FortiGate
Samiksha
Staff
Article Id: 203884
Description: This article describes the steps to take when a shortcut tunnel does not form between spokes and the IKE debug output shows the error message "no match for shortcut-reply".
Scope: All FortiOS versions.
Solution

Consider the following scenario, in which the network topology is:

Hub ---> Spoke 1

Hub ---> Spoke 2

Spoke 1 ---> Spoke 2 - shortcut tunnel is not forming

Hub IP - 10.103.3.214

Spoke 1 IP - 10.103.3.216

Spoke 2 IP - 10.40.51.197

Spoke 1 LAN - 10.103.3.216

Spoke 2 LAN - 10.104.3.197

>> If the following error messages are observed in the IKE debug output on the Hub or on any of the Spoke sites:

ike 0:advpn-hub_0: notify msg received: SHORTCUT-REPLY
ike 0:advpn-hub_0: recv shortcut-reply 1175635844485928790 44a30045af7ec345/43b7cdace2605101 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 0.0.0.0:0
ike 0:advpn-hub: iif 21 10.104.3.197->10.103.3.216 route lookup oif 21 wan1

ike 0:advpn-hub_0: no match for shortcut-reply 1175635844485928790 44a30045af7ec345/43b7cdace2605101 10.40.51.197 to 10.103.3.216 psk 64 ppk 0, drop

>> This error occurs when the firewall does not have a correct route for the destination of the "shortcut reply" and therefore forwards it out the wrong interface.

>> In the scenario described above, the Shortcut Reply from Spoke 2 for the Spoke 1 LAN subnet is received on the Hub, but the route lookup shows the following:

ike 0:advpn-hub: iif 21 10.104.3.197->10.103.3.216 route lookup oif 21 wan1

>> The firewall finds a route out the wan1 interface, which is incorrect: the route should resolve to the tunnel interface facing Spoke 1.

>> In such cases, always check the route lookup and ensure the firewall returns the correct tunnel interface over which the shortcut reply should be forwarded.

>> If it does not, check whether correct routing is configured in the customer environment.

>> In the case of SD-WAN, check that the SD-WAN rules are configured correctly.
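As an added example (not part of the original article or of FortiOS), a small Python helper that performs the route-lookup check above over the IKE debug lines quoted earlier: it pairs each "no match for shortcut-reply ... drop" line with the preceding route lookup for the same destination and flags replies whose egress interface is not an ADVPN tunnel. The expected tunnel name prefix (here "advpn-hub") is an assumption supplied by the caller.

```python
import re

# Constructed sample: the IKE debug lines quoted in this article.
SAMPLE_IKE_DEBUG = """\
ike 0:advpn-hub_0: notify msg received: SHORTCUT-REPLY
ike 0:advpn-hub_0: recv shortcut-reply 1175635844485928790 44a30045af7ec345/43b7cdace2605101 10.40.51.197 to 10.103.3.216 psk 64 ppk 0 ver 1 mode 0 ext-mapping 0.0.0.0:0
ike 0:advpn-hub: iif 21 10.104.3.197->10.103.3.216 route lookup oif 21 wan1
ike 0:advpn-hub_0: no match for shortcut-reply 1175635844485928790 44a30045af7ec345/43b7cdace2605101 10.40.51.197 to 10.103.3.216 psk 64 ppk 0, drop
"""

# "ike 0:<phase1>: iif <n> <src>-><dst> route lookup oif <n> <ifname>"
ROUTE_RE = re.compile(
    r"ike 0:(?P<phase1>[\w-]+): iif (?P<iif>\d+) (?P<src>[\d.]+)->(?P<dst>[\d.]+) "
    r"route lookup oif (?P<oif>\d+) (?P<oifname>\S+)"
)
# "ike 0:<phase1>: no match for shortcut-reply <id> <spi>/<spi> <src> to <dst> ... drop"
DROP_RE = re.compile(
    r"ike 0:(?P<phase1>[\w-]+): no match for shortcut-reply \d+ [0-9a-f]+/[0-9a-f]+ "
    r"(?P<src>[\d.]+) to (?P<dst>[\d.]+) .*\bdrop\b"
)


def find_misrouted_shortcut_replies(debug_text, tunnel_prefix):
    """Return one finding per dropped shortcut-reply whose route lookup for the
    reply's destination resolved to an interface not starting with tunnel_prefix.

    tunnel_prefix is an assumption: the name of the ADVPN phase1 interface, whose
    dynamic child tunnels (e.g. advpn-hub_1) share that prefix.
    """
    last_lookup = {}  # dst -> egress interface name of the most recent route lookup
    findings = []
    for line in debug_text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            last_lookup[m["dst"]] = m["oifname"]
            continue
        m = DROP_RE.search(line)
        if m:
            oif = last_lookup.get(m["dst"])  # None if no lookup was logged
            if oif is None or not oif.startswith(tunnel_prefix):
                findings.append({"src": m["src"], "dst": m["dst"], "oif": oif})
    return findings


if __name__ == "__main__":
    for f in find_misrouted_shortcut_replies(SAMPLE_IKE_DEBUG, "advpn-hub"):
        print(f"shortcut-reply {f['src']} -> {f['dst']} routed via {f['oif']}, expected ADVPN tunnel")
```

Run it against the output of the hub's IKE debug; a finding means the route to the spoke's address was resolved outside the overlay, which is where the routing or SD-WAN rule check from the steps above applies.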
