Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1088
Views
0
Helpful
3
Replies

EIGRP with Failover VPN Tunnels

wvdemaria
Level 1
Level 1

‎07-19-2010 07:38 AM - edited ‎03-04-2019 09:06 AM

I have a network with 2 data centers and 100 VPN connected remote sites.  All of the remote sites build a VPN tunnel to the primary data center (Site A), though if that site is unavailable, they will build the tunnel to the alternate data center (Site B).  Between the two data centers is a point-to-point connection.

Currently, we have EIGRP running between the two data centers (and their associated VPN routers).  This re-routes traffic properly if the VPN router at Site A goes down, but only if the router is dead.  If the Internet link to that site goes down, the remote site properly re-build tunnels to Site B but EIGRP still advertises the routes from Site A's router.

Our current process is if we lose Site A's Internet connectivity, we quickly add a static route at one site to allow traffic to flow properly.  Ideally, EIGRP would handle the failover VPN routing without intervention.

I have attached a picture to describe the connectivity.

VPNTopology.jpg

Labels:
0 Helpful
3 Replies 3

r-garrison
Level 1
Level 1

‎07-19-2010 08:00 AM

I believe the functionality you are looking for is called "Reverse Route Injection".  This is available on both the ASA's and IOS.  I'm assuming you are using routers, so here's the link for reverse route injection for IOS:  http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_rev_rte_inject.html

Basically what this does is dynamically build static routes for the terminated encryption domains at your end-sites (it tears the routes down when they are unreachable).  When they go down on router "A", and re-establish on router "B", the "dynamic static routes" should follow.  Check it out!

Thanks,

Robby

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame

‎07-19-2010 11:10 AM

There is probably something in your situation that I am not understanding. It seems to me that for the situation where the remote connects to A and uses B as a backup that the desired behavior is that if A loses connectivity that B should advertise routes from A and with B as the next hop.

I have a customer with over 400 remote office locations where each remote office has a tunnel to A and a tunnel to B. They run EIGRP over the tunnels. Both A and B advertise similar prefixes with a metric that makes A preferable. If there is a problem with Internet connectivity from A (or some other problem on A) then the EIGRP Hellos from A stop and the remote removes that EIGRP neighbor and immediately starts to use routes from B. They find that failover is automatic, fast, and very effective. I would think that the same kind of thing might work for you.

HTH

Rick

HTH

Rick
0 Helpful

mdazhar
Level 1
Level 1
In response to Richard Burts

‎07-19-2010 03:15 PM

Hello wvdemaria

Can you post your complete configuration to support you.

ensure all password are removed.

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card