How to set up a failover VPN line in case the leased line fails

Hi all

We're managing a network consisting of 1 HQ and 4 remote sites.  The remote sites are connected via a leased line of 2 Mbps.  The remote sites have got 1 small Cisco router provided by the telco provider which provides the connectivity to the HQ.  The HQ itself has got 2 (or maybe 3) Cisco routers which provide the connectivity to the remote sites.

What we want is an economical failover for the connectivity in case a leased line goes down (which happens too often, although we've got an SLA with the provider).  Anyway, we were thinking of purchasing a separate Internet line in each site (incl. HQ) and a small appliance doing VPN (Astaro, Juniper or that kind of stuff).

The problem would be to tell the network/client that the leased line is down and to route the traffic through the VPN line.

What's the best way to do that?

In any case, you shouldn't think about making clients aware that the leased line is down and that the route to the same destination has been changed. Otherwise you have to change the clients' default gateway in Site A to the VPN router, but you also have to make Site HQ aware that Site A is no longer available through the leased line, but now through the VPN router. This is of course also a technically working solution, but I believe that the SLA with your provider is much quicker than the manual change of your network architecture to get it running that way.

Acquire a bunch of routers and implement for example OSPF. A description can be found here:

OSPF is not really easy to implement; trial and error may work out, however. In any way: keep in mind that you probably need access to your third-party managed Cisco devices to set them up for OSPF.

NEXPERT-AG (Author) commented:
Hi Stefan

Thank you for your reply.

I was thinking more of a redundant gateway with two physical devices (each connected to the existing Cisco router and the new SDSL VPN line) which automatically detect if the leased line is down; if so, then re-route the traffic through the SDSL VPN line.  Once the leased line is up again, re-route the traffic back from the VPN line to the leased line.

The problem with buying a bunch of routers is the money, of course (just too expensive).

What we want is a connection from the remote sites to the headquarters (HQ) even if the expensive leased line should go down.  That's why our approach was to have a separate SDSL line from a different ISP and a cheap VPN appliance on both sites.

We don't want to make any manual changes to the system (e.g. change the default gateway of all PCs, servers etc.) should the leased line go down.

Did anyone implement such a scenario?
You can use DMVPN as a solution to your problem. It can work together with dynamic routing protocols. Basically, it is a hub-and-spoke topology. You have a central router (HUB) at your HQ and small routers (SPOKES) at your remote sites, all connected to the Internet. The only requirement is to have a static public IP on your HUB router. I have this topology running using a Cisco 1800 at HQ and Cisco 876 at 40 remote sites. There is a lot of documentation about DMVPN on . I think that you don't need to buy additional hardware for your remote sites, as even the 870 series can run DMVPN, so you can use the existing routers on the remote sites.
NEXPERT-AG (Author) commented:
Thank you bjove for your input.

But what happens if a Cisco router in a SPOKE site goes down?  I mean we would also need to have a redundant, physical Cisco router in every SPOKE site.  I assume that Cisco has got some kind of redundancy feature with a heartbeat connection or so where they check each other to see if they are up or not?

Do you use DMVPN also just for redundancy?
In every remote site I have 2 Cisco 876, and 2 Cisco 1840 in HQ. One Cisco 876 at the remote site is connected via a serial (leased line) link to one of the 1840s in HQ. The second Cisco 876 at the remote site is connected through an ADSL Internet line to the second 1840 in HQ, used as the backup link to HQ. I have EIGRP as the routing protocol. EIGRP takes care of redundancy. Also, for hardware failover at the remote site, HSRP is configured on both Cisco 876 routers.
