Cisco 819G - DMVPN over 3G

Unanswered Question
Jul 2nd, 2012

Hello community,


I'm scratching my head over this one. After battling to get a working 3G configuration using the new 3.75G HSPA+ card, which is now working with no problem for Internet access, I'm struggling to bring up a DMVPN connection to our hub router (DMVPN NHS).


ISAKMP appears to be working fine; both agree ISAKMP SAs and enter state QM_IDLE. They also agree an ESP SA. The spoke sends packets encrypted down the tunnel, though the hub end does not receive them and does not complete the NHRP registration, and as such the tunnel never fully comes up. 'show DMVPN' on the spoke doesn't proceed past NHRP phase, and on the hub it is never seen. The debugs show NAT-T working as it would be expected to and also show ISAKMP and IPSEC SAs agreeing on inbound/outbound session IDs.


What could be going wrong here?


The DMVPN configuration should be fine as I have used an external 3G modem/gateway in the past and the tunnel can establish. So it's almost as if it is an interoperation between the DMVPN config and the 3G config on the 819.


Any ideas?


Best regards,


Jamie


Sent from Cisco Technical Support iPhone App

paolo bevilacqua Mon, 07/02/2012 - 12:12

More details and traces would be needed to diagnose.

Try also a non-protected config.

jamiegrive Thu, 07/05/2012 - 00:23

Hi all,


It turns out that it's something to do with NAT issues. Occasionally the provider gives me a public routable IP address on the 3G network - when this happens, the DMVPN comes up no problem. However, when I get a private network it doesn't, and the solution is to shut/no shut the dialler interface and get a new address over IPCP.


It can't be that NAT-T for ISAKMP (udp 4500) isn't working as ISAKMP is working fine and we pass this phase.


Any ideas what might be causing this issue? It must be something to do with the 819 and NHRP registration through NAT. It's strange that the 819 never begins to send ESP packets, despite it fully completing the IKE process (Phase 1 and 2). Also strange that the hub end does not see the NHRP registration, but this probably is the first thing after the SAs are set up.


Regards,


Jamie


Sent from Cisco Technical Support iPhone App

jamiegrive Thu, 07/05/2012 - 00:29

Hi again,


I think my comment above regarding ESP not being sent when NAT-T is on is not true; I was forgetting that ESP will be sent on UDP 4500 too.




Sent from Cisco Technical Support iPhone App
