Two DMVPN Spokes behind ASA doing hide-NAT to the Internet

Answered Question
Jun 22nd, 2010

Does this scenario require a special configuration of the ASA? Up to now the setup is not working; we are facing the following problem:


The central DMVPN hub shows an 'invalid SPI' error, because both spokes are coming up with the same IP address (ASA hide-NAT) at the DMVPN hub.


thx

Holger

Overall Rating: 5 (1 ratings)
Diego Armando C... Wed, 06/23/2010 - 08:25

You will need to enable NAT-T on all the routers and permit UDP port 4500 as well from the outside of the ASA to the IP addresses of the spokes. If it doesn't work, permit all IP just to test. NAT will change the hash output, so the SPI will never come up.

Correct Answer
Diego Armando C... Wed, 06/23/2010 - 08:26

Are you using one IP address for both spokes? That is not gonna work.

Eugene Khabarov Thu, 06/28/2012 - 01:14

Can anybody confirm that two spokes won't work behind one PAT address on up-to-date software?
