Site to Site VPN as a backup

mwkirk
Level 1

Was wondering if anyone has any suggestions for a configuration I am trying to get going.

What I have is a Colo Data Center that is connected back to multiple sites via MPLS.  Internet access is through the Colo for all sites. In case of a failure of the MPLS I am trying to get an automated VPN to come up that would connect from an Adtran router with a Verizon Wireless Card in it.  I have the VPN up and that works.  It is the automation piece that I am trying to figure out.  So, currently the Pix has static routes that point everything towards the MPLS router for all of the sites.  Everything else uses the MPLS router as a DGW and then the DGW for the MPLS is the Pix.

If there is a failure the VPN will come up but then there are the routes on the Pix that will just push everything back towards the MPLS.  The provider is saying to put higher metric routes for the statics back to the MPLS but higher than what?  When the VPN comes up there aren't really any routes there to push the traffic across the VPN.

The thought I had was that since the managed MPLS router at the colo is a Cisco router to have the provider redistribute the BGP routes back out to EIGRP which the Pix could pick up.  In the case of a failure once EIGRP was updated there would be no route towards the MPLS and everything would just route out the DGW which would be the Pix.

Anyone done anything like this before that might have some ideas?

Thanks


6 Replies

andrew.prince
Level 10

Your issue is unclear - your statement:

"So, currently the Pix has static routes that point everything towards the MPLS router for all of the sites. Everything else uses the MPLS router as a DGW and then the DGW for the MPLS is the Pix."

This sounds like a big loop to me?

Thanks for responding.  The static routes point back into an MPLS net.  There is one of the MPLS sites that we want to install a router (Adtran) with a Verizon EVDO card installed that will be for a backup link.  So, if the MPLS goes down then the backup router link will come up and make a VPN connection to the firewall.

Here is a quick diagram I threw together.  Hopefully, this doesn't confuse things more:

Thanks for the diagram, but now a can of worms has been opened!!

When you say "So, if the MPLS goes down" do you mean JUST the MPLS link to the PIX firewall???

What if the MPLS link from the PIX firewall & the MPLS link to site A also goes down....How do sites B & C continue to work? and have access to the internet?

Right now we are specifically looking at doing the backup for Site A.  It might extend to other sites at a later date but Site A has had some issues with the MPLS connection going down.  So for now we are specifically looking to protect against a failure of the link to the MPLS at Site A.

I can get the VPN up and running but my issue is how to handle the routing at the firewall.  If I have static routes in there to point the Site A addresses towards the MPLS then when the VPN comes up in case of a failure it will still try to push the traffic towards the MPLS which will now be down.

Accepted Solution

A simple delay-sensitive solution will be IP SLA in the PIX/ASA.  When the MPLS interface of Site A is unreachable, a static route in the PIX/ASA pointing into the VPN tunnel becomes active.  When the MPLS interface is available again, then the route is removed.

HTH,

Andrew.
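The tracked-route arrangement Andrew describes, written out as PIX/ASA CLI so the "higher than what?" question has a concrete answer. This is an added example, not a configuration anyone posted in the thread: the interface names, addresses, metrics and the sla/track object numbers are assumptions chosen for illustration, and the crypto map and tunnel-group for the Adtran peer are assumed to already exist, since the OP says the VPN itself comes up. Static route tracking needs PIX/ASA software 7.2(1) or later.

```text
! Added example, not from the thread. Assumed addressing:
!   PIX/ASA "inside" faces the colo LAN; colo MPLS router is 10.1.0.2
!   Site A LAN: 10.10.0.0/16
!   Site A MPLS router LAN address, reachable only across the MPLS: 10.10.0.1
!   "outside" next hop (ISP gateway): 203.0.113.1
!   Existing IPsec crypto map on "outside" already carries the Adtran tunnel.

! 1. Probe the Site A MPLS router across the MPLS every 10 s (3 echoes, 1 s timeout).
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.0.1 interface inside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now

! 2. Bind the probe result to a track object.
track 1 rtr 10 reachability

! 3. Pin the probe target itself to the MPLS path, untracked. If the /32 could
!    fall back to the VPN, the echo would succeed over the tunnel once it is up,
!    the track would come back, and the routes would flap.
route inside 10.10.0.1 255.255.255.255 10.1.0.2 1

! 4. Primary route to Site A via the MPLS router, withdrawn when track 1 is down.
route inside 10.10.0.0 255.255.0.0 10.1.0.2 1 track 1

! 5. Floating backup route out "outside". Metric 254 keeps it dormant while the
!    tracked route is present; once it is active, the crypto ACL below matches
!    the traffic and the existing crypto map pushes it into the tunnel.
route outside 10.10.0.0 255.255.0.0 203.0.113.1 254

! 6. Interesting traffic for the Adtran tunnel (colo LAN <-> Site A LAN; add the
!    other sites' prefixes as sources if they must reach Site A via the backup).
access-list VPN_SITEA extended permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0

! Verification after a failure and after recovery:
!   show sla monitor operational-state 10
!   show track 1
!   show route | include 10.10.0.0
```

With `frequency 10` the firewall notices the loss within roughly one to two probe intervals, so expect 10 to 20 seconds before the backup route appears. The probe target must be something that goes dark when the Site A MPLS link fails (the Site A router, not the colo MPLS router), or the PIX will happily keep sending into a black hole. The same problem exists in the other direction: the Adtran at Site A needs the mirror image, bringing up the tunnel and taking over as the site's exit when its MPLS path is gone, otherwise return traffic from Site A still heads for the dead MPLS router.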

That's pretty slick....I think that could work.
