Site to Site VPN as a backup

Answered Question
Apr 13th, 2010

Was wondering if anyone has any suggestions for a configuration I am trying to get going.

What I have is a Colo Data Center that is connected back to multiple sites via MPLS.  Internet access is through the Colo for all sites. In case of a failure of the MPLS I am trying to get an automated VPN to come up that would connect from an Adtran router with a Verizon Wireless Card in it.  I have the VPN up and that works.  It is the automation piece that I am trying to figure out.  So, currently the Pix has static routes that point everything towards the MPLS router for all of the sites.  Everything else uses the MPLS router as a DGW and then the DGW for the MPLS is the Pix.

If there is a failure the VPN will come up but then there are the routes on the Pix that will just push everything back towards the MPLS.  The provider is saying to put higher metric routes for the statics back to the MPLS but higher than what?  When the VPN comes up there aren't really any routes there to push the traffic across the VPN.

The thought I had was that since the managed MPLS router at the colo is a Cisco router to have the provider redistribute the BGP routes back out to EIGRP which the Pix could pick up.  In the case of a failure once EIGRP was updated there would be no route towards the MPLS and everything would just route out the DGW which would be the Pix.

Anyone done anything like this before that might have some ideas?


mwkirk Fri, 04/16/2010 - 07:30

Thanks for responding.  The static routes point back into an MPLS net.  There is one of the MPLS sites that we want to install a router (Adtran) with a Verizon EVDO card installed that will be for a backup link.  So, if the MPLS goes down then the backup router link will come up and make a VPN connection to the firewall.

Here is a quick diagram I threw together.  Hopefully, this doesn't confuse things more:

Thanks for the diagram, but now a can of worms has been opened!!

When you say "So, if the MPLS goes down" do you mean JUST the mpls link to the PIX firewall???

What if the mpls link from the PIX firewall & the mpls link to site A also goes down....How do sites B & C continue to work and have access to the internet?

mwkirk Fri, 04/16/2010 - 08:02

Right now we are specifically looking at doing the backup for Site A.  It might extend to other sites at a later date but Site A has had some issues with the MPLS connection going down.  So for now we are specifically looking to protect against a failure of the link to the MPLS at Site A.

I can get the VPN up and running but my issue is how to handle the routing at the firewall.  If I have static routes in there to point the Site A addresses towards the MPLS then when the VPN comes up in case of a failure it will still try to push the traffic towards the MPLS which will now be down.

Correct Answer

A simple delay sensitive solution will be IP SLA in the PIX/ASA.  When the MPLS interface of SiteA is unreachable, a static route in the PIX/ASA pointing into the VPN tunnel becomes active.  When the MPLS interface is available again, then the route is removed.
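As an added illustration of that tracked-static-route arrangement (not configuration from anyone in this thread), here is what it looks like in ASA / PIX 7.2-or-later syntax; every address, interface name, SLA id and track id below is an assumed placeholder, and the crypto map that carries Site A traffic to the Adtran is assumed to exist already.

```cisco
! Added illustration of the tracked-static-route approach; not from the thread.
! All addresses, interface names and object numbers are assumed placeholders.
!
! Probe the Site A MPLS-side interface every 10 s with ICMP echo, forced out
! the inside interface (toward the MPLS router) so the probe itself is not
! steered by the floating backup route below. threshold must not exceed
! timeout, so it is set first.
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.1.1 interface inside
 num-packets 3
 frequency 10
 threshold 2000
 timeout 3000
sla monitor schedule 10 life forever start-time now
!
! Tracking object 1 follows the reachability state of probe 10.
track 1 rtr 10 reachability
!
! Primary route: Site A LAN via the colo MPLS router on the inside, installed
! only while track 1 reports reachable. When the probe fails, this route is
! withdrawn; when the MPLS interface answers again, it is re-installed.
route inside 10.10.0.0 255.255.0.0 10.0.0.2 1 track 1
!
! Floating backup: same prefix, higher administrative distance, next hop the
! outside (Internet) gateway, so Site A traffic is handed to the crypto map
! and encrypted toward the Adtran's Verizon-side address while the primary
! route is absent.
route outside 10.10.0.0 255.255.0.0 203.0.113.1 254
!
! The crypto map's interesting-traffic ACL (not shown) must cover the Site A
! prefix, otherwise the rerouted traffic leaves the outside interface in the
! clear or is dropped rather than entering the tunnel.
```

Failover time is roughly frequency plus timeout (here a little over 13 s), so tune those two values against how quickly the Adtran's VPN actually establishes; cutting over before the tunnel is up just blackholes Site A traffic for the difference.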



mwkirk Mon, 04/19/2010 - 11:25

That's pretty slick....I think that could work.

