The customer has 2 hubs (USG6350) running HRP load balanced mode, which is working well.
He has configured DSVPN (dual hub) on the USGs and has an AR169 acting as a spoke.
Everything works perfectly until he adds IPSec encryption to the tunnels. The customer is using the local IP addresses of G1/0/0 on the hubs and the Dialer interface IP address on the spoke.
When he adds encryption, the AR can connect to only one hub (the master); it cannot connect to the second hub (the slave).
If he reboots the master, the slave becomes the new master, OSPF forms fine and the tunnel is encrypted.
If he removes encryption from all tunnels (HUB 1, HUB 2 and SPOKE 1), DSVPN works perfectly: the spoke registers with both hubs in NHRP and the OSPF neighbours establish fine, so this issue relates to encryption.
Below you can see the topology:
1. We started by checking the configuration on the USG and AR; the customer was using hot standby in active-standby mode. The IPSec parameters were OK, so we requested IPSec debugging information.
2. We checked the debugging output and saw that when the spoke (AR) sends the negotiation packets to the standby USG, that device drops them.
After checking this behaviour, we suggested that the customer delete the IPSec configuration of the tunnel interface and then add it back using the keyword “alone” on the USG6300:
The keyword “alone” indicates that the tunnel is not backed up.
In this situation, please delete the IPSec configuration and add it again using the keyword “alone”.
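The following configuration fragment is an added illustration of the fix described above; it is not taken from the customer's configuration or from the original case note. It assumes Huawei VRP-style syntax on the hub USG, with the IPSec profile applied in tunnel interface view, and the names Tunnel0/0/0 and dsvpn-profile are invented placeholders. The exact command form on a given USG version should be confirmed against its command reference; only the meaning of the “alone” keyword (tunnel not backed up by HRP) comes from the case.

```text
# Hub USG6350, before the fix (assumed syntax): the IPSec profile on the mGRE
# tunnel is backed up by HRP, so the standby unit drops the spoke's
# IKE negotiation packets instead of answering them.
interface Tunnel0/0/0
 ipsec profile dsvpn-profile

# After the fix (assumed syntax): remove the profile and re-apply it with
# "alone", so the tunnel is not backed up and each hub negotiates IPSec
# with the spoke independently, on both the master and the slave.
interface Tunnel0/0/0
 undo ipsec profile
 ipsec profile dsvpn-profile alone

# Checks after the change (assumed command names):
#   on each hub:  display ipsec sa        -> an SA with the spoke on both hubs
#   on the spoke: display nhrp peer all   -> registrations to both hubs
#                 display ospf peer       -> neighbours Full towards both hubs
```

Because the change removes and re-adds the IPSec configuration, existing tunnels to that hub are torn down during the change; apply it to one hub at a time and verify the spoke re-registers before moving to the second hub.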