Sharing an issue that took me some time to troubleshoot & figure out in my dual hub single cloud FlexVPN lab/post (see here: Configuring & Verifying FlexVPN Redundancy with Dual Hub & Single Cloud).
So, I had configured two cert maps on the secondary hub, which ended up causing neither client to establish an SA & come UP when forcing failover to the respective secondary hub. The second cert map was configured/deployed to map CSR1 (primary hub) to a different IKEv2 profile that was used in another lab setup to utilize an SVTI to establish a tunnel between the two hubs. Here are the issues I faced while troubleshooting dual hub failover:
Debugging ikev2 packet & ipsec kept spitting out these errors:
IKEv2 packet debug:
The following 'no proposal chosen' indicates there is a mismatch of proposals during negotiations. I think IPSec was by default assuming it would use the local address on which it received the IKE proposal (don't quote me). Clearly the wrong IKE profile was matched during IKE_AUTH process, which created an issue since there was no virtual-template assigned to deploy a DVTI so we could finish the process of establishing a tunnel.
Here is the misconfigured cert map on CSR12 (secondary hub):
The configured map was for any ID containing csr1, which is every device in the topology. That map above did not map to the correct IKEv2 profile I needed to engage. Here are the two different IKEv2 profiles used for different purposes that created this rabbit hole:
Tweaking the HUB cert map to the following fixed all issues & I was able to successfully move forward with testing redundancy:
To see a successful deployment & failover of a FlexVPN dual hub & single cloud see: <>. Cheers!