Results
Check the behavior of the configuration using CLI commands from Spoke A.
The get router info routing-table bgp command displays the routes learned from the topology. The recursive routing is a result of the spoke's required static route. In this case, there has not yet been any traffic between the local subnet (192.168.2.0/24) and the other spoke's subnet, so both routes still go through the hub.
B 192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:30:21
B 192.168.3.0/24 [200/0] via 10.0.0.3 (recursive via 10.0.0.1), 22:30:21
When you initiate a ping between the two spokes, the routing information changes: traffic now goes through a newly established dynamic tunnel directly to the remote spoke rather than through the hub. The hiccup in the ping output is the traffic being rerouted through the newly negotiated tunnel to the other spoke.
The routing information now displays the remote subnet as being available through the spoke directly, through interface ADVPN_0, a dynamically instantiated interface going to that spoke.
FG # execute ping-options source 192.168.2.1
FG # execute ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=254 time=38.3 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=254 time=32.6 ms
Warning: Got ICMP 3 (Destination Unreachable)
64 bytes from 192.168.3.1: icmp_seq=2 ttl=255 time=43.0 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=255 time=31.7 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=255 time=31.2 ms
--- 192.168.3.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 31.2/35.3/43.0 ms
FG # get router info routing-table bgp
B 192.168.1.0/24 [200/0] via 10.0.0.1, ADVPN, 22:34:13
B 192.168.3.0/24 [200/0] via 10.0.0.3, ADVPN_0, 00:02:28
The diagnose vpn tunnel list command gives more information. This example highlights the parts of the output that are specific to ADVPN, in this case the auto-discovery flag and the parent-child relationship of newly instantiated dynamic tunnel interfaces.
FG # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ADVPN_0 ver=1 serial=a 10.1.1.2:0->10.1.1.3:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
parent=ADVPN index=0
proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=604 auto-discovery=2
stat: rxp=7 txp=7 rxb=1064 txb=588
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN-P2 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=2f type=00 soft=0 mtu=1438 expire=42680/0B replaywin=2048 seqno=8 esn=0
life: type=01 bytes=0/0 timeout=43152/43200
dec: spi=9a487db3 esp=aes key=16 55e53d9fbc8dbeaa6df1032fbc80c4f6
ah=sha1 key=20 a1470452c6a444f26a070add087f0d970c18e3a7
enc: spi=3c37fea7 esp=aes key=16 8fd62a6745a9ba4fda062d4504b76851
ah=sha1 key=20 44c606f1ef1bf5739ba62f6572031aa956974d0a
dec:pkts/bytes=7/588, enc:pkts/bytes=7/1064
------------------------------------------------------
name=ADVPN ver=1 serial=9 10.1.1.2:0->10.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=1 refcnt=22 ilast=8 olast=8 auto-discovery=2
stat: rxp=3120 txp=3120 rxb=399536 txb=191970
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=12
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ADVPN-P2 proto=0 sa=1 ref=2 serial=1 auto-negotiate adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=2f type=00 soft=0 mtu=1438 expire=4833/0B replaywin=2048 seqno=5ba esn=0
life: type=01 bytes=0/0 timeout=43148/43200
dec: spi=9a487db2 esp=aes key=16 4f70d27edad656cfcacbae61b23d4b11
ah=sha1 key=20 b19ea87c90dd92d1cab58cbf24ae8fe12ee927cb
enc: spi=b3dde355 esp=aes key=16 efbb4440df75018610b4ba8f5756167d
ah=sha1 key=20 81cc9cee3bee1c2dba0eb1e7ac66e9d34b67bde9
dec:pkts/bytes=1465/90152, enc:pkts/bytes=1465/187560
------------------------------------------------------
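To check the parent-child relationship across many spokes, the listing can be parsed rather than read by eye. The following is an added example, not Fortinet code: the names parse_tunnels and shortcut_report are hypothetical, and it assumes that child_num counts the dynamic tunnels listed under that parent, as it does in the output above.

```python
import re

# Constructed sample: header lines of the two tunnels in the listing above
# (SA and key lines trimmed; the parser does not read them).
SAMPLE = """\
name=ADVPN_0 ver=1 serial=a 10.1.1.2:0->10.1.1.3:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/0
parent=ADVPN index=0
proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=604 auto-discovery=2
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
------------------------------------------------------
name=ADVPN ver=1 serial=9 10.1.1.2:0->10.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0
proxyid_num=1 child_num=1 refcnt=22 ilast=8 olast=8 auto-discovery=2
"""

FIELDS = ("name", "mode", "parent", "child_num", "auto-discovery")
ENDPOINTS = re.compile(r"(\d+(?:\.\d+){3}):\d+->(\d+(?:\.\d+){3}):\d+")

def parse_tunnels(text):
    """Return one dict per tunnel, split on the dashed separator lines."""
    tunnels = []
    for block in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        if "name=" not in block:
            continue
        kv = {}
        for key, value in re.findall(r"(?<!\S)([\w-]+)=(\S+)", block):
            kv.setdefault(key, value)  # first wins: dpd/natt lines reuse "mode"
        tunnel = {f: kv.get(f) for f in FIELDS}
        m = ENDPOINTS.search(block)
        tunnel["local"], tunnel["remote"] = m.groups() if m else (None, None)
        tunnels.append(tunnel)
    return tunnels

def shortcut_report(tunnels):
    """Group dynamic tunnels under their parent and list inconsistencies."""
    names = {t["name"] for t in tunnels}
    children, problems = {}, []
    for t in tunnels:
        if t["parent"]:
            children.setdefault(t["parent"], []).append(t["name"])
            if t["parent"] not in names:
                problems.append(f"{t['name']}: parent {t['parent']} not listed")
    for t in tunnels:
        listed = len(children.get(t["name"], []))
        # Assumption: child_num counts the tunnels listed with this parent.
        if int(t["child_num"] or 0) != listed:
            problems.append(f"{t['name']}: child_num={t['child_num']}, {listed} listed")
    return children, problems
```

The dec: and enc: lines of the full output carry the SA keys; the parser does not need them, so they can be stripped before the listing is stored or shared.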