T1 Leased Line VPN Failover

I have been trying to get this scenario working but have been having issues getting the link to failover correctly. I have a dedicated t1 circuit between my HQ site and Remote Site. I would like to use SpeedFusion VPN as backup. The problem is that when the t1 link fails the traffic is not being routed over the VPN. I have a cisco router feeding the WAN1 port of the Peplink and WAN2 is a DSL configured for SpeedFusion. I have the outbound policy configured for Priority WAN1 then VPN. And there is no NAT in use.

  1. Balance 580 is located at HQ? If so, there are 2 gateways in HQ that allowed client to access remote site? How you route the traffic from HQ to remote site?

  2. Please provide the screenshot of the health check settings for WAN 1 - Arten T1.

  3. I noticed the naming for WAN1 is different between WAN interface and Outbound Policy. Hence, I can’t comment further. Can you double check on this?

  • WAN interface - WAN 1 - Arten T1
  • Outbound Policy - WAN 1 - Arten DSL, WAN 2 - Arten T1

The Balance 580 is located at HQ, when the serial connection is down then routing to the VPN conneciton is done via static route to the 580 ip.
The visio drawing is incorrect for this site, WAN 1 is the DSL LIne and WAN 2 is the T1, I was going to rename them to match the drawing but did not.

When I shutdown the T1 from the HQ router I see the link as down in the logs of the 310 at the remote site.

If I do a trace route from HQ to Remote site I get routed to the HQ 580 ip but no further.

Please find the network diagram below. I suggest implementing SpeedFusion Hot Failover with T1 priority 1 and DSL priority 2. This will achieve your requirement.

is there any way to not include the private t1 within speed fusion? Would configuring the branch for drop in mode work?

In fact, the suggested design will be sorted out all the routing issue between these 2 locations.

If this is not your option, please help to provide info below for further checking.

  1. What is the firmware version of Balance 310?

  2. WAN1 and WAN2 of Balance 310 are active WANs?

  3. Health Check targets ( and for WAN1 of Balance 310 are DNS server located at HQ’s LAN?

  4. Have you enabled Expert Mode on Balance 310 (Network > Outbound Policy > “?” of Rules > turn on Expert Mode)? Please provide screenshot of your Outbound Policy.

  5. Is traffic routable between HQ and Remote Site via T1 WAN in the normal situation?

  6. What is the firmware version of Balance 580?

  7. What is the Health Check target for Balance 580 WAN? WAN1 public IP of Balance 310?

  8. Since there are 2 gateways in HQ for accessing Remote Site, may I know the routing from HQ to Remote Site is automated or configure manually when TI link is down? If automated, are you using IP SLA (assume you are using cisco router) to monitor the T1 connection status?

If info above is sensitive, please open ticket for us to take closer look.

Thank you.

See updates in bold above.

Based on the provided info, failover should work. Please open ticket for us to do further checking on other settings.

Thank you.

I did a bit more testing and found that when I Disable the T1 and do a trace route the the remote site traffic is routed the the HQ 580. (IP then routed back to the Cisco HQ Router (

It looks like the HQ Router is not routing to the remote site but sending the traffic back to the cisco.

Thanks for the additional info. This is the reason I requested to open ticket for further checking. We need to check the settings on Balance 580 and Balance 310. Else please consider the suggestion here.

Thank you.