FlexVPN tunnel source switchover

valirashad85
Level 1

The spoke has dual ISPs, so I need the second ISP interface as a backup. I am new to FlexVPN, so maybe I am missing something in the configuration.


Current configuration : 4242 bytes
!
! Last configuration change at 18:24:57 UTC Fri Apr 18 2025
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authorization network FLEX_NETWORK local
aaa authorization network FLEX_NETWORK2 local
aaa authorization network FLEX_NETWORK3 local
aaa authorization network FLEX_NETWORK4 local
!
!
!
!
!
aaa session-id common
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!


!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
redundancy
!
!
track 10 ip sla 10 reachability
delay down 10 up 10
!
track 20 list boolean and
object 10 not
!
!
!
crypto ikev2 authorization policy FLEX_AUTHOR
route set interface
!
crypto ikev2 authorization policy FLEX_AUTHOR2
route set interface
!
crypto ikev2 authorization policy FLEX_AUTHOR3
pool SPOKES
route set interface
!
crypto ikev2 authorization policy FLEX_AUTHOR4
pool SPOKES2
route set interface
!
!
!
crypto ikev2 keyring AMS_KEYRING
peer Hub1
address 94.20.65.204
pre-shared-key AMSKEY
!
!
crypto ikev2 keyring AMS_KEYRING2
peer FLEX_SPOKES2
address 0.0.0.0 0.0.0.0
pre-shared-key AMSKEY
!
!
!
crypto ikev2 profile AMS_PRO
match identity remote address 94.20.65.204 255.255.255.255
match identity remote key-id 1
identity local key-id 1
authentication remote pre-share
authentication local pre-share
keyring local AMS_KEYRING
aaa authorization group psk list FLEX_NETWORK FLEX_AUTHOR
virtual-template 1
!
crypto ikev2 profile AMS_PRO2
match identity remote address 134.1.1.100 255.255.255.255
match identity remote key-id 2
identity local key-id 2
authentication remote pre-share
authentication local pre-share
keyring local AMS_KEYRING
aaa authorization group psk list FLEX_NETWORK2 FLEX_AUTHOR2
virtual-template 2
!
crypto ikev2 profile AMS_PRO3
match identity remote address 0.0.0.0
match identity remote key-id 3
identity local key-id 3
authentication remote pre-share
authentication local pre-share
keyring local AMS_KEYRING
aaa authorization group psk list FLEX_NETWORK3 FLEX_AUTHOR3
virtual-template 3
!
crypto ikev2 profile AMS_PRO4
match identity remote address 0.0.0.0
match identity remote key-id 4
identity local key-id 4
authentication remote pre-share
authentication local pre-share
keyring local AMS_KEYRING
aaa authorization group psk list FLEX_NETWORK4 FLEX_AUTHOR4
virtual-template 4
!
crypto ikev2 client flexvpn TUNNEL
peer 1 94.20.65.204
source 1 Ethernet0/0 track 10
source 2 Ethernet0/1 track 20
client connect Tunnel0
!
!
!
!
crypto ipsec profile IPSEC_PRO
set ikev2-profile AMS_PRO
!
crypto ipsec profile IPSEC_PRO2
set ikev2-profile AMS_PRO2
!
crypto ipsec profile IPSEC_PRO3
set ikev2-profile AMS_PRO3
!
crypto ipsec profile IPSEC_PRO4
set ikev2-profile AMS_PRO4
!
!
!
!
!
!
!
interface Tunnel0
ip address negotiated
ip nhrp network-id 1
tunnel source dynamic
tunnel destination 94.20.65.204
tunnel protection ipsec profile IPSEC_PRO
!
interface Tunnel1
ip address negotiated
ip nhrp network-id 2
tunnel source Ethernet0/0
tunnel destination 134.1.1.100
tunnel protection ipsec profile IPSEC_PRO2
!
interface Tunnel2
ip address negotiated
ip nhrp network-id 3
tunnel source Ethernet0/0
tunnel destination 85.132.69.100
tunnel protection ipsec profile IPSEC_PRO3
!
interface Tunnel3
ip address negotiated
ip nhrp network-id 4
tunnel source Ethernet0/0
tunnel destination 135.1.1.100
tunnel protection ipsec profile IPSEC_PRO4
!
interface Ethernet0/0
ip address 46.32.1.100 255.255.255.0
!
interface Ethernet0/1
ip address 5.5.5.5 255.255.255.0
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 46.32.1.1 track 10
ip route 0.0.0.0 0.0.0.0 5.5.5.1 20
!
ip sla 10
icmp-echo 8.8.8.8 source-interface Ethernet0/0
frequency 120
ip sla schedule 10 life forever start-time now
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
transport input none
!
!
end

Accepted Solution

valirashad85
Level 1

The problem was with my config actually. The FlexVPN client always requires you to use the tunnel destination dynamic command, even if you are only going to use tunnel source switchover.

So changing the config on the tunnels from tunnel destination 94.20.65.204 to tunnel destination dynamic solved the problem.

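The accepted answer boils down to one prerequisite that is easy to miss: when a tunnel is driven by a crypto ikev2 client flexvpn block with more than one source, the tunnel interface needs tunnel source dynamic and tunnel destination dynamic, and every source line needs a track object. The script below is an added example (not code from the thread or from Cisco) that parses an IOS-style spoke config and reports exactly those gaps. It assumes the usual one-space indentation of IOS sub-commands; the two sample snippets are constructed from the spoke config in this thread, with the hub address 94.20.65.204 taken from it.

```python
"""Lint a FlexVPN spoke config for the tunnel-source-switchover prerequisites.

Added example, not code from the thread. It checks the point made in the
accepted answer: a tunnel bound to a 'crypto ikev2 client flexvpn' block that
lists more than one 'source' must have both 'tunnel source dynamic' and
'tunnel destination dynamic', and every 'source' line should carry a track
object. The parser assumes IOS-style indentation (sub-commands indented).
"""
from typing import Dict, List, Optional, Tuple

Block = Tuple[str, List[str]]


def parse_blocks(config_text: str) -> List[Block]:
    """Split an IOS config into (header, [sub-commands]) pairs.

    A non-indented line opens a block, indented lines belong to the open
    block, and any line starting with '!' (separator or comment) closes it.
    """
    blocks: List[Block] = []
    current: Optional[Block] = None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("!"):
            current = None
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(stripped)
            continue
        current = (stripped, [])
        blocks.append(current)
    return blocks


def lint_flexvpn_switchover(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the checks pass."""
    tunnels: Dict[str, List[str]] = {}
    clients: List[Block] = []
    for header, body in parse_blocks(config_text):
        words = header.split()
        if len(words) == 2 and words[0] == "interface" and words[1].startswith("Tunnel"):
            tunnels[words[1]] = body
        elif header.startswith("crypto ikev2 client flexvpn "):
            clients.append((words[-1], body))

    findings: List[str] = []
    for name, body in clients:
        sources = [line for line in body if line.startswith("source ")]
        targets = [line.split()[-1] for line in body if line.startswith("client connect ")]
        # Without a track object the client cannot notice a source going down.
        for src in sources:
            if " track " not in src:
                findings.append(f"client {name}: '{src}' has no track object")
        if len(sources) < 2:
            continue  # a single source has nothing to switch over to
        for tun in targets:
            if tun not in tunnels:
                findings.append(f"client {name}: 'client connect {tun}' but no 'interface {tun}' block")
                continue
            for required in ("tunnel source dynamic", "tunnel destination dynamic"):
                if required not in tunnels[tun]:
                    findings.append(f"{tun}: missing '{required}' (needed for source "
                                    f"switchover by client {name})")
    return findings


# Constructed from the thread: the spoke's original Tunnel0 (static destination)
# beside the flexvpn client block that lists two tracked sources.
BROKEN_SPOKE = """\
crypto ikev2 client flexvpn TUNNEL
 peer 1 94.20.65.204
 source 1 Ethernet0/0 track 10
 source 2 Ethernet0/1 track 20
 client connect Tunnel0
!
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 1
 tunnel source dynamic
 tunnel destination 94.20.65.204
 tunnel protection ipsec profile IPSEC_PRO
!
"""

# The same spoke after the accepted fix: the destination is left to the client.
FIXED_SPOKE = BROKEN_SPOKE.replace("tunnel destination 94.20.65.204",
                                   "tunnel destination dynamic")

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_SPOKE), ("after", FIXED_SPOKE)):
        print(label, lint_flexvpn_switchover(cfg) or ["ok"])
```

Run it against a saved show running-config and it prints one finding for the original spoke (the static tunnel destination on Tunnel0) and nothing for the corrected one. The track check is separate from the dynamic checks because a source without a track object is a problem even before the tunnel interface is considered.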

3 Replies

[attachment: Screenshot (255).png]

interface Tunnel0
tunnel source dynamic

crypto ikev2 client flexvpn TUNNEL
peer 1 94.20.65.204
source 1 Ethernet0/0 track 10
source 2 Ethernet0/1 track 20   (cisco says cannot be used without track)
client connect Tunnel0

Still not working. If I manually switch the sources then it works, but I need to configure automatic backup to keep the tunnel up at all times.
