
When deploying a hub and spoke [FlexVPN](/flexvpn) topology, it is possible to create backup [routes](/routing) in the [routing table](/routing-table) that will be used in the event that the FlexVPN topology fails.  However, there are some behaviors of the FlexVPN topology that must be taken into account when applying such backup routes.

In a FlexVPN Hub and Spoke setup, backup routes do not load automatically when the hub fails because the spoke routers are still maintaining an active [IPSec](/ipsec) Security Association (SA) with the hub. The virtual-access interfaces that are associated with the IPsec SAs remain up, even though the hub is no longer reachable. This is because the routing used in the setup **is not aware of the underlying IPsec tunnel’s actual state**. Otherwise, any backup routes would kick in.

Issuing the `clear crypto session` command forces the IPsec SAs to be torn down and the associated virtual-access interfaces to be removed. This triggers the routing to re-evaluate the routes and load the backup routes into the routing table.

If left to itself, the SA will remain up for the configured lifetime duration, which by default is 86400 seconds or one full 24-hour day.

One solution to this behavior is to reduce the lifetime to something on the order of several seconds, but this will cause the router to reestablish the SA continually, which may not cause disruption to the network, but will increase the burden of resources on the router. 

Another solution is to automate the process of issuing the `clear crypto session` command in the event the hub fails.  This can be done using [Cisco's Embedded Event Manager (EEM)](/eem-cisco-embedded-event-manager) with an [IP SLA](/ip-sla-parameters) where the clear command can be run whenever communication with the hub has failed.

Similarly, when any hub failure has been restored, FlexVPN connections take some time to reestablish and reach the original stable topology.  This is because of a related issue. If the SAs on the spokes haven’t expired yet when the hub comes back up, they will still be active, so the spokes won’t attempt to reestablish the new SAs with the hub. The spokes will wait until the SAs time out before attempting to reestablish. If Dead Peer Detection (DPD) is activated, which is a mechanism used by IPSec [VPN](/vpn) devices to detect if the remote peer is still alive. The default timeout is 30 seconds with a retry interval of 10 seconds. The delay in detecting the peer’s state can affect the reestablishment of the connections.

Links:

https://forum.networklessons.com/t/flexvpn-hub-and-spoke/13362/20?u=lagapides

https://networklessons.com/cisco/ccie-enterprise-infrastructure/flexvpn-hub-and-spoke

https://networklessons.com/cisco/ccie-routing-switching-written/cisco-ios-embedded-event-manager

https://networklessons.com/cisco/ccie-routing-switching-written/ip-sla-eem-script

FlexVPN Hub and Spoke backup routes

EIGRP authentication

EIGRP auto-summary

EIGRP change rib scale

EIGRP establishing remote neighbors

EIGRP header - ACK field

EIGRP named mode

EIGRP on the Nexus Platform

EIGRP redistributing named mode

EIGRP rib-scale

EIGRP seed metrics when redistributing

EIGRP split horizon verification

EIGRP split-horizon vs poison reverse

EIGRP unequal cost load balancing

EIGRP what happens when a feasible successor fails

EIGRP

EPC - Cisco Embedded Packet Capture

ERSPAN

EVE-NG supported Cisco and other vendor images

Equal-cost Multi-path routing

EtherChannel - applying configurations to the interface

EtherChannel - implementing over 802.1Q tunneling

EtherChannel - load balancing algorithms

EtherChannel - max-bundle

EtherChannel - prerequisites for bundling

EtherChannel

Etherchannel - fast-switchover

Ethernet - role of FCS field

Ethernet - speed and duplex mismatches

Ethernet - speed and duplex settings on an ISR4431

Ethernet CSMA-CD

Ethernet VPN (EVPN)

Ethernet administrative and operational encapsulation

Ethernet administrative operational mode

Ethernet frame types

Ethernet header

Ethernet over IP (EoIP)

Ethernet

FHRP - interaction with routing protocols

FHRP - which ports should you configure

FHRP Communication Between Redundant Routers

FHRP Load Balancing Behavior

FHRP Protocols

FHRP communication path of keepalives

Fiber optic types

Fiber optics - Multi mode fiber optics characteristics

Fiber optics - Single mode fiber optics characteristics

Fiber optics - color coding

Fiber optics - connectors

FlexVPN redundant hub with dual cloud

FlexVPN spoke to spoke communication fails with IPSec tunnel

FlexVPN

Frame Relay - is it a relevant technology anymore

Frame-Relay - emulating a Frame-Relay switch

Frame-Relay DLCI values

GNS3 how to obtain Cisco IOS images

GRE - Recursive routing error - AD solution

GRE - Recursive routing error - filtering solution

GRE - Recursive routing error

GRE - Tunnel Addressing

GRE MTU settings

GRE and IPSec

GRE tunnel and multicast

GRE tunnel key operation with only one tunnel key configured

GRE tunnel key

GRE tunnels and how they transmit multicast packets

HSRP - standby group numbers

HTTP - viewing HTTP messages in Wireshark

Hardware - Application Specific Integrated Circuit (ASIC)

High-Level Data Link Control (HDLC)

Home lab computer requirements

Hot Standby Router Protocol (HSRP)

How to practice labbing - best practices

How to prepare for Cisco DNA

IANA

ICANN

ICMP - Mitigating Vulnerabilities

ICMP - Vulnerabilities

ICMP - response to a ping that is blocked by an ACL

ICMP codes and types

ICMP

IEEE

IETF

IGMP - Snooping Querier Election

IGMP - Snooping Querier

IGMP - access group

IGMP - fast leave

IGMP - filtering using ACLs

IGMP - ip igmp snooping querier command

IGMP - membership report

IGMP - using VLAN access maps to filter multicast traffic

IGMP Snooping internal interface

IGMP default IOS configurations

IGMP last member query interval

IGMP membership query max response time

IGMP membership reports destination

IGMP report suppression

IGMP snooping prevents report suppression