
Spokes can't ping each other in DVTI VPN setup

samy.ccnp

Hello All,

Hope you all are doing good !

I need your support to fix the following issue, which I'm facing right now in my lab using a DVTI configuration.

Note:- This all setup in GNS3.

Note:- All the routers are running Version 15.2(4)S1 .

Issue:- I can't reach any spoke's interfaces from any of the other spokes, while I can ping every spoke from the HUB itself, and from every spoke I can ping the HUB subnet.

Tried to ping and trace spoke R3 interface from spoke R2 :-

R2#ping 10.3.3.3 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
.....
Success rate is 0 percent (0/5)

R2#traceroute 10.3.3.3 source 10.2.2.2
Type escape sequence to abort.
Tracing the route to 10.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 1.1.1.1 44 msec 44 msec 48 msec
2 * * *
3 * * *
4

Tried ping from spoke R2 to HUB:-

R2#ping 10.1.1.1 source 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/50/132 ms

If I look at the config it seems perfect. I also checked the tunnel status, and it seems up and active on all the spokes and the HUB.

On top of this I'm running EIGRP, and it's up and running perfectly (neighbours are up and exchanging routes), as I can see the routes on all the spokes and the HUB.

I verified the configuration again and it seems perfect; however, I would like to know your views on this, so herewith I am attaching my design and configuration.

Here is the important output from the HUB and spokes R2 and R3, plus their running configs

HUB:-

HUB#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 15.0.0.1 YES NVRAM up up
Loopback1 1.1.1.1 YES NVRAM up up
Loopback10 10.1.1.1 YES NVRAM up up
Virtual-Access1 1.1.1.1 YES unset up up
Virtual-Access2 1.1.1.1 YES unset up up
Virtual-Access3 1.1.1.1 YES unset up up
Virtual-Template1 1.1.1.1 YES unset up down

HUB#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
15.0.0.1 35.0.0.3 QM_IDLE 1005 ACTIVE
15.0.0.1 25.0.0.2 QM_IDLE 1004 ACTIVE
15.0.0.1 45.0.0.4 QM_IDLE 1006 ACTIVE

IPv6 Crypto ISAKMP SA

HUB#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
7 IPsec AES+MD5 0 294 294 15.0.0.1
8 IPsec AES+MD5 289 0 0 15.0.0.1
9 IPsec AES+MD5 0 281 281 15.0.0.1
10 IPsec AES+MD5 278 0 0 15.0.0.1
11 IPsec AES+MD5 0 267 267 15.0.0.1
12 IPsec AES+MD5 268 0 0 15.0.0.1
1004 IKE SHA+AES192 0 0 0 15.0.0.1
1005 IKE SHA+AES192 0 0 0 15.0.0.1
1006 IKE SHA+AES192 0 0 0 15.0.0.1

HUB#sh ip route eig
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 15.0.0.2 to network 0.0.0.0

2.0.0.0/32 is subnetted, 1 subnets
D 2.2.2.2 [90/1433600] via 2.2.2.2, 00:21:42, Virtual-Access1
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/1433600] via 3.3.3.3, 00:21:01, Virtual-Access2
4.0.0.0/32 is subnetted, 1 subnets
D 4.4.4.4 [90/1433600] via 4.4.4.4, 00:20:28, Virtual-Access3
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D 10.2.2.0/24 [90/1433600] via 2.2.2.2, 00:21:42, Virtual-Access1
D 10.3.3.0/24 [90/1433600] via 3.3.3.3, 00:21:01, Virtual-Access2
D 10.4.4.0/24 [90/1433600] via 4.4.4.4, 00:20:28, Virtual-Access3

Running config from HUB:-


HUB#
HUB#sh run
Building configuration...

Current configuration : 1586 bytes
!
! Last configuration change at 19:18:50 UTC Wed Dec 28 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
crypto keyring OUR-PSK
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
group 5
crypto isakmp profile OUR-IKE-PROFILE
keyring OUR-PSK
match identity address 0.0.0.0
virtual-template 1
!
!
crypto ipsec transform-set OUR-SET esp-aes esp-md5-hmac
mode tunnel
!
crypto ipsec profile OUR-PROFILE
set transform-set OUR-SET
!
!
!
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.255
!
interface Loopback10
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 15.0.0.1 255.255.255.252
duplex full
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile OUR-PROFILE
!
!
router eigrp 100
network 1.0.0.0
network 10.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 15.0.0.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

HUB#

**********************************************************

Spoke 2

R2#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 25.0.0.2 YES NVRAM up up
Loopback1 2.2.2.2 YES NVRAM up up
Loopback10 10.2.2.2 YES NVRAM up up
Tunnel1 2.2.2.2 YES TFTP up up

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
15.0.0.1 25.0.0.2 QM_IDLE 1002 ACTIVE

IPv6 Crypto ISAKMP SA

R2#sh crypto engine connections active
Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
3 IPsec AES+MD5 0 322 322 25.0.0.2
4 IPsec AES+MD5 326 0 0 25.0.0.2
1002 IKE SHA+AES192 0 0 0 25.0.0.2

R2#sh ip route eig
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 25.0.0.1 to network 0.0.0.0

1.0.0.0/32 is subnetted, 1 subnets
D 1.1.1.1 [90/27008000] via 1.1.1.1, 00:23:49, Tunnel1
3.0.0.0/32 is subnetted, 1 subnets
D 3.3.3.3 [90/28288000] via 1.1.1.1, 00:23:08, Tunnel1
4.0.0.0/32 is subnetted, 1 subnets
D 4.4.4.4 [90/28288000] via 1.1.1.1, 00:22:35, Tunnel1
10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
D 10.1.1.0/24 [90/27008000] via 1.1.1.1, 00:23:49, Tunnel1
D 10.3.3.0/24 [90/28288000] via 1.1.1.1, 00:23:08, Tunnel1
D 10.4.4.0/24 [90/28288000] via 1.1.1.1, 00:22:35, Tunnel1

Running config of Spoke (R2)


R2#
R2#sh run
Building configuration...

Current configuration : 1450 bytes
!
! Last configuration change at 19:08:34 UTC Wed Dec 28 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set OUR-SET esp-aes esp-md5-hmac
mode tunnel
!
crypto ipsec profile OUR-PROFILE
set transform-set OUR-SET
!
!
!
!
!
!
!
interface Loopback1
ip address 2.2.2.2 255.255.255.255
!
interface Loopback10
ip address 10.2.2.2 255.255.255.0
!
interface Tunnel1
ip unnumbered Loopback1
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 15.0.0.1
tunnel protection ipsec profile OUR-PROFILE
!
interface FastEthernet0/0
ip address 25.0.0.2 255.255.255.252
duplex full
!
!
router eigrp 100
network 2.0.0.0
network 10.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 25.0.0.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R2#

Running config from another spoke (R3) 

Note:- On R3 all the outputs (IPsec, EIGRP routes) are the same as on R2.


R3#sh run
Building configuration...

Current configuration : 1448 bytes
!
! Last configuration change at 19:09:09 UTC Wed Dec 28 2016
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
ipv6 multicast rpf use-bgp
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr aes 192
authentication pre-share
group 5
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set OUR-SET esp-aes esp-md5-hmac
mode tunnel
!
crypto ipsec profile OUR-PROFILE
set transform-set OUR-SET
!
!
!
!
!
!
!
interface Loopback1
ip address 3.3.3.3 255.255.255.255
!
interface Loopback10
ip address 10.3.3.3 255.255.255.0
!
interface Tunnel1
ip unnumbered Loopback1
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 15.0.0.1
tunnel protection ipsec profile OUR-PROFILE
!
interface FastEthernet0/0
ip address 35.0.0.3 255.255.255.0
duplex full
!
!
router eigrp 100
network 3.0.0.0
network 10.0.0.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 35.0.0.4
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R3#

 


CiscoNutt

Your problem is split-horizon on the hub.  Turn it off and then you should be able to send traffic spoke to spoke.

interface Virtual-Template1 type tunnel

  no ip split-horizon

--

Please remember to select a correct answer and rate helpful posts

Hi,

I tried the same thing but no luck, and as I confirmed earlier, I'm getting the routes on all the spokes but data traffic is not being passed through.

However, I replaced the routers in the topology with ver (12.4) and applied the same config, and then it's working perfectly.

So I'm suspecting something is wrong with that IOS.

Anyway thanks for your reply. 

Dear Samy,

I have the same problem. Please can you tell me which IOS you are using to solve this problem?

Because I have the same problem with multiple configurations, using pre-shared key and certificates

Regards

Ali El Khatib

Hi Ali,

I have replaced my topology with IOS ver 12.4 and then it's working perfectly. 

Thanks.

Hello, I did this too, and it worked, but unfortunately it doesn't support IKEv2. Did you find a solution for IKEv2?

Thanks for your help

Hello Ali,

For ikev2 you can use ios ver 15.2(4)S1 it works perfectly until and unless you configure DVTI Flex VPN  .

Once you will configure DVTI flex VPN you will have the same issue like DVTI . 

Thanks.

Please remember to select a correct answer and rate helpful posts

Yes, I did a lot of searching and no one has mentioned this issue and how to solve it. I don't know if it is a bug, because I have tried it also on UnetLab: I did the configuration, and when it came to DVTI, spokes couldn't ping each other with IOS 15.4 or with IKEv2 configuration

Thanks for your help


I'm having the same issue, running Version 15.2(4)S7 FlexVPN with DVTI. I just can't get the spokes to ping each other; ICMP debug on the HUB does not give me any output either when I ping between spokes.

Hi Mate,

Did you find the right IOS image to implement FlexVPN DVTI?
I tried to implement it using c7200-adventerprisek9-mz.152-4.S4.image; spoke location routes are learnt at all spoke locations, but I am not able to ping those spoke LAN IPs.

The trace drops at the hub.

Do you have any solution to implement FlexVPN DVTI?
thanks,
Karthik

Hello.

Using standard GNS3, ikev2 only works using 7200 series Routers.

But IKEv2 is not supported on this router (at least, this is what Cisco says).

Nevertheless, using GRE over IPSec this works fine (changing tunnel mode ipsec ipv4 by tunnel mode gre ip on Hub and spokes).

 

Bye, bye.

I was having the same issue with a GNS3 lab here, studying for the SIMOS exam and banging my head against the wall, because I double-checked everything on the hub and all spokes like 5 or 6 times. I changed the tunnel mode from ipsec to GRE and it worked perfectly. Is that a known bug? What a bummer...

Hello.

In a hub-and-spoke topology using DVTI, disabling split horizon is not necessary in the virtual template, because a different virtual access exists for every tunnel (two different virtual accesses if you have one hub and two spokes, three different virtual accesses for one hub and three spokes, ...). So when updates come from a tunnel to the hub, they enter by one of the virtual accesses and leave from the rest of the virtual accesses.

juantron

Finally I found the solution.

As Cisco says, Cisco 7200 doesn't support fully ikev2 configuration.

Nonetheless, you can configure flexVPN DVTI using tunnel mode gre ip instead of tunnel mode ipsec ipv4 on GNS3.

I tested my topology using csr1000v (on GNS3 1.3.11) instead of Cisco 7200  and everything is ok.

 

When the tunnel are building on spokes, we can see:

R3#
*Jan 28 19:21:20.924: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Jan 28 19:21:20.926: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(IKEv2_CLIENT_PROFILE) Client_public_addr = 200.1.13.3 Server_public_addr = 200.1.13.1
*Jan 28 19:21:23.109: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jan 28 19:21:23.110: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(IKEv2_CLIENT_PROFILE) Client_public_addr = 200.1.13.3 Server_public_addr = 200.1.13.4 Assigned_Tunnel_v4_addr = 192.168.0.12
*Jan 28 19:21:27.570: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.13.4 (Tunnel0) is up: new adjacency
R3#ping 192.168.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#ping 192.168.1.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/3 ms
R3#ping 192.168.2.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/12/27 ms
R3#

...............

*Jan 28 19:20:54.718: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Jan 28 19:20:54.718: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(IKEv2_CLIENT_PROFILE) Client_public_addr = 200.1.13.2 Server_public_addr = 200.1.13.1
*Jan 28 19:20:56.902: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Jan 28 19:20:56.904: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(IKEv2_CLIENT_PROFILE) Client_public_addr = 200.1.13.2 Server_public_addr = 200.1.13.4 Assigned_Tunnel_v4_addr = 192.168.0.11
*Jan 28 19:21:01.372: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.1.13.4 (Tunnel0) is up: new adjacency
R2#ping 192.168.1.4 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.4, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R2#ping 192.168.3.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/13/30 ms
R2#

 

NOTE Here I shut down fa0/0 on R1 and the tunnels point to R4 (Backup FlexVPN Server).
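
The workaround in the replies above replaces tunnel mode ipsec ipv4 with tunnel mode gre ip on the hub and on every spoke. As an added example (not part of any post in this thread), the Python check below reads each device's tunnel stanza and flags routers left on a different mode or left without tunnel protection; the sample configs are constructed from the stanzas posted above, and the parser relies on IOS leaving the default tunnel mode gre ip out of the running config.

```python
DEFAULT_MODE = "gre ip"  # IOS default tunnel mode; it is not printed in running-config

# Constructed configs, trimmed to the tunnel stanzas of the devices in this thread.
CONFIGS = {
    "HUB": """interface Virtual-Template1 type tunnel
 tunnel source FastEthernet0/0
 tunnel protection ipsec profile OUR-PROFILE
!""",
    "R2": """interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel mode gre ip
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile OUR-PROFILE
!""",
    "R3": """interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 15.0.0.1
 tunnel protection ipsec profile OUR-PROFILE
!""",
    "R4": """interface Tunnel1
 tunnel source FastEthernet0/0
 tunnel destination 15.0.0.1
!""",
}

def tunnel_interfaces(config):
    """Map each interface carrying tunnel commands to its mode and protection state."""
    found, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split()[1]
        elif line == "!":
            name = None  # end of the current stanza
        elif name and line.startswith("tunnel "):
            entry = found.setdefault(name, {"mode": DEFAULT_MODE, "protected": False})
            if line.startswith("tunnel mode "):
                entry["mode"] = line[len("tunnel mode "):]
            elif line.startswith("tunnel protection ipsec "):
                entry["protected"] = True
    return found

def check_overlay(configs):
    """Return (modes, findings) for a {hostname: config text} mapping."""
    modes, findings = {}, []
    for host, text in configs.items():
        for ifname, info in tunnel_interfaces(text).items():
            modes[f"{host}/{ifname}"] = info["mode"]
            if not info["protected"]:
                findings.append(f"{host} {ifname}: no tunnel protection, GRE would be sent in clear")
    if len(set(modes.values())) > 1:
        odd = sorted(k for k, m in modes.items() if m != DEFAULT_MODE)
        findings.append(f"mixed tunnel modes, not on {DEFAULT_MODE}: {', '.join(odd)}")
    return modes, findings

if __name__ == "__main__":
    print("\n".join(check_overlay(CONFIGS)[1]))
```

In the constructed sample, R3 is still on the original mode and R4 has GRE without the IPsec profile, which are the two mistakes most likely when the change is applied by hand across hub and spokes.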