The customer has 2 hubs (USG6350) running in HRP load-balanced mode, which is working well. He has configured DSVPN (dual hub) on the USGs, and he has an AR169 acting as a spoke. Everything works perfectly until he adds IPSec encryption to the tunnels. The customer is using the local IP addresses of G1/0/0 for the hubs and the Dialer interface IP for the spoke.

When he adds encryption, the AR can only connect to one hub (the master), but it cannot connect to the second hub (the slave). If he reboots the master, the slave becomes the new master, OSPF forms fine and the tunnel is encrypted.

If he removes encryption from all tunnels (HUB 1, HUB 2 and SPOKE 1), DSVPN works perfectly: the spoke registers with both hubs in NHRP and the OSPF neighbours establish fine, so this issue relates to encryption.

Topology (diagram not reproduced here):
1. We started by checking the configuration on the USG and the AR; the customer was using hot-standby in active-standby mode. The IPSec parameters were OK, so we asked the customer to collect IPSec debugging information.
2. We checked the debugging output and saw that when the spoke (AR) sends the IPSec negotiation packets to the standby USG, that device drops them.

After confirming this behaviour, we suggested that the customer delete the IPSec configuration from the tunnel interface and then add it again using the keyword “alone” on the USG6300. The keyword “alone” indicates that the tunnel is not backed up by HRP, which is what is needed here because each hub terminates the tunnel on its own local G1/0/0 address rather than on a shared virtual address.

Solution: delete the IPSec configuration and add it again using the keyword “alone”.
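The change described above, written out as an added illustration rather than the customer's actual configuration. The interface name (Tunnel0) and policy name (dsvpn_pol) are assumptions; only the “alone” keyword and the delete-then-re-apply sequence come from the case. The exact form of the apply command should be checked against the command reference for the USG6000 software version in use, and the same change is made on both hubs; the spoke (AR169) configuration is left as it is.

```text
# Added example, not the customer's configuration.
# Names below are assumptions: Tunnel0 = DSVPN tunnel interface, dsvpn_pol = IPSec policy.
#
# HUB 1 (USG6350, HRP master) and HUB 2 (USG6350, HRP slave): apply on both.
interface Tunnel0
 undo ipsec policy                 # remove the existing (backed-up) IPSec binding
 ipsec policy dsvpn_pol alone      # re-apply it; "alone" = this tunnel is not backed up by HRP
 quit
#
# Verification after the change, run on both hubs (standard VRP display commands;
# availability of each command depends on the platform and version).
display hrp state                  # confirm the HRP role of each hub
display ike sa                     # the spoke should now hold an IKE SA on BOTH hubs
display ipsec sa                   # and an IPSec SA on both hubs, not only on the master
display ospf peer                  # OSPF adjacency to the spoke should be Full on both hubs
```

The check that matters is the second hub: before the change the standby USG dropped the spoke's negotiation packets, so an IKE/IPSec SA appeared only on the master. After re-applying the policy with “alone”, both hubs should show an SA for the spoke and both OSPF adjacencies should come up, without having to fail over to see the second tunnel encrypted.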