Carrier Grade NAT may be playing a role here, too - running pcaps at both ends can reveal if the mobile carrier is manipulating ports in a way that fools the UDP punch process. Switching to Manual NAT traversal at the Hub end, choosing a UDP port between 1025 and 32768, but avoiding 4500 may help. More on setting this up here: https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshooting#NAT_Type:_Unfriendly
... View more