Cisco Support Community
Community Member

C3620, PIX-515, IPSec, and EIGRP

I have this scenario to fix:

c3620 (Spoke) <=> Frame Relay Circuit <=> c3640 (Hub)

c3620 (Spoke) <=> C2924 Switch <=> PIX-515 <=> ADSL Circuit <=> Internet

c3640 (Hub) <=> C5505 <=> PIX-515 <=> LEASED LINE <=> Internet

I hope that's clear!

Now my issue is this. The current setup does not have a VPN tunnel, therefore traffic from Site A (left/spoke) passes to Site B (right/hub) via the Frame Relay link and internet traffic from Site A goes out via the PIX515-a firewall.

Now what I want to do is create a VPN Tunnel between pix515-a (spoke) and pix515-b (hub) that will act as the primary conduit for data, yes I know this sounds daft, but I want the VPN to carry the traffic between sites with the Frame Relay link acting as a backup conduit.

I can create the VPN tunnel and get traffic to pass, that's not my problem. My problem is getting the Frame Relay circuit to act as the backup circuit. If the PIX could use HSRP then I would be okay, but I am at a loss on this one.

Any suggestions? My gut feeling is that this just will not work. Any suggestions on how to make it work would also be gratefully accepted.




Re: C3620, PIX-515, IPSec, and EIGRP

See if you can enable RRI on the PIX. RRI stands for reverse route injection. This feature is available on the VPN concentrator, but I am not sure if it's there on the PIX.

Enable RRI (reverse route injection) on the PIX when you create the tunnel. This will create a static route for every remote network that the tunnel takes traffic to, and this route is automatically distributed into a dynamic routing protocol such as RIP. Now this route will be received by the 3640 and you can add a backup route via the frame (a static route) with a higher administrative distance than the current routing protocol in use. This static route will kick in only when the RRI route gets removed (which happens when your internet connection goes down).

Hope that helps!

Community Member

Re: C3620, PIX-515, IPSec, and EIGRP

Thanks for the answer. Unfortunately RRI is not supported on the PIX, only on routers and VPN Concentrators.

Thanks anyway,


Re: C3620, PIX-515, IPSec, and EIGRP


Yeah, you cannot enable RRI yet on the PIX. Hopefully some time soon they bring this feature to the PIX.

Run a routing protocol through the tunnel. Make sure you unicast the packets to the neighbor (neighbor command). You should open up the required protocol/port numbers for the routing protocol on the PIX.

Configure a static route on the routers to use the frame as a backup route (floating static - configure a higher admin distance).

I haven't tried this yet, but you could definitely give it a try.

Protocols such as EIGRP would expect the neighbor to be on the same subnet, so you might have to end up running RIP on the tunnel and use the neighbor command under RIP to unicast the updates.

Or else you could create a Tunnel interface on either router and run a routing protocol such as EIGRP on the tunnel interface. You should also permit the tunnel traffic to go through the VPN.

Hope this helps.
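
The last suggestion above (a tunnel interface on each router running EIGRP, with a floating static over the Frame Relay link as backup), sketched for the spoke side as an added example that is not from the thread. All addresses, the EIGRP AS number and the ACL name are constructed assumptions; the hub router mirrors this with the addresses swapped.

```cisco
! --- Spoke router (c3620), constructed addressing ---
! LAN 192.168.1.0/24 (router .1, PIX inside .254)
! Hub LAN 192.168.2.0/24 (router .1)
! Frame Relay link 172.16.0.0/30 (spoke .1, hub .2)
!
interface Tunnel0
 description GRE to hub router, carried inside the PIX-to-PIX IPsec tunnel
 ip address 192.168.100.1 255.255.255.252
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.1
!
! EIGRP runs on the LAN and the tunnel only, not on the Frame Relay
! link, so the hub LAN is learned (distance 90) only while the VPN is up.
router eigrp 100
 network 192.168.1.0
 network 192.168.100.0
!
! Pin the tunnel endpoint to the PIX. Without this host route the
! endpoint would be learned through the tunnel itself (recursive
! routing) and the tunnel interface would flap.
ip route 192.168.2.1 255.255.255.255 192.168.1.254
!
! Floating static: distance 250 keeps it out of the routing table
! until the EIGRP route is withdrawn (hold timer expiry after the
! VPN or either Internet circuit fails).
ip route 192.168.2.0 255.255.255.0 172.16.0.2 250
!
! --- Spoke PIX: ACL matched by the existing crypto map ---
! (ACL name VPN-GRE is hypothetical.) Only router-to-router GRE is
! encrypted; user traffic between sites rides inside the GRE tunnel.
access-list VPN-GRE permit gre host 192.168.1.1 host 192.168.2.1
```

After a failover test, `show ip route 192.168.2.0` on the spoke should show the route moving from the Tunnel0 EIGRP entry to the static entry via 172.16.0.2, and back once the neighbor re-forms.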
