SD-WAN Failover from an MPLS Link to a BOVPN Virtual Interface Tunnel

With SD-WAN, the Firebox can dynamically route traffic based on the performance of your network connections. For applications that are sensitive to network performance, such as VoIP, RDP, and video conferencing applications, SD-WAN can help make sure those applications perform well and are highly available.

In this example, a company with VoIP traffic between sites wants users to experience high-quality, reliable voice calls over a secure connection. To achieve these goals, the company dedicates an MPLS link to VoIP traffic. If network issues such as high loss, latency, and jitter occur on the MPLS link, the company wants VoIP traffic to fail over to another interface. To help reduce costs, the company wants to use a BOVPN virtual interface tunnel as a backup connection instead of a secondary MPLS link.

This configuration example shows metric-based SD-WAN routing on a distributed enterprise network with hybrid WAN connections. Site A (Headquarters) has a Firebox. Site B (Branch Office) has either a Firebox or a third-party firewall.

To implement this configuration, your Firebox must run Fireware v12.4 or higher.

Network Topology

This diagram shows the network topology for this example. The firewall at Site B can be a Firebox or a third-party firewall.

How It Works

A VoIP policy and SD-WAN action route VoIP traffic over the MPLS link.

The Firebox sends Link Monitor probes to remote hosts to monitor the availability and network performance of the MPLS link. Network performance metrics include loss, latency, and jitter. You can use one or more of these metrics, and you can specify a value for each metric you use.

If the MPLS link becomes unavailable, or if metrics exceed the values you specified, VoIP traffic fails over to the BOVPN virtual interface.

If the MPLS link becomes available again, or if metrics no longer exceed the values you specified:

  • The MPLS interface becomes the preferred interface again.
  • If you selected the Immediate Failback option in the SD-WAN action, all VoIP traffic immediately fails back to the MPLS interface.
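
The failover and failback decisions described above, modeled in Python as an added example (this is not WatchGuard code and not how Fireware computes its metrics). The threshold values, the probe samples, the jitter formula, the rule that any one selected metric over its value triggers failover, and established calls staying on the tunnel when Immediate Failback is off are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed thresholds; the real values are the ones set in the SD-WAN action.
THRESHOLDS = {"loss_pct": 5.0, "latency_ms": 150.0, "jitter_ms": 30.0}
# Constructed probe windows: round-trip time in ms, None = probe lost.
GOOD = [20, 22, 21, 23, 20, 22, 21, 20, 22, 21]
LOSSY = [20, None, 22, None, 21, 23, 20, 22, 21, 20]
JITTERY = [20, 90, 25, 95, 20, 85, 22, 92, 21, 88]
DOWN = [None] * 5

def link_metrics(rtts):
    """Summarize one window of Link Monitor probe results for the MPLS link."""
    replies = [r for r in rtts if r is not None]
    loss = 100.0 * (len(rtts) - len(replies)) / len(rtts)
    if not replies:
        return {"loss_pct": loss, "latency_ms": None, "jitter_ms": None}
    # Assumption: jitter = mean absolute difference between consecutive replies.
    deltas = [abs(b - a) for a, b in zip(replies, replies[1:])]
    return {"loss_pct": loss, "latency_ms": mean(replies),
            "jitter_ms": mean(deltas) if deltas else 0.0}

def mpls_healthy(metrics, selected):
    """Healthy only if the link answered and no selected metric exceeds its value."""
    if metrics["latency_ms"] is None:  # every probe lost: link unavailable
        return False
    return all(metrics[m] <= THRESHOLDS[m] for m in selected)

@dataclass
class SdWanAction:
    selected: tuple                # metrics chosen in the SD-WAN action
    immediate_failback: bool
    preferred: str = "MPLS"        # interface used for new VoIP connections
    active_flows_on: str = "MPLS"  # interface carrying established calls

    def evaluate(self, rtts):
        if not mpls_healthy(link_metrics(rtts), self.selected):
            self.preferred = self.active_flows_on = "BOVPN-VIF"
        else:
            self.preferred = "MPLS"
            if self.immediate_failback:  # otherwise calls stay put (assumption)
                self.active_flows_on = "MPLS"
        return self.preferred, self.active_flows_on

def run(action, windows):
    return [action.evaluate(w) for w in windows]
```

Running the same jittery window through an action that selects only loss shows why metric selection matters for VoIP: the link stays "healthy" even though call quality would suffer.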


In our example, we assume both sites initiate VoIP traffic. For example, VoIP devices at Site A initiate traffic to Site B. At Site B, VoIP devices initiate traffic to Site A. On your network, only one site might initiate traffic.

On the Firebox at Site A and the firewall at Site B, configure these interfaces:

  • An internal interface configured for the MPLS link
  • A BOVPN virtual interface (VIF) tunnel to the remote site

Site A Firebox

Site B Firewall (Firebox or Third-Party Device)

The device at Site B can be a Firebox or a third-party device. In our example, we show a Firebox configuration.

See Also

About SD-WAN

Configure SD-WAN

About SD-WAN Methods

SD-WAN Monitoring, Status, and Manual Failback (Firebox System Manager)

SD-WAN Status and Manual Failback (Web UI)