Cisco 819G - DMVPN over 3G

jamiegrive
Level 1

Hello community,

I'm scratching my head over this one. After battling to get a working 3G configuration using the new 3.75G HSPA+ card, which is now working with no problem for Internet access, I'm struggling to bring up a DMVPN connection to our hub router (DMVPN NHS).

ISAKMP appears to be working fine; both agree ISAKMP SAs and enter state QM_IDLE. They also agree an ESP SA. The spoke sends packets encrypted down the tunnel, though the hub end does not receive them and does not complete the NHRP registration, and as such the tunnel never fully comes up. 'show DMVPN' on the spoke doesn't proceed past NHRP phase, and on the hub it is never seen. The debugs show NAT-T working as it would be expected to and also show ISAKMP and IPSEC SAs agreeing on inbound/outbound session IDs.

What could be going wrong here?

The DMVPN configuration should be fine as I have used an external 3G modem/gateway in the past and the tunnel can establish. So it's almost as if it is an interoperation between the DMVPN config and the 3G config on the 819.

Any ideas?

Best regards,

Jamie

Sent from Cisco Technical Support iPhone App

3 Replies

paolo bevilacqua
Hall of Fame

More details and traces would be needed to diagnose.

Try also a non-protected config.

jamiegrive
Level 1

Hi all,

It turns out that it's something to do with NAT issues. Occasionally the provider gives me a public routable IP address on the 3G network - when this happens, the DMVPN comes up no problem. However when I get a private network it doesn't, and the solution is to shut/no shut the dialler interface and get a new address over IPCP.

It can't be that NAT-T for ISAKMP (udp 4500) isn't working as ISAKMP is working fine and we pass this phase.

Any ideas what might be causing this issue? It must be something to do with the 819 and NHRP registration through NAT. It's strange that the 819 never begins to send ESP packets, despite it fully completing the IKE process (Phase 1 and 2). Also strange that the hub end does not see the NHRP registration, but this probably is the first thing after the SAs are set up.

Regards,

Jamie

Sent from Cisco Technical Support iPhone App

jamiegrive
Level 1

Hi again,

I think my comment above regarding ESP not being sent when NAT-T is on is not true; I was forgetting that ESP will be sent on UDP 4500 too.

Sent from Cisco Technical Support iPhone App
