ASA static route and VPN

Unanswered Question
May 12th, 2010

Hi All,

There are two sites connected by MPLS. All the internet traffic from each site goes through an ASA, which is connected to the internet directly. The ASA has a static route to the other site through MPLS. I need to configure a site-to-site VPN so that, in case the MPLS is down, traffic between the two sites goes through the VPN tunnel:

#route inside --> route traffic to other site through MPLS ( is the MPLS router)

If MPLS is down, I need to route to subnet through the VPN tunnel.

Any suggestion would be very appreciated.



Panos Kampanakis Wed, 05/12/2010 - 14:53

SLA tracking is your solution.

You have 2 interfaces, one is the MPLS and the other is the backup VPN. Each one has a next hop.

You track the MPLS next hop and if it fails you will fail back to the VPN next hop (establish VPN and go out encrypted etc).

Here is the link that explains how to set up SLA tracking

I hope it helps.


alex goshtaei Wed, 05/12/2010 - 15:19

Thanks for the reply.

But both MPLS and VPN must route traffic at the same time. The VPN interface is used for regular internet traffic and the VPN tunnel, and the MPLS link is used to reach the remote site subnets. If MPLS is down, I need the route to the remote site subnets to go through the VPN tunnel.

Panos Kampanakis Thu, 05/13/2010 - 06:59

OK, you can still do it.

You will track the MPLS routes that are prone to go down. You will also have secondary routes for the same destination subnets with lower priority using the VPN next hop. In case tracking fails and the MPLS routes go down, the lower priority ones will kick in.

SLA tracking will do it. It is the same as in the link I sent but you would need to track all the MPLS routes and have corresponding fallbacks using the VPN.

The VPN routes that will always be used for VPN and internet will not play in the set up, these routes will stay there.

I hope it makes sense.
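
The setup described in the reply above, as an added example that is not part of the original thread: a tracked static route over MPLS with a lower-priority fallback route that sends the same subnet out the VPN-facing interface. All addresses, interface names, object numbers and the ACL and crypto map names are constructed placeholders, and the site-to-site tunnel itself (peer, transform set, tunnel-group) is assumed to be configured already.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   local LAN 192.168.1.0/24, remote-site LAN 192.168.2.0/24
!   MPLS router 10.1.1.2 reachable via "inside"
!   ISP gateway 203.0.113.1 reachable via "outside"

! Probe the MPLS next hop, as the reply suggests.
! Probing only the next hop detects a dead MPLS router or link,
! not a failure further inside the MPLS cloud.
sla monitor 10
 type echo protocol ipIcmpEcho 10.1.1.2 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary path: remote subnet via MPLS, installed only while track 1 is up.
route inside 192.168.2.0 255.255.255.0 10.1.1.2 1 track 1

! Fallback path: same subnet with a higher administrative distance (254),
! so it enters the routing table only when the tracked route is withdrawn.
route outside 192.168.2.0 255.255.255.0 203.0.113.1 254

! Default route for internet traffic is untouched by the tracking.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! The fallback traffic must match the crypto ACL of the existing tunnel,
! otherwise it leaves the outside interface unencrypted instead of
! bringing the tunnel up. It also needs to be exempt from NAT.
access-list VPN-SITE-B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-SITE-B
```

With several remote subnets, each one needs its own tracked MPLS route and matching fallback route and crypto ACL entry. `show track` and `show route` confirm which of the two routes is currently installed.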


