Robert Craig
Participant

GRE Tunnel with IPSEC Protection behind NAT

I have a DMVPN spoke behind an ASA. The ASA is performing NAT for this site. Is there anything special that I need to do on the spoke side to keep the tunnel stable? It stays up for about 3 or 4 minutes, then drops for 30 seconds, then back up again. I can see a peer trying to establish on the hub "show crypto isakmp sa" with the public IP of the spoke, but when the tunnel drops, it is trying to form an SA with the private IP of the spoke router. I've tried using "mode transport" on the transform set, but that just breaks the tunnel completely. Any help is appreciated.

 

Robert

5 REPLIES 5
AllertGen
Participant

Hello, .

Does your ASA use NAT only for one spoke? Or are there others too? Did you use "mode transport" only at the spoke side (you should use it at the hub first, and after this you should use this command at the spokes)? If "mode transport" does not work, you can try configuring PAT on your ASA for this router.

Best Regards.

No, there is only one spoke behind the ASA at this site. I only used "mode transport" at the spoke side, but haven't tried using it at the hub first. I might just have to do a PAT on the ASA. If I end up doing a PAT, would it be UDP 500?

 

Robert

Hi, Robert Craig.

First, try setting "mode transport" at the hub. According to the manuals, you need to do it first at the hub and only after this at the spokes.

For PAT it will be 500 UDP (but if that is not enough, then 4500 UDP, AH and ESP protocols).

Best Regards.

OK, I added "mode transport" at the hub, no effect. I can still see the tunnel drop and a peer trying to form with the private IP. Think I should add it at the spoke now and see how it performs?

 

Robert

OK, I added mode transport on both the hub and the spoke. The tunnel is staying up now. Thanks for the tip!

Robert
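The thread ends with the tunnel stable only once "mode transport" was set on both the hub and the spoke. As an added example (not part of the original thread), this Python check reads two IOS-style configurations and reports the IPsec mode each protected tunnel resolves to. The configuration text, profile and transform-set names are constructed placeholders, and it assumes a transform set with no "mode" line runs in tunnel mode, the IOS default.

```python
import re
# Constructed sample config; names and algorithms are placeholders, not from the thread.
HUB_CFG = """\
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
interface Tunnel0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
"""
# Spoke with no "mode" line under the transform set: assumed default is tunnel mode.
SPOKE_CFG = HUB_CFG.replace(" mode transport\n", "")

def blocks(cfg):
    """Map each top-level config line to its indented child lines."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            cur = line.strip()
            out[cur] = []
        elif cur is not None:
            out[cur].append(line.strip())
    return out

def child_arg(body, pattern):
    """First capture group of the first child line matching pattern, else None."""
    hits = (re.match(pattern, line) for line in body)
    return next((m.group(1) for m in hits if m), None)

def tunnel_modes(cfg):
    """Return {tunnel interface: 'transport' or 'tunnel'} for IPsec-protected tunnels."""
    b, modes = blocks(cfg), {}
    for hdr, body in b.items():
        prof = child_arg(body, r"tunnel protection ipsec profile (\S+)")
        if not hdr.lower().startswith("interface tunnel") or prof is None:
            continue
        ts = child_arg(b.get(f"crypto ipsec profile {prof}", []), r"set transform-set (\S+)")
        ts_body = next((v for k, v in b.items()
                        if k.startswith(f"crypto ipsec transform-set {ts} ")), [])
        is_transport = any(line.startswith("mode transport") for line in ts_body)
        modes[hdr.split()[1]] = "transport" if is_transport else "tunnel"
    return modes

def both_transport(hub_cfg, spoke_cfg):
    """True only if every protected tunnel on both routers uses transport mode."""
    seen = set(tunnel_modes(hub_cfg).values()) | set(tunnel_modes(spoke_cfg).values())
    return seen == {"transport"}
```

Calling `both_transport(HUB_CFG, SPOKE_CFG)` returns False for the constructed pair because the spoke still resolves to tunnel mode.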
