Technical Tip: Multiple shortcut tunnels between the same spoke pair

ADVPN implementation allows multiple concurrent shortcut tunnels between the same pair of spokes as long as they are negotiated over different hub gateways. Each shortcut has its own independent lifetime and is not tied to the continued existence of the original parent tunnel that triggered it.

Refer to the diagram and sequence of events:

Sequence of events:

1. All devices share a single Internet underlay interface (port1).
2. Each spoke establishes two IPsec overlay tunnels, one to Hub1 and one to Hub2, with ADVPN enabled on both overlays.
3. Initially, traffic from Spoke1 to Spoke2 travels via the parent tunnel through Hub1. At the same time, a shortcut negotiation process begins.
4. A direct shortcut tunnel is successfully created between Spoke1 and Spoke2, and spoke-to-spoke traffic switches to this faster shortcut path.
5. Hub1 loses its Internet connectivity. Normally, this would tear down the parent tunnel to Hub1 and any shortcuts that depend on it. However, the existing shortcut between Spoke1 and Spoke2 stays active because its lifetime is independent of the parent tunnel that originally triggered it.
6. After the failure, routing updates on Spoke1 now show Spoke2 as reachable via Hub2. This change causes Spoke1 to initiate a new shortcut negotiation through Hub2 for the same destination (Spoke2).
7. However, the shortcut creation fails. The reason is, a shortcut between Spoke1 and Spoke2 already exists with the same local and remote gateway IP. 

For the second shortcut to be created, it is needed to differentiate between the overlays by setting a network ID on each of them.

config vpn ipsec phase1-interface
    edit <vpn-tunnel-name>
        set network-overlay enable
        set network-id <ID>
    next
end

After setting a different network ID on each overlay (both HUB and spoke side), both shortcuts can now be established at the same time.