PPP link btwn L3 switches and ASA5520 L2L tunnel advise

Unanswered Question
Apr 21st, 2010

Hello guys,

I have private PPP link between two sites connected to two L3 switches as routed port. Traffic between these two LANs is sailing smoothly via the PPP link bidirectional. I have also implemented IPSec VPN tunnel between the same two sites via the internet as backup in case the private link failed. In this case, the tunnel is working great.

When the PPP link restored on the L3 switch the LAN traffic continue to pass through the tunnel.

How do I configure the firewall or the switch to drop the IPSec tunnel when the PPP link restore?

The trick here is my internet ASA5520 firewall at both sites doesn’t know this route because it is part of the LAN. Can sla monitor and tracking with ACL will work? If so, any advice

Site A:

PPP link address on L3 switch

ASA outside inside

Site B:

PPP link address on L3 switch





I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Eric Boadu Wed, 04/21/2010 - 12:17

P, Thank you very much for your lead and already looked into that link.  My situation is bit different because both links are not physically connected to my firewall. I have one link from the firewall to ISP and other from the LAN switch to other location’s LAN switch. Just link trunking link but instead it is point-to-point with L3 subnet.

Thx, Eric

Eric Boadu Wed, 04/21/2010 - 13:32

Hey guys, I have tested various sla tracking solutions in my lab and finally got the best solution base on the design. I will advise later.



p.mcgowan Thu, 04/22/2010 - 01:21

Hi Eric,

you could try and configure SLA monitor on the lan switch so that it is tracking the remote LAN switch, if this fails then the SLA could then failover to the VPN link

Eric Boadu Thu, 04/22/2010 - 05:27

What about when the PPP link restores and how it will force the firewall to drop the tunnel and route inside traffic to the ppp link? I am continue to test various scenarios

Hi Eric,

You can set up reliable static route to track the SLA and set up the same route with higher metric through the ASA.

Once the ppp link goes down the higher metric static route kicks in and once comes back the original route will be valid again.

If your L3 switch has routing protocol capability you can use that as well combined with static route.

Another option is if your p2p link is transparent ethernet you can use udld to detect the link failure so normal floating static route can work well.

I have a similar setup and udld works well.

Let me know if any of the options needs clarification.

Hope it helps, rate if does


Eric Boadu Thu, 04/22/2010 - 12:43

Hi K,

Can you send me some example config please? I have tried almost any to no success. I will try your UDLD option



Eric Boadu Thu, 04/22/2010 - 20:03

Hello Guys,

After testing various config I came accross my old references that I used to design MPLS private link. This tracking SLA policy config works great on L3 switch! Make sure the port that will be use on L3 switch is set to routed port instead of trunking betwn two locations. Use L3 subnet to create PPP link.

ip route <ip route interface ethernet0/1 track 50 << to private PPP link

ip sla 1
ip sla monitor schedule 1 life forever start-time now
num 3
freq 10

access-list 101 permit icmp any host echo

route-map local permit 20
match ip address 101
set ip next-hop verify-availability 10 track 50

track 50 rtr 1 reachability
delay down 10 up 10

interface ethernet0/1
ip policy route-map local

Thank you all for your input and hope this help others. Please rate this



Hi Eric,

I just don't see the relevance of the PBR configured especially on the interface facing to the p2p link.

I think if you want to use PBR then would be better to configure on the port facing to your LAN and select the path based on the availability of next hop.

If your p2p goes down the static route should disappear from the routing table and the default route would kick in.

First I was thinking that your goal is to detect a stucked route due to up/up condition of the interface, but that is anyway done by the sla and removes the static route if no response received from

May be I was overlooking something.

Can you explain?




This Discussion