FortiGate
kgeorge
Staff
Article Id 393467
Description

This article describes the traffic behavior between Spokes when the Hub goes down.

Scope

FortiGate, ADVPN.

Solution

Spoke-to-Spoke communication continues to flow even if the Hub goes down, provided the following conditions are met:

  • Shortcut tunnels between Spokes are up. This is the behavior when the Phase 1 setting auto-discovery-shortcuts is left at its default. The setting has two modes:
    • independent: shortcut tunnels remain up if the parent tunnel goes down.
    • dependent: shortcut tunnels are brought down if the parent tunnel goes down.

  • The Spokes must have correct routing information about each other (usually learned from the Hub via BGP or OSPF).

  • If the shortcut tunnel is already up and its IPsec/IKE SAs are still valid, the tunnel continues to work. How long this lasts depends mainly on the IKEv1 SA keylife configured in the Phase 1 interface. For details on the rekey of ADVPN shortcut tunnels, refer to this Knowledge Base article: Technical Tip: IKE and IPSec SA rekey for ADVPN shortcut tunnels for IKEv1 and IKEv2.

  • If the Hub is down when the IKEv1 SA of a shortcut tunnel needs to be rekeyed, IKE cannot renegotiate the shortcut, because the shortcut offer comes from the Hub.

To mitigate this issue, either switch to IKEv2 or implement a dual-hub setup with SD-WAN support.
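The Spoke-side Phase 1 configuration that satisfies the conditions above, shown as an added example rather than configuration from this article; the interface name, tunnel name, Hub address and pre-shared key are placeholders, and the rekey-sensitive settings are commented:

```fortios
# Spoke phase1-interface (added example; names and addresses are placeholders)
config vpn ipsec phase1-interface
    edit "spoke1-to-hub"
        set interface "wan1"
        set ike-version 2                          # IKEv2: shortcut rekeys no longer need the Hub
        set peertype any
        set net-device enable
        set add-route disable                      # routes come from BGP/OSPF, not the tunnel
        set auto-discovery-receiver enable         # Spoke accepts shortcut offers from the Hub
        set auto-discovery-shortcuts independent   # default: shortcuts survive loss of the parent
        set keylife 86400                          # IKE SA lifetime in seconds (default)
        set remote-gw 203.0.113.1                  # Hub address (documentation prefix)
        set psksecret <PSK-placeholder>
    next
end

# Weaker variant (for contrast): with IKEv1 and dependent shortcuts, Spoke-to-Spoke
# traffic stops as soon as the parent tunnel to the Hub drops.
#        set ike-version 1
#        set auto-discovery-shortcuts dependent

# Verification on the Spoke: shortcut gateways appear as children of the parent
# phase1, and the tunnel list shows the shortcut SA and its remaining lifetime.
diagnose vpn ike gateway list
diagnose vpn tunnel list
```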

Refer to this document to learn about IKEv1 and IKEv2: Choosing IKE version 1 and 2.

Refer to this KB article to learn about SD-WAN support for ADVPN: Technical Tip: SD-WAN support for ADVPN.

Related article:

Technical Tip: Implement Hub and Spoke ADVPN – using IPsec wizard