Dual Hub FlexVPN Error Tidbit

Sharing an issue that took me some time to troubleshoot & figure out in my dual hub single cloud FlexVPN lab/post (see here: Configuring & Verifying FlexVPN Redundancy with Dual Hub & Single Cloud).

So, I had configured two cert maps on the secondary hub, which ended up causing neither client to establish an SA & come UP when forcing failover to the respective secondary hub. The second cert map was configured/deployed to map CSR1 (primary hub) to a different IKEv2 profile that was used in another lab setup to utilize an SVTI to establish a tunnel between the two hubs. Here are the issues I faced while troubleshooting dual hub failover:

Debugging ikev2 packet & ipsec kept spitting out these errors:

IPsec debug:

IKEv2 packet debug:

The following 'no proposal chosen' indicates there is a mismatch of proposals during negotiations. I think IPSec was by default assuming it would use the local address on which it received the IKE proposal (don't quote me). Clearly the wrong IKE profile was matched during IKE_AUTH process, which created an issue since there was no virtual-template assigned to deploy a DVTI so we could finish the process of establishing a tunnel.

Here is the misconfigured cert map on CSR12 (secondary hub):

The configured map was for any ID containing csr1, which is every device in the topology. That map above did not map to the correct IKEv2 profile I needed to engage. Here are the two different IKEv2 profiles used for different purposes that created this rabbit hole:

Tweaking the HUB cert map to the following fixed all issues & I was able to successfully move forward with testing redundancy:

To see a successful deployment & failover of a FlexVPN dual hub & single cloud see: <>. Cheers!


Recent Posts

See All

HTTP Methods & Status Codes Tidbit

In this tidbit I want to touch on different types of HTTP Methods & the types of HTTP status codes you may encounter when consuming APIs in regard to automation. HTTP Methods: GET = get user info PATC

FMC & FTD Communication/Registration Tidbit

In this tidbit I want to cover the basics in regard to FTD & FMC registration. I also intend on covering how the two communicate with each other as this can be helpful when having registration issues

ASA MultiContext Mode Packet Classification Tidbit

In order to understand how traffic flows through the segregated contexts it is important to understand how the ASA determines the context in which it will send the packets. This process is known as c