cannot create DMVPN spoke-to-spoke when spokes are behind NAT

Brian M · ‎09-30-2008

I have a DMVPN network setup and running almost perfectly except I cannot seem to establish a spoke-to-spoke connection between devices that are behind NAT.

Spoke-to-hub is working fine and spoke-to-spoke (when one of the spokes is not behind NAT) is also working.

If I look at my NHRP registrations on the server (hub) all devices are registering their public NBMA addresses but when one spoke tries to communicate to another spoke (both behind NAT) the NHRP on one side will always say 'incomplete' while the other side has the correct information. So, if I try to ping from VPN02 to VPN04, the NHRP on VPN02 will be incomplete while VPN04 has the correct info.

I've attached my configs and a diagram, hopefully someone out there has seen this before.

Thanks!!!

Brian M · ‎02-06-2009

I'm gonna bump this back up because I'm still having the problem. Anyone have any ideas?

andyjames · ‎02-11-2009

Brian,

Not sure if you are still having the same problem or not.

Looked at configs and all looks ok, will compare with some others to see if there is anything missing though.

1 thing, on VPN02 you have the following,

interface Tunnel0

bandwidth 1500

ip address 172.25.254.11 255.255.254.0

Should that mask be 255.255.255.0?

Andy.

Brian M · ‎02-11-2009

Thanks for the help, I sure hope you can find something because I am out of ideas.

The mask is correct. We are using 23 bits for our tunnel interfaces to keep them in one broadcast domain.

Thanks again!

tomek0001 · ‎02-11-2009

Brian,

1. I would look at you IOS version to see if it support NAT-T DMVPN. I think 12.4(6)T and up is

2. Check out this link http://www.cisco.com/en/US/docs/ios/security/configuration/guide/dmvpn_dt_spokes_b_nat.html

3. How is your hub setup. What is it advertising, summary route or detailed? Phase 2 or 3 setup?

4. Another thing is i'm not sure why you have "ip nhrp map multicast dynamic" on the spokes, haven't see that on them usually only on hubs.

5. Can you do a show ip route output on them all?

Hope that helps.

Brian M · ‎02-13-2009

I think I'm running into a PAT issue. I considered this when I was first troubleshooting but was hoping that NAT-T would allow NHRP to register the port but it appears that it doesn't.

If I remove PAT and use NAT I can establish a tunnel. It looks like this will simply a restriction we will have to live with.

As far as the multicast dynamic, I put that in there to test because I wasn't sure originally if my problem was due to EIGRP and I wanted GRE to pass my routing tables whether or not the IPSEC was active. I have since removed that line.

I am advertising a mixture of summary and specific routes to the NHRP routers but the NHRP network itself is a no-summary network and individual routes are advertised.

Thanks for the help!! It looks like PAT just isn't support quite yet but at least now I know what my tunnels won't come up.

tomek0001 · ‎02-13-2009

Brian,

Check out Phase 3 of DMVPN, you might be able to just use summary routes instead of detailed and still have spoke to spoke tunnels, might make routing a little bit easier. Check this doc out:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/prod_white_paper0900aecd8055c34e_ps6658_Products_White_Paper.html

(please rate if you found this helpful)