I'm scratching my head over this one. After battling to get a working 3G configuration using the new 3.75G HSPA+ card, which is now working with no problem for Internet access, I'm struggling to bring up a DMVPN connection to our hub router (DMVPN NHS).
ISAKMP appears to be working fine, both agree ISAKMP SAs and enter state QM_IDLE. They also agree an ESP SA. The spoke sends packets encrypted down the tunnel though the hub end does not receive them and does not complete the NHRP registration and as such the tunnel never fully comes up. 'show dmvpn' on the spoke doesn't proceed past the NHRP phase, and on the hub it is never seen. The debugs show NAT-T working as it would be expected to and also show ISAKMP and IPsec SAs agreeing on inbound/outbound session IDs.
What could be going wrong here?
The DMVPN configuration should be fine as I have used an external 3G modem/gateway in the past and the tunnel can establish. So it's almost as if it is an interoperation between the DMVPN config and the 3G config on the 819.
It turns out that it's something to do with NAT issues. Occasionally the provider gives me a public routable IP address on the 3G network - when this happens, the DMVPN comes up no problem. However when I get a private network it doesn't, and the solution is to shut/no shut the dialler interface and get a new address over IPCP.
It can't be that NAT-T for ISAKMP (udp 4500) isn't working as ISAKMP is working fine and we pass this phase.
Any ideas what might be causing this issue? It must be something to do with the 819 and NHRP registration through NAT. It's strange that the 819 never begins to send ESP packets, despite it fully completing the IKE process (Phase 1 and 2). Also strange that the hub end does not see the NHRP registration, but this probably is the first thing after the SAs are set up.
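As an added troubleshooting aid (not from the original post and not Cisco's own tooling), the script below classifies the symptoms described above from two pieces of spoke output: the address IPCP handed to the dialer interface, and the IPsec SA counters. It flags three things a practitioner would want to know before digging into NHRP: whether the 3G address is private or carrier-grade NAT space (so NAT-T and NHRP-through-NAT are in play), whether the IPsec peer is on UDP 4500 (NAT-T negotiated), and whether the tunnel is one-way (encaps climbing, decaps stuck at zero). The sample output is constructed and only approximates the layout of `show ip interface brief` and `show crypto ipsec sa`; the interface name `Dialer1` and the addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample output, approximating the layout of the Cisco IOS
# commands "show ip interface brief" and "show crypto ipsec sa".
# It is not a capture from the poster's router.
SAMPLE_IP_INT_BRIEF = """\
Interface        IP-Address      OK? Method Status   Protocol
Dialer1          10.20.30.40     YES IPCP   up       up
Tunnel0          172.16.0.2      YES manual up       up
"""

SAMPLE_IPSEC_SA = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.20.30.40
   current_peer 198.51.100.10 port 4500
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Address space that means a NAT device sits between the spoke and the hub.
PRIVATE_OR_CGNAT = [
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),   # RFC 6598 carrier-grade NAT
]


def interface_address(brief, name):
    """Return the address of interface `name`, or None if it has none."""
    for line in brief.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            return None if fields[1] == "unassigned" else fields[1]
    return None


def is_behind_nat_address(addr):
    """True when the address is private or CGNAT space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_OR_CGNAT)


def ipsec_counters(sa_output):
    """Pull encaps/decaps counters and the peer port from 'show crypto ipsec sa'."""
    encaps = re.search(r"#pkts encaps:\s*(\d+)", sa_output)
    decaps = re.search(r"#pkts decaps:\s*(\d+)", sa_output)
    port = re.search(r"current_peer\s+\S+\s+port\s+(\d+)", sa_output)
    return {
        "encaps": int(encaps.group(1)) if encaps else 0,
        "decaps": int(decaps.group(1)) if decaps else 0,
        # Peer on UDP 4500 means NAT-T was negotiated and ESP is UDP-encapsulated.
        "nat_t": port is not None and port.group(1) == "4500",
    }


def diagnose(brief, sa_output, dialer="Dialer1"):
    """Return a list of findings describing the NAT/tunnel state of the spoke."""
    findings = []
    addr = interface_address(brief, dialer)
    if addr is None:
        findings.append(f"{dialer} has no address: IPCP negotiation not complete")
        return findings
    if is_behind_nat_address(addr):
        findings.append(f"{dialer} address {addr} is private/CGNAT: provider NAT in path")
    counters = ipsec_counters(sa_output)
    if counters["nat_t"]:
        findings.append("IPsec peer on UDP 4500: NAT-T negotiated, ESP rides in UDP")
    if counters["encaps"] > 0 and counters["decaps"] == 0:
        findings.append("one-way tunnel: spoke encapsulates but receives nothing back")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_IP_INT_BRIEF, SAMPLE_IPSEC_SA):
        print(finding)
```

Paste real `show` output in place of the constructed strings and compare two runs a minute apart: if `encaps` rises while `decaps` stays at zero and the dialer sits in private or CGNAT space, the encrypted traffic is leaving the spoke and being dropped or mistranslated on the NAT path before the hub sees the NHRP registration, which matches the shut/no shut workaround producing a public address.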