Split Tunneling in ISR 1111

shafi0211
Level 1

Hello,

I have an ISR installed at the site with the config below. How best can I do split tunneling on this? Right now it is a full tunnel and all traffic is going via the tunnel.

Current configuration : 14578 bytes
!
! Last configuration change at 18:21:52 EST Wed Jul 29 2020 by 
! NVRAM config last updated at 18:21:55 EST Wed Jul 29 2020 by 
!
version 15.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot system flash:c890-universalk9-mz.154-3.M9.bin
boot-end-marker
!
!
logging buffered 1000000
no logging console
no logging monitor
enable secret 5 
!
aaa new-model
!
aaa session-id common
clock timezone EST -5 0
!
crypto pki trustpoint TP-self-signed-1332423565
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1332423565
revocation-check none
rsakeypair TP-self-signed-1332423565
!
!
crypto pki certificate chain TP-self-signed-1332423565
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 
quit
!
no ip source-route
no ip gratuitous-arps

!
ip dhcp excluded-address 10.27.20.250 10.27.20.254
ip dhcp excluded-address 10.27.140.250 10.27.140.254
ip dhcp excluded-address 10.27.145.250 10.27.145.254
ip dhcp excluded-address 10.27.10.220 10.27.10.254
ip dhcp excluded-address 10.27.130.21 10.27.130.254
ip dhcp excluded-address 10.27.120.11 10.27.120.254
ip dhcp excluded-address 10.27.50.240 10.27.50.254
ip dhcp excluded-address 10.27.50.1 10.27.50.199
!
ip dhcp pool private
network 10.27.10.0 255.255.255.0
default-router 10.27.10.254
domain-name ***
netbios-name-server 10.10.40.202 10.30.40.27
dns-server 10.10.40.202 10.30.40.27
!
ip dhcp pool wireless
network 10.27.140.0 255.255.255.0
default-router 10.27.140.254
dns-server 10.10.40.202 10.30.40.27
netbios-name-server 10.10.40.202 10.30.40.27
domain-name ***
!
ip dhcp pool mobile
network 10.27.145.0 255.255.255.0
default-router 10.27.145.254
dns-server 10.10.40.202 10.30.40.27
netbios-name-server 10.10.40.202 10.30.40.27
domain-name ***
!
ip dhcp pool training
network 10.27.130.0 255.255.255.0
default-router 10.27.130.254
dns-server 10.30.150.250 10.30.150.251
domain-name ****
!
ip dhcp pool microcell
host 10.27.10.219 255.255.255.0
client-identifier **
default-router 10.27.10.254
netbios-name-server 10.10.40.202 10.30.40.27
dns-server 10.10.40.202 10.30.40.27
!
ip dhcp pool vlan50
network 10.27.50.0 255.255.255.0
default-router 10.27.50.254
dns-server 10.10.40.202 10.30.40.27
netbios-name-server 10.10.40.202 10.30.40.27
domain-name ***
!
ip dhcp pool IOT
network 10.27.120.0 255.255.255.0
default-router 10.27.120.254
dns-server 8.8.8.8 8.8.4.4
!
!
!
no ip bootp server
no ip domain lookup
ip domain name **.net
ip name-server 4.2.2.5
ip name-server 8.8.8.8
ip inspect name FW tcp
ip inspect name FW udp
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid CISCO891-K9 sn FTX161983V0
!
!
archive
log config
hidekeys
username ** privilege 15 secret 5 
!
redundancy
!
track 4 ip sla 4 reachability
!
track 5 ip sla 5 reachability
!
track 6 list boolean or
object 4
object 5
!
track 10 ip sla 10 reachability
!
track 20 ip sla 20 reachability
!
track 30 ip sla 30 reachability
!
track 40 list boolean or
object 10
object 20
object 30
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key *** address x no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set SECURE esp-3des esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile <profile>
set transform-set SECURE
set pfs group2
!
interface Tunnel5
description Backup Tunnnel to DC
ip address 10.254.10.38 255.255.255.252
ip mtu 1446
ip virtual-reassembly in
ip tcp adjust-mss 1300
tunnel source FastEthernet8
tunnel mode ipsec ipv4
tunnel destination x
tunnel protection ipsec profile <profile>
!
interface Tunnel6
description Primary Tunnel to DC
bandwidth 900000
ip address 10.254.10.42 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1300
tunnel source GigabitEthernet0
tunnel mode ipsec ipv4
tunnel destination x
tunnel protection ipsec profile <profile>
!
interface FastEthernet0
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface FastEthernet1
description Link to 2960 Stack
switchport mode trunk
no ip address
!
interface FastEthernet2
description Link to 2960 Stack
switchport mode trunk
no ip address
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface FastEthernet4
no ip address
spanning-tree portfast
!
interface FastEthernet5
no ip address
spanning-tree portfast
!
interface FastEthernet6
no ip address
spanning-tree portfast
!
interface FastEthernet7
no ip address
spanning-tree portfast
!
interface FastEthernet8
description backup
ip address <backup IP> 255.255.255.248
ip access-group outside_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect FW out
ip virtual-reassembly in
ip tcp adjust-mss 1300
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0
description Primary
ip address <primary IP> 255.255.255.240
ip access-group outside_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect FW out
ip virtual-reassembly in
ip tcp adjust-mss 1300
duplex full
speed auto
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
!
interface Vlan10
description LAN
ip address 10.27.10.254 255.255.255.0
ip helper-address 10.30.50.31
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan20
description Voice
ip address 10.27.20.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
ip tcp adjust-mss 1452
shutdown
!
interface Vlan50
description management
ip address 10.27.50.254 255.255.255.0
ip helper-address 10.30.50.31
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan120
description IOT
ip address 10.27.120.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan140
description Wireless
ip address 10.27.140.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan145
ip address 10.27.145.254 255.255.255.0
!
interface Async1
no ip address
encapsulation slip
!
ip local policy route-map out
ip forward-protocol nd
ip forward-protocol udp 12223
ip forward-protocol udp 5246
ip forward-protocol udp 5247
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map failover-nat interface FastEthernet8 overload
ip nat inside source route-map primary-nat interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Tunnel6 name primary track 6
ip route x 255.255.255.255 <primary IP> name primary track 40
ip route x 255.255.252.0 <primary IP> name primary track 40
ip route 0.0.0.0 0.0.0.0 Tunnel5 150 name backup
ip route 1.1.1.1 255.255.255.255 <primary IP>
ip route 8.8.4.4 255.255.255.255 <primary IP>
ip route 8.8.4.4 255.255.255.255 Null0 200
ip route x 255.255.252.0 <backup IP>
ip route x 255.255.255.255 <primary IP>
ip route x 255.255.255.255 Null0 200
ip route x 255.255.255.255 <Primary IP>
ip route x 255.255.255.255 Null0 200
ip route x 255.255.255.255 <backup IP> 200 name backup-route
ip ssh version 2
!
ip access-list standard snmp-access
permit 10.161.48.16
permit 10.161.48.65
!
ip access-list extended monitoring
permit ip host 10.27.10.254 host 10.161.48.65
ip access-list extended nat
deny ip 10.27.0.0 0.0.255.255 192.168.77.0 0.0.0.255
deny ip 10.27.0.0 0.0.255.255 130.1.2.0 0.0.0.255
deny ip 10.27.0.0 0.0.255.255 10.0.0.0 0.255.255.255
ip access-list extended out-xo
permit ip host <backup IP> any
ip access-list extended outside_acl
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp host x any eq 22
permit tcp host x any eq telnet
permit icmp host x any
permit tcp x 0.0.0.31 any eq 22
permit tcp x 0.0.0.31 any eq telnet
permit icmp x 0.0.0.31 any
permit udp any any eq bootpc
permit udp any eq ntp any
permit udp host x any eq isakmp
permit esp host x any
permit udp host x any eq non500-isakmp
permit tcp x 0.0.3.255 any eq 22
permit tcp x 0.0.3.255 any eq telnet
permit icmp x 0.0.3.255 any
permit udp host x any eq isakmp
permit esp host x any
permit udp host x any eq non500-isakmp
ip access-list extended <crypto-acl>
permit ip 10.27.0.0 0.0.255.255 any
ip access-list extended untrust-self
ip access-list extended verizon-out
permit ip host <primary IP> any
!
ip sla 4
icmp-echo 10.254.10.41 source-ip 10.254.10.42
frequency 5
ip sla schedule 4 life forever start-time now
ip sla 5
icmp-echo 10.254.10.41 source-ip 10.254.10.42
frequency 12
ip sla schedule 5 life forever start-time now
ip sla 10
icmp-echo x source-interface GigabitEthernet0
frequency 5
ip sla schedule 10 life forever start-time now
ip sla 20
icmp-echo x source-interface GigabitEthernet0
frequency 10
ip sla schedule 20 life forever start-time now
ip sla 30
icmp-echo 8.8.4.4 source-interface GigabitEthernet0
frequency 15
ip sla schedule 30 life forever start-time now
ip sla 104
icmp-echo 130.1.2.19 source-interface Vlan20
frequency 10
ip sla schedule 104 life forever start-time now
ip sla 105
icmp-echo 10.30.200.254 source-interface Vlan10
frequency 10
ip sla schedule 105 life forever start-time now
ip sla 106
icmp-echo 192.168.77.1 source-interface Vlan10
frequency 10
ip sla schedule 106 life forever start-time now
logging trap debugging
logging source-interface Vlan10
logging host 10.30.150.244
!
route-map primary-nat permit 10
match ip address nat
match interface GigabitEthernet0
!
route-map failover-nat permit 10
match ip address nat
match interface FastEthernet8
!
route-map out permit 10
match ip address out-xo
set ip next-hop <backup IP>
!
route-map out permit 15
match ip address verizon-out
set ip next-hop x <primary IP>
!
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
vstack
banner motd ^C
**************************************************
**************************************************
** **
** WARNING! WARNING! WARNING! **
** **
**************************************************
**************************************************

Unauthorized access to this system is strictly prohibited
Unauthorized access will be subject to legal action

If you are not authorized to access this system
D I S C O N N E C T I M M E D I A T E L Y !R
^C
!
line con 0
line vty 0 4
privilege level 15
transport input ssh

Thanks!

7 Replies

Hello,

in your crypto map, you 'match address x-x'. Which access list is that?

Typically, with crypto maps, you can only define which traffic does NOT get translated. Why don't you simply use SVIs, which give you much more control over which traffic goes where? You simply create static routes pointing towards the tunnel for traffic that you want to go through the tunnel.

Hi @Georg Pauwen

My mistake, apologies, I copied the wrong router config.

Please see existing config with full tunnel -


Hello,

That looks different indeed. :)

Which traffic do you want to go through the tunnel? Right now, from what I can tell, the default route goes through tunnel 5, and the backup default route through tunnel 6.


Thanks for the response.

I need only private IPs to go through tunnel 5 and the rest of the traffic via the primary ISP interface.

If the primary interface goes down then there is a backup ISP interface.

Right now, as you can see, there is a default route for all traffic to the tunnel. I want to change this so only private IPs go via the tunnel.

Thanks!

Hello
At present it looks like you're locally trying to policy route traffic instead of policy routing traffic through the router (data plane).

Example:
no ip local policy route-map out

int x/x
ip policy route-map out

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

@paul driver 

Thanks for your reply. I am not sure I understand what you are saying.

How do I route traffic such that private IPs go via the tunnel and the rest of the traffic through the outside interface? Thank you.

The current config has default routes that send all traffic through the primary tunnel or through the backup tunnel.

ip route 0.0.0.0 0.0.0.0 Tunnel6 name primary track 6

ip route 0.0.0.0 0.0.0.0 Tunnel5 150 name backup

You need to remove these default routes and replace them with a default route with the ISP router as the next hop.

I see that you have configured for local policy based routing. You might want to keep this. But this will only process traffic that is originated by the router itself. You will need to configure PBR on the interfaces where the traffic comes into the router.

I believe that there is an issue with the configuration of PBR

route-map out permit 10
match ip address out-xo
set ip next-hop <backup IP>
!
route-map out permit 15
match ip address verizon-out
set ip next-hop x <primary IP>

with these access lists

ip access-list extended out-xo
permit ip host <backup IP> any

ip access-list extended verizon-out
permit ip host <primary IP> any

Using the backup IP and primary IP might work for local PBR but to send user traffic through the tunnel you need to specify the private IP subnets as the source. And you might not want to permit the destination as any. If you do that any traffic arriving with a private IP source address will be sent through the tunnel. Is it possible that some of that user traffic might be for some local destination?

HTH

Rick
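A worked example of the approach Georg and Rick describe, added here as an illustration and not taken from the thread, from the poster's router or from Cisco documentation: the two tunnel default routes are replaced by a default toward the ISP, and only the private destinations that the poster's `nat` ACL already exempts from translation are routed into the VTI tunnels. Because both tunnels use `tunnel mode ipsec ipv4`, the crypto ACL is not what selects traffic; the routing table is, which is why static routes are enough. The ISP next-hop addresses `<primary-gw>` and `<backup-gw>` are placeholders for the values the thread masks, and the route names, the added `permit` line in the `nat` ACL and the extra `ip nat inside` statements are assumptions about what the site needs.

```cisco
! Added example, not the poster's running config.
! <primary-gw> / <backup-gw> are placeholders for the ISP next-hops the thread masks.
!
! 1. Remove the two tunnel default routes; they are what makes this a full tunnel.
no ip route 0.0.0.0 0.0.0.0 Tunnel6 name primary track 6
no ip route 0.0.0.0 0.0.0.0 Tunnel5 150 name backup
!
! 2. Default toward the ISPs instead. The existing track 40 (SLA 10/20/30 sourced
!    from Gi0) already reports primary-ISP health; the backup is a floating static.
ip route 0.0.0.0 0.0.0.0 <primary-gw> name primary-isp track 40
ip route 0.0.0.0 0.0.0.0 <backup-gw> 200 name backup-isp
!
! 3. Only DC/private destinations enter the tunnels. The prefixes are the ones the
!    poster's nat ACL already exempts. Tunnel6 stays primary (track 6 = SLA 4/5
!    across the tunnel); Tunnel5 floats at AD 150, as in the original config.
ip route 10.0.0.0 255.0.0.0 Tunnel6 name dc-primary track 6
ip route 10.0.0.0 255.0.0.0 Tunnel5 150 name dc-backup
ip route 192.168.77.0 255.255.255.0 Tunnel6 name dc-primary track 6
ip route 192.168.77.0 255.255.255.0 Tunnel5 150 name dc-backup
ip route 130.1.2.0 255.255.255.0 Tunnel6 name dc-primary track 6
ip route 130.1.2.0 255.255.255.0 Tunnel5 150 name dc-backup
!
! 4. The posted nat ACL contains only deny lines, so nothing would be translated once
!    Internet traffic starts leaving via Gi0/Fa8. Keep the exemptions, add the permit.
ip access-list extended nat
 deny   ip 10.27.0.0 0.0.255.255 192.168.77.0 0.0.0.255
 deny   ip 10.27.0.0 0.0.255.255 130.1.2.0 0.0.0.255
 deny   ip 10.27.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.27.0.0 0.0.255.255 any
!
! 5. In the posted config only Vlan10 has "ip nat inside". Any other SVI whose users
!    should reach the Internet directly needs it as well (assumed: Vlan50 and Vlan140;
!    Vlan120 and Vlan145 likewise if they are meant to leave via the ISP).
interface Vlan50
 ip nat inside
interface Vlan140
 ip nat inside
!
! 6. Verification: the first two lookups should resolve to a Tunnel interface, the
!    third to the ISP gateway; the track and NAT tables confirm failover and translation.
! show ip route 10.30.200.254
! show ip route 192.168.77.1
! show ip route 8.8.8.8
! show track brief
! show ip nat translations
```

Since the tunnel endpoints (`tunnel destination x`) are public addresses, they follow the new ISP default, so the per-destination host routes and their Null0 backups in the posted config can stay as they are. Traffic to 10.27.0.0/16 subnets stays local because the connected routes are more specific than the 10.0.0.0/8 tunnel route, which also answers Rick's concern about local destinations being pulled into the tunnel.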