NAT Unfriendly

SOLVED
OscarAldana
Conversationalist

Hello,

I am receiving the NAT unfriendly alert on my VPN status page. Can this alert cause the VPN not to come up?

Regards

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Yes, it could.

It means there is something doing NAT in front of the MX. You could try upgrading the firmware of whatever that device is to resolve the problem. There is also a troubleshooting guide here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Automatic_NAT_Traversal_for_Mer...

You could also manually forward a UDP port on that upstream router to the MX and configure the MX to use manual NAT traversal.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#NAT_Traversal

iores
Comes here often

@PhilipDAth Why is NAT unfriendly a problem? If the outside (NATed) source IP or port is inconsistent, the inside IP and source port are not, so the data always gets forwarded to the same host.

What am I missing?

PhilipDAth
Kind of a big deal

Because the NAT needs to allow return packets from any IP address to work.  Then every other MX can establish an AutoVPN link directly to the MX.

iores
Comes here often

@PhilipDAth Can you please explain in more detail?

Are you saying that at one moment the NAT translation table will have the MX private IP address mapped to one public IP address and/or port, and at another moment they will be different, so the returned traffic will have an IP/port mismatch and the data would not get forwarded correctly?

How often does the MX register its IP and port with the VPN registrator?
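
Added illustration, not part of any post in this thread and not Meraki code: a toy Python model of an upstream NAT, showing why a mapping that changes per destination breaks a peer's attempt to reach the address a registry learned. The `Nat` class, all addresses and ports, and the two-registry comparison are assumptions made for this sketch.

```python
from dataclasses import dataclass, field
from itertools import count

MX = ("192.168.1.2", 51000)                                # constructed inside socket
REGISTRIES = [("198.51.100.10", 51000), ("198.51.100.11", 51000)]  # constructed
PEER = ("203.0.113.7", 51000)                              # constructed remote MX

@dataclass
class Nat:
    """Toy upstream NAT. endpoint_independent=True models the 'friendly' case."""
    public_ip: str
    endpoint_independent: bool
    _ports: count = field(default_factory=lambda: count(40000))
    _map: dict = field(default_factory=dict)     # mapping key -> public port
    _allowed: set = field(default_factory=set)   # (public port, remote) holes

    def outbound(self, inside, remote):
        """Translate inside -> remote; return the public (ip, port) the remote sees."""
        key = inside if self.endpoint_independent else (inside, remote)
        if key not in self._map:
            self._map[key] = next(self._ports)
        port = self._map[key]
        self._allowed.add((port, remote))        # return traffic allowed from this remote
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Inside socket a packet from remote reaches, or None if the NAT drops it."""
        if (public_port, remote) not in self._allowed:
            return None
        for key, port in self._map.items():
            if port == public_port:
                return key if self.endpoint_independent else key[0]
        return None

def registry_view(nat):
    """Public ip:port each registry observes for the same inside socket."""
    return [nat.outbound(MX, r) for r in REGISTRIES]

def is_nat_unfriendly(nat):
    """Assumed check: the registries disagree about the MX's public ip:port."""
    return len(set(registry_view(nat))) > 1

def peer_can_punch(nat):
    """Peer sends to the address a registry advertised while the MX sends to the peer."""
    advertised = registry_view(nat)[0]
    nat.outbound(MX, PEER)                       # MX side of the hole punch
    return nat.inbound(PEER, advertised[1]) == MX
```

In the destination-dependent case the MX's packet toward the peer leaves from a new public port, so the peer's packet to the advertised port matches no open hole and is dropped.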

 
