In that case, you have to pay attention to the IPsec encapsulation mode…

NHRP Registration

When an NHRP registration is received, the hub checks the source IP address in the encapsulating GRE/IP header of the NHRP packet against the source NBMA IP address contained in the NHRP registration packet. If these IP addresses are different, NHRP knows that NAT is changing the outer IP header source address. The hub preserves both the pre- and post-NAT address of the registered spoke.


If encryption is used, then IPsec transport mode must be used to enable NHRP.


Let’s see this behavior.

1) show ip nhrp output in transport mode DMVPN.

Router-NHS#sh ip nhrp via
Tunnel0 created 00:16:58, expire 01:43:02
Type: dynamic, Flags: unique registered
NBMA address:
(Claimed NBMA address:

NHRP realizes that the IP address was changed by NAT ( to

2) show ip nhrp output in tunnel mode DMVPN.

Router-NHS#sh ip nhrp via
Tunnel0 created 00:00:11, expire 01:59:49
Type: dynamic, Flags: unique registered used
NBMA address:


In case (2), NHRP believes the packet was not NATted, because the original IP header is encapsulated and therefore not changed. As a result, the original local (pre-NAT) address is used as the NBMA address.
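The hub-side comparison described above can be modelled in a few lines. This is an added example, not IOS code and not from the original post; the function names and all addresses are constructed for illustration, and the model tracks only the source addresses of the IP headers.

```python
# Simplified model of the hub's NAT check during NHRP registration.
# Assumption: names and addresses below are constructed sample values.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Registration:
    ip_sources: tuple   # source address of each IP header, outermost first
    claimed_nbma: str   # source NBMA address carried inside the NHRP registration


def spoke_send(local_ip: str, mode: str) -> Registration:
    if mode == "transport":
        # ESP protects the GRE payload; the GRE/IP header is the only IP header.
        return Registration((local_ip,), local_ip)
    if mode == "tunnel":
        # The whole GRE/IP packet is wrapped behind a new outer IP header.
        return Registration((local_ip, local_ip), local_ip)
    raise ValueError(f"unknown IPsec mode: {mode}")


def nat(pkt: Registration, public_ip: str) -> Registration:
    # NAT can rewrite only the outermost IP header it sees on the wire.
    return replace(pkt, ip_sources=(public_ip,) + pkt.ip_sources[1:])


def hub_register(pkt: Registration) -> dict:
    # After IPsec processing, the header that carries GRE is the innermost one.
    gre_ip_src = pkt.ip_sources[-1]
    entry = {"nbma": gre_ip_src}
    if gre_ip_src != pkt.claimed_nbma:
        # Mismatch: NAT was detected, so keep the pre-NAT address as well.
        entry["claimed_nbma"] = pkt.claimed_nbma
    return entry


def register_via_nat(local_ip: str, public_ip: str, mode: str) -> dict:
    return hub_register(nat(spoke_send(local_ip, mode), public_ip))


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(mode, register_via_nat("192.168.1.10", "203.0.113.7", mode))
```

In the tunnel-mode result the entry has no claimed address and records the spoke's pre-NAT address as the NBMA address, which matches output (2).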
