Solved: Re: two DMVPN Spokes behind ASA doing hide-NAT to the Internet

gadholwi1 · ‎06-22-2010

does this scenario require as special configuration of the ASA? Up to now the setup is not working, we are facing the following problem:

The central DMVPN Hub shows a 'invalid SPI' error, because both spokes coming up with the same IP address (ASA hide-NAT) at the DMVPN hub.

thx

Holger

Diego Armando Cambronero Arias · ‎06-23-2010

Are you using one IP address for both spokes? that is not gonna work

View solution in original post

Diego Armando Cambronero Arias · ‎06-23-2010

You will need to enable NAT-T in the all the routers and permit port udp 4500 as well from the outside of the ASA to the IP addresses of the spokes if it does't work permit all IP just to test. NAT will change the hash output so the spi will never be come up

Diego Armando Cambronero Arias · ‎06-23-2010

Are you using one IP address for both spokes? that is not gonna work

gadholwi1 · ‎06-24-2010

Yes, of course, both DMVPN spokes are translated to one public PAT IP address.

And you are right, this configuration does not work.

see ASK THE EXPERT discussion

https://supportforums.cisco.com/message/3122613#3122613

thx for your reply

Holger

Eugene Khabarov · ‎06-28-2012

gadholwi1 написал(а):

see ASK THE EXPERT discussion

https://supportforums.cisco.com/message/3122613#3122613

Hi! This link is not accessible

Eugene Khabarov · ‎06-28-2012

Can anybody confirm that two spokes won't work behind one PAT address on up to date software?