ISR 1100 Routing IPSEC

Niklas.D
Level 1

Hi there!

So we are trying to set up the ISR-1100 router via a VPN to our "corenet", one route via cable and the other route via the 4G LTE network.

We can get the traffic to work from

Int gi0/0/0.903 - 10.240.2.238 to the Checkpoint Firewall 10.240.240.1

and also from cellular 0/2/0 10.241.1.21 to Chp FW 10.240.240.1.

We tried to then use the Loopback 0 10.220.220.1 to establish the VPN tunnel to Checkpoint FW 10.240.240.1, and that also looks to work.

But when we try to start traffic from the inside network 10.128.41.1 we get the report from Checkpoint that the traffic is sent unencrypted (from 10.128.41.1 to 10.0.2.12).

So we are stuck on getting inside traffic through the tunnel, and on how we can make the loopback switch between VLAN 903 or the cellular.

Should we use the loopback even?


That worked, now the tunnel is up on gi0/0/0.903.

Very nice! (Thank you.)

So then I took out the cable to see if it jumps over to the cellular 0/2/0 interface; it did not.

What do I need to make it switch over?

And also, how do I later select the wired interface to be the primary link?

EDIT: added current conf

I am glad that we are making progress and that the VPN now does work on the Gig interface.

In your situation, where you are using the loopback address as the peer address and have 2 paths to the remote peer, the key to failover (and to fail back to primary) is in the routing. Am I correct in understanding that your router is learning routes to the remote peer (probably using a default route) via OSPF running on the Gig interface? And am I correct in understanding that when you take out the cable, OSPF stops learning routes to the remote peer?

To solve this you will need a route to the remote peer that goes through the cellular interface. The easy solution would be to configure a floating static route (a static route with a high administrative distance) to the remote peer going over the cellular interface. This floating static route would need to be for the same prefix that is learned by OSPF. (If OSPF is learning a default route then your floating static needs to be a default route; if OSPF is learning a route to the subnet then your floating static needs to be a network route; if OSPF is learning a host-specific route then your floating static needs to be host-specific.)

So the key to getting failover to work is that OSPF will normally provide a route to the remote peer address. When you take out the cable (or there is some other problem that impacts OSPF) and the OSPF route is no longer in the routing table, then the floating static should be used, which will send traffic to the remote peer using the cellular. And when OSPF starts to work again and learns the route to the remote peer, then the floating static is removed from the routing table and your VPN traffic will start using the Gig interface automatically.

HTH

Rick

Hello,

the command Richard posted in addition to applying the crypto map to the loopback interface should work...

I appreciate the updated config posted while I was writing my response. Looking through it I realize that there is something else that we need to discuss. My suggestion about making failover work focused on what you need to do on your router. But we also need to address what happens on the remote peer. If OSPF stopped learning the remote peer address then OSPF would also stop advertising your loopback address, which the remote device uses. So what should be done for the remote device? We do not know anything about that remote device and so it is difficult to give good advice. Perhaps the solution there is similar to the floating static used on your router?

There is perhaps a bigger question which should be addressed. In normal operation you are using OSPF, which knows about subnets in your network, about your remote peer, and probably about routes to the Internet. What happens when OSPF stops? When the cellular connection is activated, what does it connect to? Does that connection know about the rest of your network? Does that connection know how to get to your remote peer? Will the remote peer be able to send traffic that will get to your cellular connection to get to your loopback?

HTH

Rick

Good points, the remote VPN gateway will not know where the device is when it switches over to the cellular interface, as it's a firewall that routes to a 4500-X with a static route.

So I guess I could add the same route in the 4500-X (it uses OSPF to find gi0/0/0.903)? And that should work, I think.

How would I formulate a route that would be lower than the OSPF? (I am very new to this)

I am not clear about the topology of your network, and especially about how the cellular interface will operate. What does it connect to? If an IP packet is sent out that cellular interface, would it have IP connectivity to the rest of your network? Would the 4500-X have IP connectivity to it and be able to forward traffic to the cellular interface? Would you want to run a dynamic routing protocol over the cellular interface?

How to configure a floating static route is fairly simple. It is a static route which includes an optional parameter for Administrative Distance. It might look something like this:

ip route 0.0.0.0 0.0.0.0 cellular0/2/0 250

The 250 is the AD and makes this less preferable than the OSPF route.

HTH

Rick
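As an added illustration (not part of Rick's replies or the thread), this small Python model shows why the floating static in the command above must cover the same prefix as the OSPF route, as Rick's earlier reply states: the RIB compares administrative distance only between candidates for the same prefix, while forwarding is longest-prefix match. Interface names and the ADs (OSPF 110, floating static 250) come from the thread; that OSPF supplies a default route is an assumption, as in Rick's reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances IOS assigns to these route sources.
DEFAULT_AD = {"connected": 0, "static": 1, "ospf": 110}

PEER = "10.240.240.1"  # remote VPN gateway (Checkpoint) from the thread

@dataclass(frozen=True)
class Route:
    prefix: str               # e.g. "0.0.0.0/0"
    exit_if: str              # exit interface (next hop omitted for brevity)
    source: str               # "connected", "static" or "ospf"
    ad: Optional[int] = None  # explicit AD, e.g. 250 for a floating static

    def distance(self) -> int:
        return DEFAULT_AD[self.source] if self.ad is None else self.ad

def build_rib(candidates):
    """RIB installation: for each prefix only the lowest-AD candidate is installed."""
    rib = {}
    for r in candidates:
        net = ipaddress.ip_network(r.prefix)
        if net not in rib or r.distance() < rib[net].distance():
            rib[net] = r
    return rib

def lookup(rib, dst):
    """Forwarding lookup: longest prefix match over installed routes; AD plays no part here."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, r) for net, r in rib.items() if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Floating static for the same prefix OSPF provides (assumed: a default route), as recommended.
GOOD_FLOATING = Route("0.0.0.0/0", "Cellular0/2/0", "static", ad=250)
# Floating static for a more specific prefix than OSPF provides: never "floats", see exit_interface().
BAD_FLOATING = Route("10.240.240.1/32", "Cellular0/2/0", "static", ad=250)

def exit_interface(ospf_up: bool, floating: Route) -> str:
    """Interface used to reach PEER with the OSPF default route present or withdrawn."""
    candidates = [floating]
    if ospf_up:
        candidates.append(Route("0.0.0.0/0", "Gi0/0/0.903", "ospf"))
    return lookup(build_rib(candidates), PEER).exit_if

if __name__ == "__main__":
    for name, fl in (("same prefix", GOOD_FLOATING), ("host /32", BAD_FLOATING)):
        print(name, "| OSPF up:", exit_interface(True, fl), "| OSPF down:", exit_interface(False, fl))
```

With the matching prefix the cellular path is used only while the OSPF default is absent; with the /32 the cellular path wins even while the cable is up, so the primary link is never used for the peer.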

So well, the Visio we added is a bit of a lie, the traffic is going through the 4500-X.

The 4500-X is our core router in the network and it can for example reach the 10.241.1.21 IP.

But as you said, the VPN gateway (10.240.240.1) will not find the loopback anymore as its static route just tells it to look at the 4500-X.

So adding a route in the 4500-X should work?

ip route 10.220.220.1 255.255.255.255 10.241.1.21 250 ?

If I run "show ip route" in the 4500-X:

"S 10.241.0.0/16 [1/0] via 10.0.64.7"

Thanks for the additional information. It is good that the 4500-X has a route for 10.241.0.0. An important question is whether the core has IP connectivity to the IP address of your cellular interface. Can the 4500-X ping 10.241.1.21? If it can, then your suggested route ip route 10.220.220.1 255.255.255.255 10.241.1.21 250 should work.

HTH

Rick

4500Xj#ping 10.241.1.21 source vlan 1000 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.1.21, timeout is 2 seconds:
Packet sent with a source address of 10.240.240.5
!!!!!

Yes it can, but still it can't find the loopback 10.220.220.1.

From 4500X:

"S 10.220.220.1/32 [250/0] via 10.241.1.21"

But 10.241.1.21 can ping 10.240.240.1 and vice versa.

From ISR-1100:

S* 0.0.0.0/0 is directly connected, Cellular0/2/0
10.0.0.0/32 is subnetted, 2 subnets
C 10.220.220.1 is directly connected, Loopback0
C 10.241.1.21 is directly connected, Cellular0/2/0
Thanks for the information. It is puzzling that things seem right but the VPN does not work. With the cable unplugged, would you post the output of show crypto ipsec sa?

Also, from the 1100 router would you post the output of traceroute 10.240.240.1? And would you post the output from a PC in the LAN of tracert to an address in the remote LAN?

HTH

Rick

Morning

4500X-dc-sj#traceroute 10.241.1.21
Type escape sequence to abort.
Tracing the route to 10.241.1.21
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.64.9 4 msec 0 msec 8 msec
2 10.65.138.201 0 msec 4 msec 0 msec
3 146.172.81.137 12 msec 8 msec 12 msec
4 146.172.99.249 12 msec 8 msec 12 msec
5 146.172.98.45 24 msec 8 msec 12 msec
6 146.172.98.57 8 msec 8 msec 12 msec
7 10.241.1.21 68 msec 548 msec *
4500X-dc-sj#traceroute 10.220.220.1
Type escape sequence to abort.
Tracing the route to 10.220.220.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.64.9 0 msec 0 msec 4 msec
2 10.0.64.2 0 msec 4 msec 0 msec
3 10.0.64.9 4 msec 0 msec 0 msec
4 10.0.64.2 0 msec 4 msec 4 msec
5 10.0.64.9 0 msec 0 msec 4 msec
6 10.0.64.2 4 msec 0 msec 4 msec

Just did a traceroute from my 4500-X and to me it looks like the ISP is sending everything back to me; 10.0.64.2 is one of my 4500-Xs and 10.0.64.9 is the ISP's router.

So I think if this is going to work they need to have a route on their side?
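As an added illustration (not part of the original post), a small parser that flags the revisited hop in IOS traceroute output like the second trace above: an address that answers at two different hop numbers means the packet is being bounced between those two routers, which is what the 10.0.64.9 / 10.0.64.2 alternation shows. The hop-line format is assumed from the output posted; the LOOPED sample is copied from it and the CLEAN sample is constructed.

```python
import re
from typing import List, Optional, Tuple

# Hop lines from IOS traceroute: "<hop> <ip> <rtt> msec ..." (format assumed from the output above).
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

# Sample copied from the traceroute to 10.220.220.1 posted above.
LOOPED = """\
Tracing the route to 10.220.220.1
VRF info: (vrf in name/id, vrf out name/id)
1 10.0.64.9 0 msec 0 msec 4 msec
2 10.0.64.2 0 msec 4 msec 0 msec
3 10.0.64.9 4 msec 0 msec 0 msec
4 10.0.64.2 0 msec 4 msec 4 msec
"""

# Constructed sample of a trace that reaches its destination without revisiting any hop.
CLEAN = """\
Tracing the route to 10.241.1.21
1 10.0.64.9 4 msec 0 msec 8 msec
2 10.65.138.201 0 msec 4 msec 0 msec
3 10.241.1.21 68 msec 548 msec *
"""

def parse_hops(output: str) -> List[Tuple[int, str]]:
    """Return (hop number, responding address) per hop line; silent hops ('* * *') are skipped."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops

def find_loop(output: str) -> Optional[Tuple[int, int, str]]:
    """First address seen at two different hops, as (first_hop, repeat_hop, address), else None."""
    first_seen = {}
    for hop, addr in parse_hops(output):
        if addr in first_seen:
            return (first_seen[addr], hop, addr)
        first_seen[addr] = hop
    return None

if __name__ == "__main__":
    print("looped:", find_loop(LOOPED))  # the 10.0.64.9 / 10.0.64.2 bounce
    print("clean:", find_loop(CLEAN))
```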

Agree that the output looks like there is an issue getting through the ISP when attempting to get to the peering address.

HTH

Rick

(identity) local= 10.240.2.238:0, remote= 10.240.240.1:0, 

So should not my request come from 10.220.220.1? My firewall has that peer set up, so when it's coming from 10.240.2.238 the firewall will not accept it?

The deny is so that you can't go from 10.128.41.1/27 to 10.128.41.130/27.

There should be no traffic from gi0/0/0.2 to gi0/0/0.8.

Tried to remove the access list. Did not work :)