The customer has 2 hubs (USG6350) running HRP load balanced mode, which is working well.
He has configured DSVPN (dual HUB) on the USGs and he has an AR169 acting as a spoke.
Everything works perfectly until he adds IPSec encryption to the tunnels. The customer is using the local IP addresses of G1/0/0 for the Hubs and the Dialer IP interface of the spoke.
When he adds encryption, the AR can connect to only one hub (the master), but it cannot connect to the second hub (the slave).
If he reboots the master, the slave becomes the new master, OSPF forms fine and the tunnel is encrypted.
If he removes encryption from all tunnels (HUB 1, HUB 2 and SPOKE 1), DSVPN works perfectly: the spoke registers with both hubs in NHRP and the OSPF neighbours establish fine. The issue is therefore related to encryption.
Below you can see the topology:
1. We started by checking the configuration on the USG and the AR; the customer was using hot standby in active-standby mode. The IPSec parameters were OK, so we asked the customer to collect debugging information for IPSec.
2. We checked the debugging output and saw that when the spoke (AR) sends the negotiation packets to the standby USG, that device drops them.
After checking this behavior, we suggested that the customer delete the IPSec configuration of the tunnel interface and then add it again using the keyword “alone” on the USG6300:
The keyword “alone” indicates that the tunnel is not backed up.
In this situation, please delete the IPSec configuration and add it using the keyword “alone”.