Ctrlk

ADVPN

ADVPN Dual Hub Configuration

Hub

config vpn ipsec phase1-interface
  edit "T_NET_0"
    set net-device disable
    set auto-discovery-sender enable
  next
end

Spoke

config vpn ipsec phase1-interface
  edit "T_INET_0"
    set net-device enable
    set auto-discovery-receiver enable
  next
end
config system interface
  edit "T_INET_0"
    set allowaccess ping
  next
end

Overlay Stickiness and ADVPN

Prefer shortcut negotiation over same ISP overlays to prevent shortcut negotiation over unreachable underlays, e.g. internet and MPLS

Fine-Tuning ADVPN Deployment

Timing Out Idle Shortcuts

By default, shortcuts inherit lifetime settings of parents
Set an idle timer to shortcuts to save resource, health check traffic doesn't count

Making Shortcuts lifetime dependents of parents

Bring down shortcuts immediately after parent goes down, default = independent

Allowing Multiple shortcuts over same pair of gateways

Assign different network IDs to overlays to allow multiple overlapping shortcuts
Supported by IKE2 only

Delaying Failback to Recovered Shortcut

Delay use of recovered members, including shortcuts
Wait until hold-down-time has passed
- more accurate monitoring
- prevent impact to:
  - Sensitive applications during brownout conditions and SLA changes
  - CPU usage caused by session re-evaluation
Highly recommended for SDWAN + ADVPN + lowest cost (SLA) rules deployments
SDWAN rule status: diagnose sys sdwan service 1

Troubleshooting

Shortcut path debug

diagnose debug console timestamp enable
diagnose vpn ike log filter clear
diagnose vpn ike log filter mdst-addr4 <ip.of.hub> <ip.of.spoke>
diagnose debug application ike -1
diagnose debug enable

PreviousSDWAN NextPerformance SLA

Last updated 2 years ago

config vpn ipsec phase1-interface
  edit "advpn1"
    set ike-version 2
    set network-overlay enable
    set network-id 1
  next
  edit "advpn2"
    set ike-version 2
    set network-overlay enable
    set network-id 2
  next
end