
Dual ISP + Hub & Spoke EIGRP Routing

mistryj
Level 1

Hello,

I have attached a diagram.

I have two sites with dual ISPs, one MPLS and the other an Internet VPN tunnel, connecting between them, and VPN tunnels to C, D, E, F.

The routing protocol is EIGRP for all sites. BGP is only running over MPLS, and EIGRP on the LAN side on the CE.

Requirement 1. To have only local traffic between Site A and B go via MPLS.

Requirement 2. All traffic for C, D, E, F to go via VPN.

If MPLS fails, traffic is to route via VPN and vice versa, with automatic failover.

What is the best way to achieve and configure this?

Are there any examples I can follow?


Philip D'Ath
VIP Alumni

If I understand correctly, BGP is only used between the hub sites and only on the MPLS link.  So it sounds like if a BGP route exists it should be preferred.

The relative administrative distance of the routing protocols is:

EIGRP summary route 5
External BGP 20
Internal EIGRP 90
External EIGRP 170
Internal BGP 200

I'm guessing you are using external BGP (with an MPLS service provider), so those routes will have an AD of 20, while you are using internal EIGRP, so those routes will have an AD of 90.

So it seems like everything has already fallen into place for you.  BGP will be used in preference, and EIGRP if there is no BGP route.

BGP is configured on the CE Routers inter-connecting to Routers A and B via the MPLS circuit (see attached diagram). EIGRP is also configured on the same CE Routers and EIGRP routes are redistributed into BGP. Routers A and B are only running EIGRP.

This is the route entry for a subnet at site A, taken from router B:

Routing entry for 10.136.21.0/24  <--- Site A Subnet
  Known via "eigrp 1", distance 170, metric 25600512
  Tag 64517, type external
  Redistributing via eigrp 1
  Last update from 10.136.63.53 on GigabitEthernet0/0, 5d22h ago
  Routing Descriptor Blocks:
  * 10.136.63.53, from 10.136.63.53, 5d22h ago, via GigabitEthernet0/0
      Route metric is 25600512, traffic share count is 1
      Total delay is 20 microseconds, minimum bandwidth is 100 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 1/255, Hops 1
      Route tag 64517

If all tunnels to the VPN Router at Site B are shut down apart from the tunnel between Site A and B, I get asymmetric routing issues with RDP. If I RDP from Site C to a server in Site B, traffic is routed via Site A to Site B via MPLS and return traffic comes back via the VPN tunnel from Site A to C.

If the direct VPN tunnel from Site C to Site B is up, traffic destined for Site A goes via Site B across the MPLS to Site A instead of taking the direct tunnel to Site A from Site C.

I do also have static routes configured pointing to subnets on the LAN on Routers A and B, as there is no EIGRP configured on the LAN switches. Is this the main reason for the routing issues?

 

 

I can think of two ways to resolve this.  The hard way and the easy way.

The easy way is to create a GRE tunnel over the MPLS cloud between 'A' and 'B', run EIGRP over it, and then turn BGP completely off.

Yes, tried using offset lists, PBR, delay commands and tuning individual tunnels on the main A and B VPN routers but could not get it right. One change affects another.

I can put in a change request with the ISP to implement GRE, but will local traffic between the A and B routers use the MPLS link and all other traffic go via VPN?

You don't need to ask the ISP to do anything. You can build the GRE tunnels directly off your existing hub routers (the ones running EIGRP already).

Ideally the tunnels themselves should use the MPLS interface IP addresses as the source and destination, then the MPLS network does not need to know about any of your network routes.

You should be able to bring up the tunnels yourself, verify it is working, and then drop the BGP yourself.

And yes, getting back to only using one routing protocol will make things simple.

I have a /30 point-to-point address sourced from the local 10 network at site A and site B configured between Router A and the CE router, and not a public IP. This is the same for Router B. Does this matter?

Also the latency is about the same but slightly less with MPLS, so this will make it the preferred route over VPN? Both links are 30Mbps at Site B.

Also no chance of getting a routing loop again between sites with two links?

As long as you can ping from the /30 to the other /30 that is all you need. This would be your tunnel IP addresses.

EIGRP will first select the route with the best bandwidth.  So on the Tunnel interface simply use the "bandwidth" command, and specify a bandwidth higher than being used on the other tunnels (you can even use the actual MPLS bandwidth).

To avoid a routing loop create static "permanent" routes for each remote tunnel endpoint address on both routers.  For example, if the remote /30 tunnel IP was 192.168.255.2, and the next hop is 10.0.0.1, add:

ip route 192.168.255.2 255.255.255.255 10.0.0.1 permanent

I think you're right, this will resolve the issue as we already have a fully meshed GRE VPN on the network; the only difference is having two tunnels going between the same sites.

I will give this a try and give you an update once configured and tested, hopefully by end of week.

Hi Philip,

Created a GRE tunnel over MPLS but the tunnels failed to come up; they went into a recursive loop. Had to put in an access-list to stop it learning the route via the tunnel.

Also had to add a delay statement on Gig0/0 on both A and B MPLS routers to stop this interface from being preferred over the GRE tunnel that was created. So I'm not sure if I need to get the ISP to remove EIGRP on the CE router, as without the delay traffic starts going via MPLS but this creates asymmetric routing issues again. Traffic still prefers to go via VPN.

However the asymmetric issue has been resolved by the GRE tunnel, but I cannot get Site A and Site B local traffic to prefer the GRE tunnel over MPLS. If I remove the delay statement on external interface Gi0/0 on the MPLS router the traffic starts to go via MPLS, not the GRE tunnel over MPLS. But return traffic will always come back via VPN.

If I get the ISP to remove EIGRP on MPLS will that help?

At the moment EIGRP metrics are saying the direct VPN is faster than the MPLS or GRE VPN over MPLS.

You don't want the MPLS stub interfaces to be included in the EIGRP routing database.  You should just be able to remove the network lines that relate to this.

You should be able to stop talking a dynamic routing protocol with the service provider MPLS routers. Can you not just remove the "network" lines in EIGRP that cause it to speak on this link?

If you can't do this, then yes, ask the ISP to turn off EIGRP facing towards you.

EIGRP will prefer the tunnels with the highest bandwidth, as configured with the "bandwidth" command first.  "show interface tunnel x" will tell you what the reported bandwidth is.  Make sure you specify a higher bandwidth on both ends of the tunnel that runs over the MPLS network.
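
Added example (not part of the original posts): a small Python model of the route choice discussed in this thread, using the administrative distances listed earlier and the classic EIGRP composite metric with default K values. It reproduces the metric 25600512 from the route entry shown above; the tunnel names and their bandwidth and delay figures are constructed for illustration.

```python
from dataclasses import dataclass

# Administrative distances as listed earlier in the thread.
ADMIN_DISTANCE = {"eigrp-summary": 5, "ebgp": 20, "eigrp-internal": 90,
                  "eigrp-external": 170, "ibgp": 200}

def eigrp_metric(min_bw_kbps: int, total_delay_usec: int) -> int:
    """Classic EIGRP metric, default K values (K1=K3=1, K2=K4=K5=0).

    The bandwidth term uses the lowest bandwidth along the path; the delay
    term is the summed interface delay in tens of microseconds.
    """
    return 256 * (10**7 // min_bw_kbps + total_delay_usec // 10)

@dataclass(frozen=True)
class Path:
    name: str
    source: str            # key into ADMIN_DISTANCE
    min_bw_kbps: int
    total_delay_usec: int

    @property
    def metric(self) -> int:
        return eigrp_metric(self.min_bw_kbps, self.total_delay_usec)

def best_path(paths):
    """Lowest administrative distance first, then lowest EIGRP metric."""
    return min(paths, key=lambda p: (ADMIN_DISTANCE[p.source], p.metric))

# From the route entry on the page: 100 Kbit minimum bandwidth, 20 usec delay.
CE_ROUTE = Path("via-ce-redistributed", "eigrp-external", 100, 20)
# Constructed values (assumptions, not taken from the thread's routers).
VPN_TUNNEL = Path("internet-vpn-tunnel", "eigrp-internal", 10_000, 50_000)
GRE_LOW_BW = Path("gre-over-mpls", "eigrp-internal", 100, 50_000)
GRE_RAISED_BW = Path("gre-over-mpls", "eigrp-internal", 30_000, 50_000)

def compare():
    """Return the winning path name before and after raising tunnel bandwidth."""
    before = best_path([CE_ROUTE, VPN_TUNNEL, GRE_LOW_BW])
    after = best_path([CE_ROUTE, VPN_TUNNEL, GRE_RAISED_BW])
    return before.name, after.name

if __name__ == "__main__":
    for p in (CE_ROUTE, VPN_TUNNEL, GRE_LOW_BW, GRE_RAISED_BW):
        print(f"{p.name:22} AD={ADMIN_DISTANCE[p.source]:3} metric={p.metric}")
    print("preferred before/after:", compare())
```

The externally learned route loses on administrative distance regardless of its metric, and the choice between the two tunnels flips only once the GRE tunnel's configured bandwidth is raised on the sample values.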

Hi Philip,

I made some adjustments to the bandwidth statement on tunnels and other HSRP priority, making MPLS gig 0/1 active and VPN standby. The local traffic seems to be routing fine now over MPLS/GRE and no asymmetric issues with GRE over MPLS. Just got performance testing tomorrow but in any case all looks good. Let's hope it stays that way when we do a failover.

Thank You !!!

You're welcome. Although this seemed a bit tricky, it's 10 times simpler than doing it the other way.

Plus it is much easier investigating faults and changing routing policy when there is only one routing protocol in use.

Yes, unfortunately I assumed all was working fine but Internet failed at Site A. Since changing HSRP to make MPLS the Active Router on Gig0/1 to LAN. At Site B the MPLS Router is Active already and everything is working fine. I had to make the VPN router at Site A the Active router on Gig0/1. Internet works fine now.

Internet should route via the VPN Router and internal traffic between Site A and B should go via MPLS.

So now I have Site B routing to Site A via MPLS correctly but Site A routing to Site B is going via VPN. However since GRE over MPLS I don't get asymmetric routing issues.

I assume RDP traffic initiated via Site B to Site A servers goes via the MPLS tunnel and also the return path is the same, that's why it's working?

If we wanted to host the majority of Site B applications at Site A, and throw SIP trunking between the phones into the mix, traffic levels between the two sites will increase significantly; will this still work fine with Site B only routing via MPLS to Site A?

I am thinking SIP trunking would have worked just using GRE VPN over Internet and not over MPLS? Not sure if MPLS was a good buy; am I incorrect?

   

If everything is running EIGRP between all of your own kit then it should work. However you could consider using HSRP tracking to make HSRP fail over automatically if there is an issue.

As long as the ping and jitter times stay stable it should be fine.  You are not likely to have any issues.
