Failover between leased line and the VPN.

Aug 27th, 2007


I have a scenario in which I have two different sites and two different links between them. The primary link is a leased line and the secondary link is through the VPN using the internet.

I want to configure the VPN as the failover for the LL. Can anyone suggest a solution for this problem? This has to happen from both the sites.

Thanks and regards,


srue Mon, 08/27/2007 - 05:16

What's the physical layout? How many devices at each end? Are they firewalls? Routers?

sathyahemanth Mon, 08/27/2007 - 21:25


I have an ASA at the HO and a router at the branch. Both the sites are connected to the internet separately and have a leased line between them.

This same scenario will grow further, with many branches trying to connect to the HO using VPN. The leased line will be replaced by the MPLS.

Whenever the MPLS spoke connection fails, the respective branch has to use the VPN to reach the HO.



jerrytozhang Tue, 08/28/2007 - 06:06

You can use a floating static route to do this job, if you have only one router in your branch and just run static routes on it.

Add the following commands to your branch router.

ip route 0.0.0.0 0.0.0.0 a.b.c.d

ip route 0.0.0.0 0.0.0.0 e.f.g.h 200

a.b.c.d is your LL connection next hop,

e.f.g.h is your internet connection next hop.

200 is the administrative distance.

sathyahemanth Tue, 08/28/2007 - 20:30

Hi Jerry,

The problem is that routed traffic uses the routes and the VPN uses the ACL. I am not sure how to give more priority to routed traffic and less priority to the VPN traffic.



jerrytozhang Wed, 08/29/2007 - 06:30

All the traffic has to go through the routing table and then be forwarded outside, whether it is VPN traffic or not.

In my suggestion, all the traffic will take the first default static route (going through your LL) to go outside in normal conditions. If your LL goes down, then all the traffic will take the second static route (VPN connection) to go outside, because the second default static route has a lower priority than the first one.

Hopefully it can help you.
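
The routing-then-crypto order discussed in this thread, as an added branch-router configuration sketch that is not part of any poster's reply: the routing table picks the egress interface first, and the crypto map ACL is only consulted for packets leaving the interface it is applied to. All addresses, interface names, the key placeholder and the object names (HO-TS, HO-VPN, ACL 110) are assumptions chosen for illustration.

```cisco
! Constructed branch-router example; addresses, interface names and object names are assumptions.
! a.b.c.d = 172.16.0.1 (LL next hop), e.f.g.h = 203.0.113.1 (ISP next hop)
! Branch LAN 192.168.10.0/24, HO LAN 10.1.0.0/16, HO ASA outside address 198.51.100.2
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PRESHARED-KEY address 198.51.100.2
!
crypto ipsec transform-set HO-TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: selects what gets encrypted, but only for packets already routed out FastEthernet0/1
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto map HO-VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set HO-TS
 match address 110
!
interface Serial0/0
 description Leased line to HO (no crypto map: traffic on this path is not encrypted)
 ip address 172.16.0.2 255.255.255.252
!
interface FastEthernet0/1
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 crypto map HO-VPN
!
! Primary default route via the leased line (administrative distance 1)
ip route 0.0.0.0 0.0.0.0 172.16.0.1
! Floating default route via the Internet, installed only when the primary is withdrawn
ip route 0.0.0.0 0.0.0.0 203.0.113.1 200
!
! After failover, traffic that does not match access-list 110 still follows the
! floating default route and leaves FastEthernet0/1 unencrypted.
!
! Verify: show ip route 0.0.0.0
!         show crypto ipsec sa
```

The HO ASA needs the mirror-image crypto ACL and the same route preference so that return traffic fails over along the same path.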

