A full-mesh DMVPN architecture is used to implement our corporate WAN. There are security devices at each site in the WAN that establish a TCP connection to a central server at fixed intervals to report status. An alarm is generated whenever a security device fails to report.
Recently there has been a problem with the security devices alarming at several sites. Using tcpdump we have uncovered one reason for the problem.
The remote security device sends a SYN packet that results in a DMVPN connection being established to the site hosting the central server. The packet is detected at the site.
The server immediately responds with a SYN ACK packet that is sent back to the security device.
Instead of routing the response back to the security device, the DMVPN router responds with an ICMP administratively prohibited packet that is sent to the server.
The DMVPN connection has been established between the sites. Why is the DMVPN router returning an ICMP Administratively Prohibited response?
This only appears to occur when a TCP connection is being established and the SYN ACK packet is received by the DMVPN router at the central site.
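Added example, not from the original post: a Python script that scans constructed `tcpdump -n` lines (the addresses, ports and exact line format are assumptions) for the pattern described above, a server SYN-ACK that is answered with an ICMP administratively-prohibited message to the server instead of the client's ACK, so affected remote sites can be listed from a capture rather than found by eye.

```python
import re

# Constructed tcpdump -n lines (not a real capture) modelling the sequence in the
# question: remote SYN, server SYN-ACK, then the DMVPN router answering the server
# with ICMP type 3 code 13 (communication administratively prohibited), which
# tcpdump renders as "unreachable - admin prohibited filter". The second
# handshake completes normally and must not be flagged.
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 10.20.30.40.51000 > 10.1.1.10.443: Flags [S], seq 1000, win 64240, length 0
10:00:00.000200 IP 10.1.1.10.443 > 10.20.30.40.51000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:00:00.000300 IP 10.1.1.1 > 10.1.1.10: ICMP host 10.20.30.40 unreachable - admin prohibited filter, length 36
10:00:01.000100 IP 10.30.30.40.52000 > 10.1.1.10.443: Flags [S], seq 3000, win 64240, length 0
10:00:01.000200 IP 10.1.1.10.443 > 10.30.30.40.52000: Flags [S.], seq 4000, ack 3001, win 65535, length 0
10:00:01.000300 IP 10.30.30.40.52000 > 10.1.1.10.443: Flags [.], ack 4001, win 64240, length 0
"""

TCP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
ICMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP "
                     r"(?:host|net) (?P<target>[\d.]+) unreachable - admin prohibited")

def find_prohibited_synacks(capture):
    """Return (server, client, router, timestamp) for every server SYN-ACK that was
    followed by an ICMP admin-prohibited message to the server, rather than by the
    client's ACK, before the handshake completed."""
    pending = {}    # (server_ip, client_ip) -> timestamp of the outstanding SYN-ACK
    findings = []
    for line in capture.splitlines():
        m = TCP_RE.match(line)
        if m:
            flags = m.group("flags")
            if flags == "S.":             # server -> client SYN-ACK: handshake in flight
                pending[(m.group("src"), m.group("dst"))] = m.group("ts")
            elif "." in flags:            # client's ACK reached the server: handshake OK
                pending.pop((m.group("dst"), m.group("src")), None)
            continue
        m = ICMP_RE.match(line)
        # ICMP is sent to the server (dst) about the client it tried to reach (target)
        if m and (m.group("dst"), m.group("target")) in pending:
            findings.append((m.group("dst"), m.group("target"), m.group("src"), m.group("ts")))
            pending.pop((m.group("dst"), m.group("target")))
    return findings

if __name__ == "__main__":
    for server, client, router, ts in find_prohibited_synacks(SAMPLE_CAPTURE):
        print(f"{ts}: SYN-ACK {server} -> {client} rejected by {router} (admin prohibited)")
```

Feed it `tcpdump -n -r capture.pcap` output on the central-site router's inside interface; each reported router address is a hop whose access list or tunnel state should be checked for the listed client.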