

How to set up a failover VPN line in case the leased line fails

Posted on 2010-09-16
Medium Priority
Last Modified: 2012-05-10
Hi all

We're managing a network consisting of 1 HQ and 4 remote sites.  The remote sites are connected via a leased line of 2 Mbps.  The remote sites have got 1 small Cisco router provided by the telco provider which provides the connectivity to the HQ.  The HQ itself has got 2 (or maybe 3) Cisco routers which provide the connectivity to the remote sites.

What we want is an economic failover for the connectivity in case a leased line goes down (which happens too often, although we've got an SLA with the provider).  Anyway, we were thinking of purchasing a separate Internet line in each site (incl. HQ) and a small appliance doing VPN (Astaro, Juniper or that kind of stuff).

The problem would be to tell the network/client that the leased line is down and to route the traffic through the VPN line.

What's the best way to do that?
Question by:NEXPERT-AG

Expert Comment

ID: 33694049
In any case, you shouldn't think about making clients aware that the leased line is down and that the route to the same destination has been changed. Otherwise you have to change the client's default gateway in Site A to the VPN router, but you also have to make Site HQ aware that Site A is not available through the leased line, but now through the VPN router. This is of course also a technically working solution, but I believe that the SLA with your provider is much quicker than the manual change of your network architecture to get it running that way.

Acquire a bunch of routers and implement for example OSPF. A description can be found here:

OSPF is not really easy to implement; trial and error may work out, however. In any case, keep in mind that you probably need access to your third-party managed Cisco devices to set them up for OSPF.


Author Comment

ID: 33695923
Hi Stefan

Thank you for your reply.

I was thinking more of a redundant gateway with two physical devices (each connected to the existing Cisco router and the new SDSL VPN line) which automatically detect if the leased line is down and, if so, then re-route the traffic through the SDSL VPN line.  Once the leased line is up again, re-route the traffic back from the VPN line to the leased line.

The problem with buying a bunch of routers is the money, of course (just too expensive).

What we want is a connection from the remote sites to the headquarter (HQ) even if the expensive leased line should go down.  That's why our approach was to have a separate SDSL line from a different ISP and a cheap VPN appliance on both sites.

We don't want to make any manual changes to the system (e.g. change the default gateway of all PCs, servers, etc.) should the leased line go down.

Did anyone implement such a scenario?

Expert Comment

ID: 33696904
You can use DMVPN as a solution to your problem. It can work together with dynamic routing protocols. Basically, it is a hub-and-spoke topology. You have a central router (HUB) at your HQ and small routers (SPOKES) at your remote sites, all connected to the Internet. The only requirement is to have a static public IP at your HUB router. I have this topology running using Cisco 1800 at HQ and Cisco 876 at 40 remote sites. There is a lot of documentation about DMVPN on . I think that you don't need to buy additional hardware for your remote sites, as even the 870 series can run DMVPN, so you can use existing routers on remote sites.

Author Comment

ID: 33700010
Thank you bjove for your input.

But what happens if a Cisco Router in the SPOKES site goes down?  I mean we also would need to have a redundant, physical Cisco Router in every SPOKES site.  I assume that Cisco has got some kind of redundancy feature with a heartbeat connection or so where they check each other if they are up or not?

Do you use DMVPN also just for redundancy?

Accepted Solution

bjove earned 2000 total points
ID: 33702238
In every remote site I have 2 Cisco 876, and 2 Cisco 1840 in HQ. One Cisco 876 from the remote site is connected with a serial (leased line) line to one of the 1840s in HQ. The second Cisco 876 from the remote site is connected through an ADSL Internet line to the second 1840 in HQ, used as a backup link to HQ. I have EIGRP as the routing protocol. EIGRP takes care of redundancy. Also, for hardware failover on the remote site, HSRP is configured on both Cisco 876 routers.
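
An added example, not bjove's configuration: the remote-site router pair from the accepted answer, with HSRP tracking the leased line and an IPsec-protected DMVPN tunnel as the EIGRP backup path. All addresses, the EIGRP AS number, the `<...>` key and address placeholders and the interface names (Serial0, Dialer0, Vlan1) are assumptions; the HQ routers need the matching hub-side configuration.

```cisco
! Constructed example: addresses, AS number, keys and interface names are placeholders.
! ===== Remote-site router A: leased line, HSRP active =====
interface Serial0
 ip address 10.255.1.2 255.255.255.252
interface Vlan1
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <HSRP_KEY>
 ! Drop priority to 90 when the leased line fails so router B takes over
 standby 1 track Serial0 20
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
!
! ===== Remote-site router B: ADSL + DMVPN spoke, HSRP standby =====
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PSK> address <HQ_PUBLIC_IP>
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 ip nhrp authentication <NHRP_KEY>
 ip nhrp map 172.16.0.1 <HQ_PUBLIC_IP>
 ip nhrp map multicast <HQ_PUBLIC_IP>
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 ! Higher delay raises the EIGRP metric so the tunnel is only the backup path
 delay 100000
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
interface Vlan1
 ip address 192.168.10.3 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string <HSRP_KEY>
!
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
```

Clients keep 192.168.10.1 as their default gateway in both states, so no change is needed on PCs or servers when the leased line drops or returns.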
