@Chris_Atkinson  checked these sarticles, everything looks fine. SmartProvisioning is mentioned in the article but we don't use this feature, alle gateways are defined as normal DAIP gateways. There are no firewall-rules between remote and central gateway.

Can you please explain the needed traffic flow for the "connect" state. Will be there a need for a cpd_amon connection from the management to the remote DAIP gateway or vice versa?

Please explain the NAT used here - sounds like  static NAT, not dynamic IP to me...

@G_W_Albrecht we have no information which kind of NAT is done via the LTE provider, this is something mysterious done by the  German Telekom in the LTE network. We could see the appliance getting IP-adress (10.xx.xx.xx) but on the management we could see the appliance as 80.xx.xx.xx.

Then maybe you can just be glad that VPN is working 8)

Central gateway has rules in-place of the implied rules for the traffic from DAIP gateway/s or is mgmt traffic via VPN?

Yes, rules exists for the management ports like cpd, fw_log, cpd_amon etc.  VPN is working fine, logs are sent to the management. Only the state of the appliance is not shown as connected and the state of the VPN tunnel is shown as down in SmartviewMonitor.

Are there any requirements if the appliance will be installed behind another NAT-device ? 

@Chris_Atkinson my question again.... we had a DAIP appliance behind a NAT device, only NAT no firewall. Will it be possible to get these appliance to the green state meaning "connected" in Smartconsole view ?

I've sought some feedback on your behalf (in the absence of a corresponding SK etc) and will update you accordingly.