
two DMVPN Spokes behind ASA doing hide-NAT to the Internet

gadholwi1
Level 1

Does this scenario require a special configuration of the ASA? Up to now the setup is not working; we are facing the following problem:

The central DMVPN hub shows an 'invalid SPI' error, because both spokes are coming up with the same IP address (ASA hide-NAT) at the DMVPN hub.

thx

Holger

1 Accepted Solution

Are you using one IP address for both spokes? That is not gonna work.

5 Replies

You will need to enable NAT-T on all the routers and permit UDP port 4500 as well from the outside of the ASA to the IP addresses of the spokes. If it doesn't work, permit all IP just to test. NAT will change the hash output, so the SPI will never come up.

Are you using one IP address for both spokes? That is not gonna work.

Yes, of course, both DMVPN spokes are translated to one public PAT IP address.

And you are right, this configuration does not work.

See the ASK THE EXPERT discussion:

https://supportforums.cisco.com/message/3122613#3122613

thx for your reply

Holger

gadholwi1 wrote:

see ASK THE EXPERT discussion

https://supportforums.cisco.com/message/3122613#3122613

Hi! This link is not accessible.

Can anybody confirm that two spokes won't work behind one PAT address on up-to-date software?