No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


DUAL HUB IPSec Encrypted DSVPN issue

Publication Date:  2018-03-16 Views:  545 Downloads:  0

Issue Description

The customer has 2 hubs (USG6350) running HRP load balanced mode, which  is working well.


He has configured DSVPN (dual HUB) on the USG’s and he has an AR169 acting as a spoke.

Everything works perfectly until he adds IPSec encryption to the tunnels. The customer is using the local IP addresses of G1/0/0 for the Hubs and the Dialer IP interface of the spoke.


When he adds encryption the AR can only connect to only hub (master), bet he cannot connect to the second hub (slave).

If he reboots the master, the slave becomes the new master and ospf forms fine and the tunnel is encrypted.


If he removes encryption from all tunnels (HUB 1, HUB 2 and SPOKE 1) DSVPN works perfectly, the spoke registers with both hubs in NHRP and OSPF neighbours establish fine, this issue relates to encryption.

Below you can see the topology:

Handling Process

1. We’ve started to check the configuration on the USG and AR and the customer was using hot-standby with active-standby mode. The IPSec parameters were ok so we requested to collect debugging information for the IPSec.

2. We have checked the debugging  and we saw that when the spoke (AR) send the negotiation packets to standby USG, this device will drop them.

After checking this behavior, we suggested the customer to delete the ipsec configuration of the tunnel interface, and then add the configuration using the keyword “alone” on the USG6300:

 The keyword “alone” indicates that the tunnel is not backed up.


In this situation, please delete the IPSec configuration and add it using the keyword “alone”.