Meraki

Community

NAT Unfriendly

Solved
OscarAldana
Conversationalist
‎May 31 2019 5:06 PM
‎May 31 2019 5:06 PM

NAT Unfriendly

Hello, 

 

I am receiving the NAT unfriendly alert on my VPN status page. Does this alert can cause the VPN not going up?

 

Regards

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 31 2019 6:45 PM
‎May 31 2019 6:45 PM

Yes it could.

 

It means there is something doing NAT in front of the MX.  You could try upgrading the firmware of whatever that device is to resolve the problem.  There is also a troubleshooting guide here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Automatic_NAT_Traversal_for_Mer...

 

You could also manually forward a UDP port on that upstream router to the MX and configure the MX to use manual NAT traversal.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#NAT_Traversal

View solution in original post

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 31 2019 6:45 PM
‎May 31 2019 6:45 PM

Yes it could.

 

It means there is something doing NAT in front of the MX.  You could try upgrading the firmware of whatever that device is to resolve the problem.  There is also a troubleshooting guide here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Automatic_NAT_Traversal_for_Mer...

 

You could also manually forward a UDP port on that upstream router to the MX and configure the MX to use manual NAT traversal.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#NAT_Traversal

In response to PhilipDAth
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 31 2019 6:46 PM
‎May 31 2019 6:46 PM

This guide includes a screenshot:

https://documentation.meraki.com/Architectures_and_Best_Practices/Auto_VPN_Hub_Deployment_Recommenda...

0 Kudos
In response to PhilipDAth
iores
Comes here often
‎Nov 16 2023 2:03 PM
‎Nov 16 2023 2:03 PM

@PhilipDAth Why is NAT unfriendly a problem? If outside (NATed) source IP or port are inconsistent, the inside IP and src port are not so the data gets always forwarded to the same host.

 

What am I missing?

0 Kudos
In response to iores
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 16 2023 2:10 PM
‎Nov 16 2023 2:10 PM

Because the NAT needs to allow return packets from any IP address to work.  Then every other MX can establish an AutoVPN link directly to the MX.

0 Kudos
In response to PhilipDAth
iores
Comes here often
‎Nov 16 2023 2:38 PM
‎Nov 16 2023 2:38 PM

@PhilipDAth Can you please explain in more detail? 

 

Are you saying that in one moment in NAT translation table there will be MX private IP address mapped to one public IP address and/or port, and in other moment they will be different. So, the returned traffic will have IP/port mismatch and the data would not get forwarded correctly?

 

How often MX registers its IP and port to the VPN registrator?

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.