Route-Map Problem

I am having problems getting an internal router to correctly failover to the right interface using a route-map. This is my network setup.


[Network diagram: the Network A and Network B routers each connect via Serial0.44 to the Private Frame Cloud; the addresses and the Internet/Pix side of the drawing did not survive extraction]

The scenario is to use a VPN tunnel so that all traffic from Network B going to a server ( on Network A uses the Internet rather than the Private Frame Cloud. Traffic from the Network A server should return across the Internet to Network B ( Should the link to the Internet go down on either Network A or Network B, then traffic to the server would revert back to using the Private Frame Cloud.

Currently, I have the VPN tunnel between both Pixes working to send the traffic from Network B to Network A over the Internet. In testing, the traffic from Network A correctly uses the Pix as the next-hop in returning traffic for just the server to The problem is that if the Network A Pix is disconnected the route-map continues to try to send the traffic to the Pix regardless of having a second next-hop address of the Serial interface of the cloud.

In researching the issue on newsgroups, it was mentioned that this is not possible using a Pix as the next-hop when the Pix goes down. The post said that on a LAN, the Cisco router can't tell that the Pix has failed, so it will never drop that default route and switch to the backup route. That seems to be exactly what is occurring.

How do I get around that? One thing that I tried was to set up BGP between the Network A Inside and Border routers so that the next-hop for the Inside router would be the Border Router address. However, the problem there is that the next-hop ip address must be adjacent. Consequently, the route-map fails using the Border-Router IP address and never uses the Pix.

Here is the Network A information that partially works when using the Pix as the next-hop.

Pix Inside address is

interface Ethernet0
 ip address
 no ip mroute-cache
 no ip route-cache
 ip policy route-map colvpn
!
interface Ethernet1
 ip address
 no ip mroute-cache
 no ip route-cache
!
ip route
!
access-list 110 permit ip host
!
route-map colvpn permit 10
 match ip address 110
 set ip next-hop
!
route-map colvpn permit 20

Any suggestions? Thanks.


Re: Route-Map Problem

Look into setting up one tunnel between the 2 routers over the internet (tunnel0) and one over the private frame network (tunnel1). Run eigrp over both of them (or run eigrp over the frame and rip over the internet, as eigrp would be preferred). When the tunnel drops, eigrp (or rip) will drop, and the other path will be selected. Have the default route still pointing to the internet and a default route with a higher metric pointing to the private frame network. Then you can add your policy route-map, pointing to the internet tunnel endpoint with the frame tunnel end point as the backup.

Hope it helps
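One way to lay out the Network A router side of the design the reply describes, as an added example that is not part of the original thread and not configuration from either poster: two GRE tunnels to the Network B router, EIGRP over both with the Internet tunnel preferred, a floating static default route via the frame cloud, and the original colvpn route-map pointing at the Internet tunnel's far end with the frame tunnel's far end as backup. Every address (the 10.1.1.0/24 LAN, the 10.1.1.50 server, the 10.1.1.2 Pix inside address, the 10.2.1.1 Network B router, the 10.44.0.2 frame far end, the 10.255.x.x tunnel subnets), the EIGRP AS number 100, the access-list destination and the interface delays are constructed placeholders to be replaced with the real values.

```cisco
! Added example, not from the thread. All addresses, AS numbers and delays are
! constructed placeholders.
!
! Tunnel0: GRE to the Network B router across the Internet. The destination is
! the B router's LAN address, so the packets ride the existing Pix-to-Pix VPN.
interface Tunnel0
 description GRE to Network B over the Internet (primary path for server traffic)
 ip address 10.255.0.1 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 10.2.1.1
 keepalive 10 3
 delay 1000
!
! Tunnel1: GRE to the same router across the Private Frame Cloud.
interface Tunnel1
 description GRE to Network B over the Private Frame Cloud (backup path)
 ip address 10.255.1.1 255.255.255.252
 tunnel source Serial0.44
 tunnel destination 10.44.0.2
 keepalive 10 3
 delay 5000
!
! EIGRP over both tunnels; the lower delay on Tunnel0 makes it the preferred
! path while it is up. Keepalives drop the tunnel when the far end stops
! answering, the EIGRP adjacency goes with it, and the Tunnel1 route takes over.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.255.0.0 0.0.1.255
 passive-interface Ethernet0
 no auto-summary
!
! Default route to the Internet via the Pix, with a floating static (AD 250)
! toward the frame cloud that is only installed if the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route 0.0.0.0 0.0.0.0 Serial0.44 250
!
! Policy-route only the server's traffic bound for Network B. The first next-hop
! is the far end of the Internet tunnel; when Tunnel0 is down that address is no
! longer on a connected network and PBR falls through to the frame tunnel's far end.
access-list 110 permit ip host 10.1.1.50 10.2.0.0 0.0.255.255
route-map colvpn permit 10
 match ip address 110
 set ip next-hop 10.255.0.2 10.255.1.2
!
route-map colvpn permit 20
!
! Apply the policy on the interface where the server's packets enter the router.
interface Ethernet0
 ip policy route-map colvpn
```

Because Tunnel0 terminates on the Network B router's LAN address, the Pix-to-Pix IPsec policy has to carry GRE (IP protocol 47) between the two router addresses, otherwise the tunnel never comes up. To confirm the failover actually happens rather than assuming it, check `show ip eigrp neighbors` and `show interfaces tunnel 0` for the adjacency and keepalive state, watch the "policy routing matches" counter in `show route-map colvpn`, and in a maintenance window take the Pix inside interface down and verify that Tunnel0's line protocol drops and the server's traffic appears on Tunnel1 rather than being blackholed.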


