Dual Hub FlexVPN Error Tidbit

Sharing an issue that took me some time to troubleshoot & figure out in my dual hub single cloud FlexVPN lab/post (see here: Configuring & Verifying FlexVPN Redundancy with Dual Hub & Single Cloud).

So, I had configured two cert maps on the secondary hub, which ended up causing neither client to establish an SA & come UP when forcing failover to the respective secondary hub. The second cert map was configured/deployed to map CSR1 (primary hub) to a different IKEv2 profile that was used in another lab setup to utilize an SVTI to establish a tunnel between the two hubs. Here are the issues I faced while troubleshooting dual hub failover:

Debugging ikev2 packet & ipsec kept spitting out these errors:

IPsec debug:

IKEv2 packet debug:

The following 'no proposal chosen' indicates there is a mismatch of proposals during negotiations. I think IPSec was by default assuming it would use the local address on which it received the IKE proposal (don't quote me). Clearly the wrong IKE profile was matched during IKE_AUTH process, which created an issue since there was no virtual-template assigned to deploy a DVTI so we could finish the process of establishing a tunnel.

Here is the misconfigured cert map on CSR12 (secondary hub):

The configured map was for any ID containing csr1, which is every device in the topology. That map above did not map to the correct IKEv2 profile I needed to engage. Here are the two different IKEv2 profiles used for different purposes that created this rabbit hole:

Tweaking the HUB cert map to the following fixed all issues & I was able to successfully move forward with testing redundancy:

To see a successful deployment & failover of a FlexVPN dual hub & single cloud see: <>. Cheers!


Recent Posts

See All

Email Security - S/MIME Tidbit

So it has definitely been a minute since I produced a tidbit. Lately I have been investing personal time into email security. The topics that I have covered thus far are in no particular order, but

November 21 Update Tidbit

Sharing some quick personal news as well as an update with where my head is currently at. I recently invested most of my time with VPNs the last couple of months. So I finally decided to take a stab

Personal Tidbit - Oct 2021

Sharing some exciting news. I recently participated in a Cisco Championship Content competition, & actually claimed first place! Pretty excited to receive the news since I frequently spend time on Ci