FlexVPN Hub and Spoke

Hello, can FlexVPN be implemented on Cat 9500 and 9300 switches, please?

Hello Hab

FlexVPN is a feature that is available only on Cisco routers. You can see more info about compatibility and platform support of FlexVPN in the following documentation:

So, unfortunately, the 9500 and 9300 do not support FlexVPN, because these devices are primarily designed for campus and data center switching, rather than being VPN concentrators.

I hope this has been helpful!

Laz

I followed the outline but I’m getting a few errors.

001609: *Jan  6 03:26:24.389: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1 - looped chain attempting to stack
001610: *Jan  6 03:26:26.037: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
001611: *Jan  6 03:26:26.037: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
001612: *Jan  6 03:26:26.289: IKEv2:(SA ID = 1):Retransmitting packet

001613: *Jan  6 03:26:26.289: IKEv2:(SA ID = 1):Sending Packet [To 98.xx.xx.xx:4500/From 192.168.1.190:4500/VRF i0:f0]
Initiator SPI : 06D974DD25B1A0DF - Responder SPI : 0FEBD183B05898BB Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR

001614: *Jan  6 03:26:26.297: IKEv2:Detected an invalid IKE SPI

001615: *Jan  6 03:26:26.297: IKEv2:Couldn't find matching SA

001616: *Jan  6 03:26:26.297: IKEv2:(SA ID = 0):Received Packet [From 98.xx.xx.xx:4500/To 192.168.1.190:4500/VRF i0:f0]
Initiator SPI : ABCEA0BC8F907150 - Responder SPI : 037F1AFB09699BCE Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
001617: *Jan  6 03:26:26.297: IKEv2:A supplied parameter is incorrect

001618: *Jan  6 03:26:26.297: IKEv2:
001619: *Jan  6 03:26:30.157: IKEv2:Detected an invalid IKE SPI

001620: *Jan  6 03:26:30.157: IKEv2:Couldn't find matching SA

001621: *Jan  6 03:26:30.157: IKEv2:(SA ID = 0):Received Packet [From 98.xx.xx.xx.xx:4500/To 192.168.1.190:4500/VRF i0:f0]
Initiator SPI : ABCEA0BC8F907150 - Responder SPI : 037F1AFB09699BCE Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
001622: *Jan  6 03:26:30.157: IKEv2:A supplied parameter is incorrect

Hello Matthew

The error messages you’re encountering while configuring FlexVPN on Cisco devices indicate several issues that need to be addressed:

The first one has to do with recursive routing issues. The messages "%TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing" and "%ADJ-5-PARENT: Midchain parent maintenance..." suggest a recursive routing problem. This typically happens when the route to the tunnel destination is learned through the tunnel itself, causing a loop.

Secondly, it seems that you have IKEv2 errors. The repeated IKEv2 errors ("Detected an invalid IKE SPI", "Couldn't find matching SA", "A supplied parameter is incorrect") point to issues with the IKEv2 Security Association (SA) negotiation. This could be due to a mismatch in the IKEv2 policy parameters (encryption, hash, authentication, etc.) between the FlexVPN peers.

Without knowing more about your configuration, I can make some suggestions and give you some guidelines as to how you can proceed in your troubleshooting:

  1. Check Routing Configuration: Ensure that the routes to the tunnel endpoints are not learned through the tunnel itself. You might need to define specific static routes or adjust your dynamic routing protocol configuration to prevent recursive routing.

  2. Verify IKEv2 Configuration:

    • Check the IKEv2 policies on both ends of the VPN to ensure they match exactly in terms of encryption algorithms, hash algorithms, and other parameters.
    • Ensure that the correct keyring and profiles are being used and that the endpoint addresses in the IKEv2 profiles are correctly configured.
    • The "IKEv2:A supplied parameter is incorrect" error suggests that there might be a misconfiguration in one of the IKEv2 parameters. Double-check all the parameters carefully.

  3. Review Tunnel Configuration: Verify the tunnel interface settings, including source and destination addresses, and ensure they are correctly configured.

Looking at these configuration parameters you should be able to determine the problem in your topology. Let us know how you get along and if you need any further assistance.

I hope this has been helpful!

Laz
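Added example, not part of the thread above and not Matthew's configuration: a minimal IOS XE FlexVPN spoke that puts the three checks from the answer side by side, with the recursive-routing trap shown next to its fix. Everything specific is a placeholder: 203.0.113.1 stands in for the hub's public address that the log shows as 98.xx.xx.xx, GigabitEthernet0/0/0 for the spoke's WAN interface, 192.168.1.1 is an assumed upstream gateway for the 192.168.1.190 spoke, and the pre-shared keys are dummies. The hub must carry the same proposal, and the keyring peer address and the profile's match identity must equal the address the spoke actually sends to.

```cisco
! IKEv2 proposal and policy. Both peers must agree on at least one
! encryption/integrity/group combination or the SA never reaches READY.
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
! Keyring: the peer address is the hub's public address (placeholder).
crypto ikev2 keyring FLEX-KR
 peer HUB
  address 203.0.113.1
  pre-shared-key local SpokeKeyPlaceholder
  pre-shared-key remote HubKeyPlaceholder
!
! IKEv2 profile: "match identity remote" must cover the identity the hub
! presents (here its address), and the keyring must be the one above.
crypto ikev2 profile FLEX-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KR
 dpd 10 2 on-demand
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-PROF
!
! Tunnel interface: source is the WAN interface, destination the hub.
interface Tunnel1
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile FLEX-IPSEC
!
! The recursive-routing trap: a default route pointed at Tunnel1 makes the
! tunnel destination itself (203.0.113.1) reachable only via Tunnel1, so IOS
! raises %TUN-5-RECURDOWN and takes the tunnel down.
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
! The fix: a more specific route to the hub's public address via the physical
! next hop (assumed upstream gateway 192.168.1.1). Longest match wins, so the
! tunnel endpoint is always reached outside the tunnel.
ip route 203.0.113.1 255.255.255.255 192.168.1.1
!
! Verification from exec mode (assumed checks, not from the thread):
!   show ip route 203.0.113.1      next hop must be 192.168.1.1, not Tunnel1
!   show crypto ikev2 sa detailed  state should be READY with the negotiated proposal
!   show crypto ikev2 proposal     compare line by line with the hub's proposal
!   clear crypto ikev2 sa          drops SAs so both sides negotiate fresh SPIs
!   debug crypto ikev2 error       shows why a proposal or identity was rejected
```

The two static routes are deliberately shown together: keeping a default route over the tunnel is a common design, but it only works when the tunnel destination has its own more specific route via the underlay. If the hub is learned through the tunnel (statically, or by a summary advertised over IKEv2 routing or an IGP), the same %TUN-5-RECURDOWN cycle returns.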