Screen OS

  • 1.  Problem routing with Bgroups

    Posted 05-22-2009 11:25

    Customer has two sites - each site has two circuits. One internet and one MPLS. An IPSec VPN connects the two sites. Traffic is routing fine between sites over the VPN.

     

    Site - A 192.168.1.0

    Site - B 192.168.3.0

     

    The MPLS circuit is new and the customer wants the MPLS circuit to be the primary route between sites and the VPN as backup. 

    Each SSG has a bridge group - the bridge group is the LAN gateway.

     

    192.168.3.1

    192.168.1.1

     

    Here is the issue - the bridge group has ports that connect to the LAN switch and MPLS router on each firewall. As soon as I add a route with a more desirable preference to force traffic over the MPLS circuit - traffic starts dropping. The route that sends this traffic over the IPSec VPN route goes inactive which is normal and expected. Here are the new static routes:

     

     

    IP/Netmask        Gateway         Interface
    192.168.1.0/24    192.168.3.3     bgroup0
    192.168.3.0/34    192.168.1.20    bgroup0

     

    The gateways are the MPLS routers. 

     

    When I run debugs they say no route found and try to send traffic out the VPN tunnel interfaces. Does this make sense? I think the problem is the fact that I am connecting the LAN and MPLS router to a bridge group, which nullifies routing.

     



  • 2.  RE: Problem routing with Bgroups

    Posted 05-23-2009 11:28

    Limitation: 

    - If traffic is passing through the clear route (non-VPN), it can fail over to the VPN route.

    - If traffic is passing through the VPN route, it can't fail over to the clear route (non-VPN).

     

    If you have the preference for the clear route, it can fail over to VPN. But right now you already have a session with the VPN route and you would like to fail over to the clear route, so please do the "clear session", which would help you to pass the traffic. So whenever you have to fail over from VPN to the clear route, you have to clear the existing session to make it work.

     

    Thanks

    Atif



  • 3.  RE: Problem routing with Bgroups
    Best Answer

    Posted 06-10-2009 08:01
    Found the issue - cannot route over the bridge group in this manner.