two DMVPN Spokes behind ASA doing hide-NAT to the Internet

Answered Question
Jun 22nd, 2010

Does this scenario require a special configuration of the ASA? Up to now the setup is not working; we are facing the following problem:

The central DMVPN hub shows an 'invalid SPI' error, because both spokes are coming up with the same IP address (ASA hide-NAT) at the DMVPN hub.



Correct Answer by Diego Armando C... about 6 years 7 months ago

Are you using one IP address for both spokes? That is not gonna work.

Overall Rating: 5 (1 ratings)
Diego Armando C... Wed, 06/23/2010 - 08:25

You will need to enable NAT-T in all the routers and permit UDP port 4500 as well from the outside of the ASA to the IP addresses of the spokes. If it doesn't work, permit all IP just to test. NAT will change the hash output, so the SPI will never come up.
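
A simplified model of the hide-NAT situation in this thread, added here as an illustration (it is not code from any poster, the ASA or IOS): it shows what the hub has available to tell two spokes apart when they send native ESP versus ESP encapsulated in UDP 4500 (NAT-T). The addresses, the port pool and the names `HideNat` and `hub_view` are constructed, and the model says nothing about which DMVPN software releases support this topology.

```python
from dataclasses import dataclass
from typing import Optional

ESP, UDP = 50, 17            # IP protocol numbers
NAT_T_PORT = 4500            # UDP port for NAT-T encapsulated ESP
PUBLIC_IP = "203.0.113.10"   # constructed hide-NAT address
HUB_IP = "198.51.100.1"      # constructed hub address
SPOKES = ["10.1.1.1", "10.1.1.2"]  # constructed inside spoke addresses


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # native ESP carries no port numbers
    dport: Optional[int] = None


class HideNat:
    """Toy PAT device: rewrites the source address, and the source port if one exists."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (proto, inside_ip, inside_port) -> public port

    def translate(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # No port to rewrite: every inside host looks identical outside.
            return Packet(pkt.proto, self.public_ip, pkt.dst)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.table[key], pkt.dport)


def hub_view(spokes, nat_t: bool) -> dict:
    """Map each (source IP, source port) the hub sees to the spokes behind it."""
    nat = HideNat(PUBLIC_IP)
    peers = {}
    for spoke in spokes:
        if nat_t:
            pkt = Packet(UDP, spoke, HUB_IP, NAT_T_PORT, NAT_T_PORT)
        else:
            pkt = Packet(ESP, spoke, HUB_IP)
        out = nat.translate(pkt)
        peers.setdefault((out.src, out.sport), []).append(spoke)
    return peers
```

With native ESP both spokes collapse into one peer identity at the hub; with UDP encapsulation the translated source port differs per spoke.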

Eugene Khabarov Thu, 06/28/2012 - 01:14

Can anybody confirm that two spokes won't work behind one PAT address on up-to-date software?

