

No these will not go over IPsec. For this reason if you want dynamic routing over IPsec, the best way is to setup a GRE tunnel. This not only will allow routing updates, but also crossing of any source and destination traffic without additional configuration of crypto maps.

mbroberson1 Fri, 08/17/2007 - 10:52

I would highly recommend setting up DMVPN connection to the remote site as a backup for when the ehternet circuit is down. In the setup you can configure your (ip nhrp holdtime 300) nhrp holdtime to something like 300 seconds. If you are using EIGRP place a low bandwidth on the tunnel interface to give precedence to the much faster ethernet circuit.

Tshi M Fri, 08/17/2007 - 11:15

I should of pointed out that the site-to-site VPN is using an ASA5520 and a PIX 506E.

Paolo Bevilacqua Fri, 08/17/2007 - 11:21

That's OK, you can still configure GRE tunnel in the routers and they will 'talk' eigrp over it - no ugly static routes necessary.


This Discussion