AutoVPN and Fritzbox
It looks as if the Fritzbox 7590 xDSL ISP router is not fully compatible with Meraki's AutoVPN mechanisms.
We have major issues with MX67 spokes connecting to a vMX hub in AWS. Tunnels going down and staying down until we reboot the MX or the Fritzbox.
Does anyone have the same experience?
I had the same issue some time ago. We set the MX as „Exposed Host“ in the Fritzbox configuration as a workaround.
Thanks for your reply. Did you do any troubleshooting, like firmware upgrading, opening a case with Meraki / AVM etc?
We have 6 hubs and 320 spokes with an MX67 behind a Fritzbox 7590. Somehow autoVPN issues on multiple locations started last week, affecting only the autoVPN to 1 of the 6 hubs.
Making an exposed host could be an option, but we would have to disable the DHCP client on the MX. Not something I'm looking forward to doing.
I did no further troubleshooting with new firmware etc. The initial setup was good and after a long time running fine this issue happened for more and more sites.
In a Wireshark capture on the VPN concentrator (Hub) all looks good (source IP and port of the VPN peer). The issue was very strange for us. But we had only around 5 sites with this issue, not 320 spokes 😥
I'm not familiar with the Fritzbox, but I have seen issues like this before with the way that CPE do NAT (ageing out the NAT entries prematurely, usually based on creation date rather than last used date).
If the issue is only to Amazon AWS VMX hosts, then the easiest way to resolve this is to configure the VMX to use a manual NAT traversal. For example:
And make sure that the AWS security group allows whatever port you use in from everywhere.
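Added example (not part of any post in this thread, and not a model of Fritzbox firmware): a toy UDP NAT table that compares the two ageing policies mentioned in the reply above and reports how often the hub would see the spoke's translated source port change. The timeout, keepalive interval, addresses and port numbers are constructed values.

```python
import itertools

class ToyNat:
    """Minimal UDP source-NAT table with a selectable ageing policy."""

    def __init__(self, timeout, policy):
        self.timeout = timeout            # seconds (constructed value)
        self.policy = policy              # "last_used" or "created"
        self.table = {}                   # (src_ip, src_port) -> [ext_port, created, last_used]
        self._ports = itertools.count(40000)  # constructed external port pool

    def outbound(self, now, src):
        """Translate one outbound packet and return its external source port."""
        entry = self.table.get(src)
        if entry is not None:
            # The policy decides which timestamp the age is measured from.
            reference = entry[1] if self.policy == "created" else entry[2]
            if now - reference >= self.timeout:
                entry = None              # mapping aged out
        if entry is None:
            # Assumption: a re-created mapping gets a fresh external port.
            entry = [next(self._ports), now, now]
            self.table[src] = entry
        entry[2] = now                    # traffic refreshes last_used
        return entry[0]

def ports_seen_by_hub(policy, timeout=120, keepalive=10, duration=600):
    """External source ports the hub observes for one spoke sending keepalives."""
    nat = ToyNat(timeout, policy)
    spoke = ("192.168.178.2", 50000)      # constructed inside address and port
    return [nat.outbound(t, spoke) for t in range(0, duration + 1, keepalive)]

def port_changes(ports):
    """Count how many times the observed source port changes mid-session."""
    return sum(1 for a, b in zip(ports, ports[1:]) if a != b)

if __name__ == "__main__":
    for policy in ("last_used", "created"):
        seen = ports_seen_by_hub(policy)
        print(f"{policy:9s} distinct ports={len(set(seen))} changes={port_changes(seen)}")
```

In a capture on the hub side, the signature of the creation-based policy is the same peer IP reappearing with a new UDP source port at a regular interval even though keepalives never stopped.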
Thanks,
On the vMX in AWS there already is a manual NAT configured.
Are you already on Fritz!OS version 7.50? We have experienced this with 7.29 but it was gone after updating to 7.50.
Very interesting... We also have a similar issue. We are adding an MX 67 on our spokes that goes over AutoVPN to our DC and it only happened a few times in the beginning, but now with every migration of adding an MX 67 to a spoke for SD-WAN, we need to reboot our MX.
We are also connecting to a Fritzbox and most of the time it is the 7590. We just passed the 100 mark for migrations, but our issue is with the CAPWAP traffic of Cisco APs that do not want to show up on WLC (Flex Connect) and the only option at the moment to fix this is to reboot MX then it is fixed.
We do have an open case with Meraki and they have no clue why it is, but we can see that the UDP port is changed when it comes back to the spoke. I am going to check the firmware of the Fritzbox and see if this is related.
