Dual Hub FlexVPN Error Tidbit

Sharing an issue that took me some time to troubleshoot & figure out in my dual hub single cloud FlexVPN lab/post (see here: Configuring & Verifying FlexVPN Redundancy with Dual Hub & Single Cloud).


So, I had configured two cert maps on the secondary hub, which ended up causing neither client to establish an SA & come UP when forcing failover to the respective secondary hub. The second cert map was configured/deployed to map CSR1 (primary hub) to a different IKEv2 profile that was used in another lab setup to utilize an SVTI to establish a tunnel between the two hubs. Here are the issues I faced while troubleshooting dual hub failover:


Debugging ikev2 packet & ipsec kept spitting out these errors:

IPsec debug:

IKEv2 packet debug:

The following 'no proposal chosen' indicates there is a mismatch of proposals during negotiations. I think IPSec was by default assuming it would use the local address on which it received the IKE proposal (don't quote me). Clearly the wrong IKE profile was matched during IKE_AUTH process, which created an issue since there was no virtual-template assigned to deploy a DVTI so we could finish the process of establishing a tunnel.


Here is the misconfigured cert map on CSR12 (secondary hub):

The configured map was for any ID containing csr1, which is every device in the topology. That map above did not map to the correct IKEv2 profile I needed to engage. Here are the two different IKEv2 profiles used for different purposes that created this rabbit hole:

Tweaking the HUB cert map to the following fixed all issues & I was able to successfully move forward with testing redundancy:

To see a successful deployment & failover of a FlexVPN dual hub & single cloud see: <>. Cheers!

0 comments

Recent Posts

See All

ASA Security Contexts Tidbit

In this tidbit I want to explain what Cisco ASA Security Contexts are in this blog. A very plain & simple way to put it, security contexts are a way to logically divide the ASA into multiple logical

Fundamentals of PKI Tidbit

I want to touch on some of the fundamentals and standards involved with PKI to give us an overview of what things are/mean. To start let's cover what the standards are. So you have probably seen or

BGP Peer Groups Tidbit

I want to touch on BGP peer groups in this tidbit to explain what they are & why they are important. Peer groups in BGP can greatly simplify configuration when BGP neighbors share a lot of the same ou

#learnITwithCifelli

© 2023 by Train of Thoughts. Proudly created with Wix.com