I have a multi site network with each site connected via MPLS and each site with a separate dedicated Internet circuit. I am installing FG100Ds at most sites with the larger sites getting 300Ds. All running 5.0.9. I am trying to set up a VPN mesh between all sites to use for MPLS failover. The problem I am running into is the routing changes that need to occur on both sides of the tunnel when the MPLS failure occurs.
Some details...
The FG at each location is used for Internet traffic only. All internal routing is done with a core switch at each location. IP SLAs are already configured on the core switches for failover. The FGs also have a static route for each location so that we can access them on the inside from any location. We also are doing Internet failover at each site to the MPLS at our central DC so we need to have the MPLS routes defined on the FGs for that purpose.
For the sake of an example, let's just use two sites:
Site A - 172.20.0.0/16
Site B - 172.25.0.0/16
The FGs at both sites have dual routes for the remote network, one with a gateway of the MPLS router and one for the VPN tunnel. I have tried setting up dead gateway detection as well as route priorities to trigger the routing changes in the event of a failure. That method does work, but only on one side of the tunnel. So if Site B has an MPLS failure, the DGD detects that and changes the routing to send traffic destined for Site A over the VPN tunnel. However, Site A's MPLS is still UP, so the routing never changes and traffic coming in over the VPN is trying to send back out over the MPLS.
I am looking for a way that an MPLS failure at Site B would trigger a routing change at both Site B and Site A so that all traffic gets sent over the VPN tunnel. And then obviously fails back to MPLS once MPLS is back up at Site B.
Is that possible?
Thanks.
I may have come up with a solution for this.
While I want all of the traffic to pass over the MPLS if it is up, really the only traffic going to/from the FG is admin access and FM/FA traffic. So if I set the VPN route to a higher preference, all traffic will go over the VPN. Then I can do a DGD on the VPN interface and ping the remote side. If the tunnel goes down (meaning the Internet would most likely be down at that site), the DGD would fail over to the MPLS route, which would allow for the backup Internet routing to work.
In the case of an MPLS failure, the IP SLA on my core switches would kick in and start routing traffic to the FG which is already set to route traffic over the VPN.
Only downside is that FA/FM traffic would utilize bandwidth on my Internet links. But I could do a policy route to force those over MPLS as well.
I don't want to get too complicated with this setup, so I think this will work. Unless some big brain comes along with a better idea.
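A FortiOS 5.0 CLI sketch of the arrangement described in the follow-up above, written as an added example and not the poster's own configuration: the VPN route preferred by administrative distance, dead gateway detection on the tunnel interface pinging the far side, and the MPLS route as the backup that takes over when the tunnel route is withdrawn. The interface names (vpn-siteB, internal), the MPLS router address, the tunnel-side addresses and the FA/FM subnet are assumptions for the example.

```fortios
# Site A FortiGate (FortiOS 5.0.x). Site B mirrors this with the prefixes
# swapped. Interface names and addresses below are constructed for the example.

# Primary path to Site B: the interface-mode IPsec tunnel. The lower distance
# wins, so only this route is active while the tunnel is up.
config router static
    edit 10
        set dst 172.25.0.0 255.255.0.0
        set device "vpn-siteB"
        set distance 5
    next
    # Backup path: the MPLS router on the inside. It enters the routing table
    # only after the VPN route has been removed by dead gateway detection.
    edit 11
        set dst 172.25.0.0 255.255.0.0
        set device "internal"
        set gateway 172.20.0.254
        set distance 10
    next
end

# Dead gateway detection on the tunnel: ping Site B's tunnel-side address
# (assumed 10.255.0.2; Site B's tunnel interface must allow ping). After
# 'failtime' consecutive misses, routes on vpn-siteB are withdrawn and traffic
# falls back to the MPLS route; they return once the pings succeed again.
config router gwdetect
    edit 1
        set interface "vpn-siteB"
        set server 10.255.0.2
        set protocol ping
        set interval 5
        set failtime 3
    next
end

# Optional: keep transit traffic for the FA/FM subnet (assumed 172.25.10.0/24
# at Site B) on MPLS even while the VPN route is preferred. Policy routes act
# only on traffic passing through the FortiGate, not on logs the unit itself
# originates, which follow the static routes above.
config router policy
    edit 1
        set input-device "internal"
        set dst 172.25.10.0 255.255.255.0
        set gateway 172.20.0.254
        set output-device "internal"
    next
end
```

Because each side detects its own tunnel state independently, both FortiGates must carry the mirrored pair of routes and a gwdetect entry, otherwise the asymmetric routing described in the original post returns.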