BOVPN Virtual Interface with Metric-Based Failover

Because you use routes to define what traffic to send through a BOVPN virtual interface, you can create more than one BOVPN virtual interface, and set different metrics for multiple routes to the same network. This enables you to configure BOVPN virtual interface routes through a primary tunnel that fail over to BOVPN virtual interface routes through another tunnel if the primary tunnel is not available.

Example Scenario

This example shows how to configure settings for two BOVPN virtual interfaces between XTM devices at Site A and Site B. This configuration uses different route metrics in the BOVPN virtual interface configuration to control which BOVPN virtual interface routes are preferred.

For this example, we assume that the device at Site A has two external interfaces, and that one of the external interfaces is the preferred route for outbound traffic to Site B, either because that interface is lower cost or has faster throughput. The second external interface is used for VPN traffic only when the primary external interface is not available.

Site A XTM Device

For this example, the Site A XTM device has two external interfaces, one trusted network, and one optional network.

Interface   Type       Name         IP Address
0           External   External     203.0.113.2/24
1           Trusted    Trusted      10.0.1.1/24
2           Optional   Optional-1   10.0.2.1/24
3           External   External-2   190.0.2.2/24

Site B XTM Device

For this example, the Site B XTM device has one external interface, and one trusted network.

Interface   Type       Name         IP Address
0           External   External     198.51.100.2/24
1           Trusted    Trusted      10.50.1.1/24

BOVPN Virtual Interface Configuration

The devices at each site must have two BOVPN virtual interfaces configured. One BOVPN virtual interface uses interface 0 (External) on the Site A device, and the second BOVPN virtual interface uses interface 3 (External-2) on the Site A device. Because interface 0 is the preferred interface for VPN traffic between these devices, the primary BOVPN virtual interface that uses interface 0 has routes with a low metric. This gives routes through the primary BOVPN virtual interface the highest priority, when that virtual interface is available. The same routes on the BOVPN virtual interface that uses the less-preferred external interface each have a higher metric, so these routes are only used if the routes through the other BOVPN virtual interface are not available.

The BOVPN virtual interfaces on each XTM device must be configured to use the same settings. For this example, we assume that Site A and Site B agree to use a pre-shared key. All other BOVPN virtual interface settings remain at the default values.

Site A BOVPN Virtual Interfaces

The primary BOVPN virtual interface at Site A uses these gateway settings:

Screen shot of the Gateway Endpoint configuration for the primary BOVPN virtual interface at Site A

The primary BOVPN virtual interface at Site A has one VPN route to the trusted network at Site B:

Screen shot of the VPN routes for the primary BOVPN virtual interface on the Site A device

The secondary BOVPN virtual interface at Site A uses these gateway settings:

Screen shot of the Gateway Endpoints configuration for the secondary BOVPN virtual interface at Site A

The secondary BOVPN virtual interface at Site A has one VPN route to the trusted network at Site B:

Screen shot of the VPN routes for the secondary BOVPN virtual interface on the Site A device

Site B BOVPN Virtual Interfaces

The device at Site B has two BOVPN virtual interfaces.

The primary BOVPN virtual interface at Site B uses these gateway settings:

Screen shot of the Gateway Endpoint configuration for the primary BOVPN virtual interface at Site B

The primary BOVPN virtual interface at Site B has two VPN routes to the trusted and optional networks at Site A:

Screen shot of the VPN routes for the primary BOVPN virtual interface on the Site B device

The secondary BOVPN virtual interface at Site B uses these gateway settings:

Screen shot of the Gateway Endpoints configuration for the secondary BOVPN virtual interface at Site B

The secondary BOVPN virtual interface at Site B has two VPN routes to the trusted and optional networks at Site A:

Screen shot of the VPN routes for the secondary BOVPN virtual interface on the Site B device

How This Configuration Works

In this example, each XTM device has two BOVPN virtual interfaces to a peer XTM device. The routes configured for both BOVPN virtual interfaces are the same, except for the metrics. The XTM device uses the route with the lowest metric (highest priority). This means that:

If both BOVPN virtual interfaces are available

The XTM device uses the routes through the primary BOVPN virtual interface, because those routes have the highest priority (lowest metric).

If the primary BOVPN virtual interface is not available, but the secondary BOVPN virtual interface is available

The XTM device automatically changes the metrics for routes that use the primary BOVPN virtual interface to 255, to give these routes the lowest priority. The XTM device then uses the routes through the secondary BOVPN virtual interface, because those routes, with a metric of 200, are now the highest priority routes to that destination.

When the primary BOVPN virtual interface becomes available again

The XTM device automatically changes the route metrics for routes through the primary BOVPN virtual interface back to the configured route metric, in this case 1. Traffic between the two sites automatically uses the routes through the primary BOVPN virtual interface because those routes now have higher priority.

You can optionally configure the XTM device to remove the route completely, rather than increase the metric when the route is down. For more information, see About Global VPN Settings.
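As an added illustration that is not part of the WatchGuard documentation, the following Python model reproduces the route selection described in the three cases above, including the optional setting that removes a down route instead of raising its metric. The virtual interface names bovpn-primary and bovpn-secondary and the destination host 10.50.1.25 are assumptions; the metrics 1, 200 and 255 and the Site B trusted network are taken from this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
DOWN_METRIC = 255  # metric the device assigns to routes whose BOVPN virtual interface is down

@dataclass
class VpnRoute:
    destination: str  # network reached through the tunnel
    vif: str          # BOVPN virtual interface name (hypothetical names are used below)
    metric: int       # configured route metric

@dataclass
class RouteTable:
    routes: list
    up: dict                        # vif name -> True while that tunnel is available
    remove_when_down: bool = False  # the optional global VPN setting: drop the route instead

    def effective(self):
        """Routes as the device holds them right now, with the down metric applied."""
        out = []
        for r in self.routes:
            if self.up.get(r.vif, False):
                out.append((r.destination, r.vif, r.metric))
            elif not self.remove_when_down:
                out.append((r.destination, r.vif, DOWN_METRIC))
        return out

    def lookup(self, dst_ip):
        """Select the route for dst_ip: longest prefix match first, then lowest metric."""
        addr, best = ip_address(dst_ip), None
        for dest, vif, metric in self.effective():
            net = ip_network(dest)
            if addr in net and (best is None or (-net.prefixlen, metric) < best[0]):
                best = ((-net.prefixlen, metric), vif, metric)
        return None if best is None else (best[1], best[2])

def site_a_table(remove_when_down=False):
    # Site A routes from the page: one route to Site B's trusted network per virtual interface
    routes = [VpnRoute("10.50.1.0/24", "bovpn-primary", 1),
              VpnRoute("10.50.1.0/24", "bovpn-secondary", 200)]
    return RouteTable(routes, {"bovpn-primary": True, "bovpn-secondary": True}, remove_when_down)

def simulate_failover(remove_when_down=False):
    # Walk through the three states the page describes, recording the selected route each time
    t = site_a_table(remove_when_down)
    chosen = [t.lookup("10.50.1.25")]       # both tunnels up
    t.up["bovpn-primary"] = False
    chosen.append(t.lookup("10.50.1.25"))   # primary down, secondary up
    t.up["bovpn-primary"] = True
    chosen.append(t.lookup("10.50.1.25"))   # primary available again
    return chosen
```

Running simulate_failover() with either setting selects the primary route, then the secondary route, then the primary route again; the difference between the two settings is only visible in effective(), where the down route is listed at metric 255 or is absent.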

See Also

Configure a BOVPN Virtual Interface

Configure VPN Routes

BOVPN Virtual Interface Configuration Scenarios
