
IPSEC connection failing over 3G/4G (EE and O2 UK)

Radu Stefan
Level 1

Hi,

Weird issue on connecting CPEs (C887, C819) via 3G/4G to an IPSEC concentrator (ASR1001).

I'm testing using Cisco887VAMG+7 and C819G-4G-G-K9.

IOS is 15.(3)M3, 15.4(3)M3 or 15.5(3)M

SIM cards from EE and O2 in UK. 

The CPE has a static IPSEC tunnel configured, the ASR has DVTI configuration. 

I'm using IKEv2; the solution is quite stable and works fine with all kinds of access (CPEs are connected to the Internet, then build an IPSEC tunnel to the IPSEC gateway).

Only in the case of 3G/4G access I encounter the following problem:

- tunnel is built, all IKE SAs and IPSEC SAs are fine on both sides (CPE and ASR).

- IKE injected routes are exchanged fine.

PROBLEM: traffic from the ASR is failing to reach the LAN/loopbacks connected on the CPE. Ping from the ASR (or another remote CPE) destined to a loopback/LAN on the 3G connected CPE is failing. 

But when I ping from the CPE to the ASR/remote CPE, ping is successful! More so, after I ping from the 3G connected CPE, the ping from the other side succeeds as well. 

All is good for around 10 minutes and - if no traffic from the 3G CPE during this time - it fails again. 

I got a solution for the spoke to hub connectivity (IP SLA which pings from the 3G CPE every 2 mins or so, keeping the path "alive"). 

But I'm trying to build a DMVPN solution with dynamic tunnels and for that it cannot scale.

If there's no traffic from the 3G CPE for a few minutes, then the traffic destined to it from a remote CPE will fail.

So... anybody had this issue? Any advice? Solution?

Thank you,

Radu

 
