ADVPN

ADVPN Dual Hub Configuration

Hub

config vpn ipsec phase1-interface
  edit "T_NET_0"
    set net-device disable
    set auto-discovery-sender enable
  next
end

Spoke

config vpn ipsec phase1-interface
  edit "T_INET_0"
    set net-device enable
    set auto-discovery-receiver enable
  next
end
config system interface
  edit "T_INET_0"
    set allowaccess ping
  next
end
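Complete dual-hub example, added here and not taken from the page: a spoke with one ADVPN overlay to each of two hubs over the internet underlay, extending the hub/spoke fragments above. Hub addresses (203.0.113.1/.2), overlay subnets (10.10.1.0/24, 10.10.2.0/24), interface names and the PSK are assumptions. BGP over the overlays, which the spoke needs in order to learn routes via both hubs, is not shown.

```fortios
# Added example, not the page's own config. Addresses, names and PSK are assumed.

# --- HUB-1 (HUB-2 is configured the same way with its own addresses,
#     tunnel IP 10.10.2.254 and network-id 2) ---
config vpn ipsec phase1-interface
    edit "T_NET_0"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set psksecret "ChangeMe-HubSpokePSK"
    next
end
config vpn ipsec phase2-interface
    edit "T_NET_0"
        set phase1name "T_NET_0"
    next
end
config system interface
    edit "T_NET_0"
        set ip 10.10.1.254 255.255.255.255
        set remote-ip 10.10.1.253 255.255.255.0
        set allowaccess ping
    next
end

# --- SPOKE: one overlay per hub; net-device enabled on both so that every
#     shortcut gets its own tunnel interface that SD-WAN can steer into ---
config vpn ipsec phase1-interface
    edit "T_INET_0"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 1
        set remote-gw 203.0.113.1
        set psksecret "ChangeMe-HubSpokePSK"
    next
    edit "T_INET_1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set network-overlay enable
        set network-id 2
        set remote-gw 203.0.113.2
        set psksecret "ChangeMe-HubSpokePSK"
    next
end
config vpn ipsec phase2-interface
    edit "T_INET_0"
        set phase1name "T_INET_0"
    next
    edit "T_INET_1"
        set phase1name "T_INET_1"
    next
end
# Tunnel IPs; ping is allowed so SD-WAN health checks can probe the overlay.
config system interface
    edit "T_INET_0"
        set ip 10.10.1.2 255.255.255.255
        set remote-ip 10.10.1.254 255.255.255.0
        set allowaccess ping
    next
    edit "T_INET_1"
        set ip 10.10.2.2 255.255.255.255
        set remote-ip 10.10.2.254 255.255.255.0
        set allowaccess ping
    next
end
```

The network ID differs per hub so that the spoke's two overlays are distinguishable when shortcuts are negotiated; the same ID must be used on both ends of a given overlay.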

Overlay Stickiness and ADVPN

  • Keep shortcut negotiation on the same ISP/transport as the parent overlay: if the hub offers a shortcut that crosses underlays (for example a spoke's internet address to another spoke's MPLS address), the two underlays cannot reach each other and the shortcut never comes up

Fine-Tuning ADVPN Deployment

Timing Out Idle Shortcuts

  • By default, shortcuts inherit the lifetime settings of their parent tunnel and stay up as long as their SAs are valid

  • Set an idle timeout on the spoke's phase1-interface (idle-timeout / idle-timeoutinterval) so that shortcuts carrying no user traffic are torn down to save resources; SD-WAN health-check probes do not count as traffic, so a shortcut that only carries probes still times out

Making Shortcut Lifetime Dependent on the Parent

  • Bring shortcuts down immediately when the parent tunnel goes down (auto-discovery-shortcuts dependent); the default is independent, meaning shortcuts survive the loss of their parent

Allowing Multiple Shortcuts over the Same Pair of Gateways

  • Assign a different network ID to each overlay (network-overlay enable, network-id) so that multiple overlapping shortcuts, e.g. one over internet and one over MPLS, can exist between the same pair of gateways; hub and spoke must use the same ID on a given overlay

  • Supported with IKEv2 only

Delaying Failback to Recovered Shortcut

  • Delay the use of recovered SD-WAN members, including shortcuts

  • Wait until hold-down-time (set in the SD-WAN rule) has passed before switching back, which gives:

    • more accurate monitoring

    • no impact on:

      • sensitive applications during brownout conditions and SLA flapping

      • CPU usage caused by session re-evaluation on every change

  • Highly recommended for SD-WAN + ADVPN + Lowest Cost (SLA) rule deployments

  • Check the rule status with: diagnose sys sdwan service 1
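The four fine-tuning knobs above (idle timeout, dependent shortcuts, per-overlay network ID and hold-down-time) applied together, as an added example that is not the page's own configuration. It assumes a spoke that already has two overlays to the hub, "T_INET_0" (internet) and "T_MPLS_0" (MPLS), a hub loopback 10.200.1.1 reachable over both overlays as the health-check target, and an address object "Corp-Subnets"; only the tuning lines are shown for the tunnels. The hub-side auto-discovery-crossover setting is assumed to be available on the running FortiOS release; check it at the CLI before relying on it.

```fortios
# Added example, not from the page. Names, IDs, addresses and thresholds are assumed.

# --- SPOKE: shortcut lifetime and overlay separation ---
config vpn ipsec phase1-interface
    edit "T_INET_0"
        # Tear down shortcuts with no user traffic after 10 minutes;
        # SD-WAN health-check probes are not counted as traffic.
        set idle-timeout enable
        set idle-timeoutinterval 10
        # Drop shortcuts as soon as this parent tunnel goes down
        # (default: independent, shortcuts would outlive the parent).
        set auto-discovery-shortcuts dependent
        # One network ID per overlay so shortcuts over INET and MPLS to the
        # same peer can coexist; IKEv2 is required, and the hub must use the
        # same ID on this overlay.
        set ike-version 2
        set network-overlay enable
        set network-id 1
    next
    edit "T_MPLS_0"
        set idle-timeout enable
        set idle-timeoutinterval 10
        set auto-discovery-shortcuts dependent
        set ike-version 2
        set network-overlay enable
        set network-id 2
    next
end

# --- HUB: keep shortcut offers on the overlay the traffic arrived on
#     (assumption: auto-discovery-crossover exists on your release) ---
config vpn ipsec phase1-interface
    edit "T_NET_0"
        set auto-discovery-crossover block
    next
end

# --- SPOKE: Lowest Cost (SLA) rule with delayed failback ---
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 1
            set interface "T_INET_0"
            set zone "overlay"
        next
        edit 2
            set interface "T_MPLS_0"
            set zone "overlay"
        next
    end
    config health-check
        edit "HUB"
            # Hub loopback reachable over both overlays (assumed address)
            set server "10.200.1.1"
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150
                    set jitter-threshold 30
                    set packetloss-threshold 2
                next
            end
        next
    end
    config service
        edit 1
            set name "corp-lowest-cost-sla"
            set mode sla
            set dst "Corp-Subnets"
            # Seconds a recovered member (shortcut included) must stay up
            # before sessions are moved back to it; default is 0.
            set hold-down-time 20
            config sla
                edit "HUB"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end
```

After committing, "diagnose sys sdwan service 1" shows the member order the rule currently uses; during the hold-down window a member that has just returned to SLA is still listed behind the one carrying traffic.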

Troubleshooting

Shortcut path debug

  • diagnose debug console timestamp enable

  • diagnose vpn ike log filter clear

  • diagnose vpn ike log filter mdst-addr4 <ip.of.hub> <ip.of.spoke>

  • diagnose debug application ike -1

  • diagnose debug enable
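The debug sequence above as one complete session with clean-up and verification, added here and not part of the original page. 203.0.113.1 (hub) and 198.51.100.7 (spoke) are assumed addresses; the session can be run on either the hub or the spoke.

```fortios
# Added example, not from the page. Addresses are assumed.
diagnose debug console timestamp enable
diagnose vpn ike log filter clear
# Only show IKE messages to/from the hub and the spoke under investigation
diagnose vpn ike log filter mdst-addr4 203.0.113.1 198.51.100.7
diagnose debug application ike -1
diagnose debug enable
# ... generate spoke-to-spoke traffic through the hub and watch the
#     shortcut offer/query/reply exchange in the output ...
# Stop the debug as soon as you have what you need: level -1 on a busy hub
# is expensive, and the filter is the only thing keeping the output readable.
diagnose debug disable
diagnose debug reset
# Verify the outcome: shortcut tunnels appear as dynamic children of the
# parent, named <parent>_<n> (for example T_INET_0_0).
diagnose vpn ike gateway list
diagnose vpn tunnel list
# Confirm routing and SD-WAN picked the shortcut interface up
get router info routing-table all
diagnose sys sdwan service 1
```

If the shortcut never appears in the tunnel list, the debug output usually shows whether the offer was sent at all (hub side) or whether the spoke tried to negotiate to an address it cannot reach (overlay crossover).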
