I have several Sites with 2 MX in Routed Mode and 1 AP. All are sharing the Internet access using the same Public IP. My Firewall is a Palo Alto with dynamic NAT and port translation, so all MX are showing "Unfriendly NAT". Despite that, Site-to-Site VPN HUB <-> SPOKE is working fine.
On the other hand, every AP is publishing a Teleworker SSID (VPN tunneling to the same HUB), but it's failing. The VPN Concentrator Test fails and the SSID is not published.
I couldn't understand why the Site-to-Site tunnel worked but the Teleworker SSID did not, so I captured traffic on all sides (AP, Spoke and Hub) and I discovered the following behaviour:
For Site-to-Site VPN:
The HUB sends UDP traffic to the original UDP Spoke Port (known via the VPN Registry) and to the NATted UDP Spoke Port (I don't know how this is learned (maybe from received traffic?)).
The UDP traffic to the NATted port passes through the Spoke Firewall because it has a NAT session created for that traffic, while the UDP traffic to the original UDP port is dropped. It seems to make sense.
For SSID Tunnel:
The HUB ONLY sends UDP traffic to the original UDP Spoke Port (known via the VPN Registry) but not to the NATted UDP Spoke Port, so the traffic is dropped on the Spoke side because the Firewall doesn't have a NAT session and the tunnel fails.
Does anybody know whether this is normal behaviour on the MX side? I expected the same behaviour in both cases....
If it's correct, is there any solution via Meraki configuration? (We can't change Firewall Policies at this moment)
Thanks and regards.
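As an added illustration of the behaviour described in this post (a constructed model written for this page, not code from the original post, from Meraki or from Palo Alto), the following Python simulates a stateful firewall doing dynamic NAT with port translation and a hub that either replies only to the spoke port learned from a registry (the pre-NAT port) or also to the post-NAT port observed on the packet the spoke sent out. The addresses, ports and the "registry" dictionary are assumptions made up for the simulation; the firewall model simply encodes the rule that inbound UDP is forwarded only when it matches a session the firewall itself created.

```python
"""Constructed model of return traffic through a dynamic NAT (PAT) firewall.

Added example, not code from the original post, Meraki or Palo Alto.
Shows why a hub reply to the spoke's pre-NAT (registered) port is dropped
while a reply to the post-NAT port observed on the spoke's own packet passes.
"""
from dataclasses import dataclass, field
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatFirewall:
    """Stateful firewall doing dynamic NAT with port translation.

    outbound(): rewrites the inside source to (public_ip, fresh port) and
    records a session keyed by the external 5-tuple it just created.
    inbound():  forwards only when the packet matches a recorded session;
    anything else is dropped, which is what happens to a reply sent to a
    port the firewall never translated.
    """
    public_ip: str
    _next_port: count = field(default_factory=lambda: count(40000))
    # (remote_ip, remote_port, natted_port) -> (inside_ip, inside_port)
    sessions: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        natted_port = next(self._next_port)
        self.sessions[(pkt.dst_ip, pkt.dst_port, natted_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, natted_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        inside = self.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if inside is None:
            return None  # dropped: no NAT session for this 5-tuple
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


# Constructed addresses (RFC 5737 documentation ranges) and ports.
HUB = ("198.51.100.1", 9350)      # hypothetical hub public address / UDP port
SPOKE_INSIDE = ("10.0.0.2", 32768)  # hypothetical spoke inside address / UDP port
SPOKE_PUBLIC_IP = "203.0.113.10"    # hypothetical shared public IP of the firewall


def simulate(use_observed_port: bool):
    """Return a list of (destination_port, delivered) for each hub reply.

    use_observed_port=False: hub only replies to the registered pre-NAT port.
    use_observed_port=True:  hub also replies to the post-NAT port it observed.
    """
    fw = PatFirewall(SPOKE_PUBLIC_IP)
    # Hypothetical registry: the spoke announces its inside (pre-NAT) port.
    registry = {"spoke1": SPOKE_INSIDE[1]}

    # Spoke sends a packet to the hub; the firewall translates the source port.
    observed = fw.outbound(Packet(SPOKE_INSIDE[0], SPOKE_INSIDE[1], HUB[0], HUB[1]))

    targets = [registry["spoke1"]]
    if use_observed_port:
        targets.append(observed.src_port)  # the hub learned this from the packet

    results = []
    for port in targets:
        reply = Packet(HUB[0], HUB[1], fw.public_ip, port)
        results.append((port, fw.inbound(reply) is not None))
    return results


def tunnel_comes_up(use_observed_port: bool) -> bool:
    """True if at least one hub reply reached the spoke behind the firewall."""
    return any(delivered for _, delivered in simulate(use_observed_port))


if __name__ == "__main__":
    for mode in (False, True):
        print(f"hub uses observed port={mode}: {simulate(mode)} -> up={tunnel_comes_up(mode)}")
```

Running it shows the registered port 32768 dropped in both modes (the firewall only knows the translated port 40000), so the tunnel only comes up when the hub also targets the port it observed on the spoke's outbound packet.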