The tunnels between AZURE and Cisco ASA stopped working.

Vasiliy P — Thu, 27 Feb 2025 11:16:12 GMT

Hello, I ask for help in solving the following problem. As of today, the tunnels between AZURE and CISCO ASA stopped working. There were no problems until now. I am attaching the CISCO ASA config

!
hostname I-FW1
domain-name magvatech.com
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
feature tier standard
names

!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Ethernet1/1
no switchport
no nameif
no security-level
no ip address
!
interface Ethernet1/1.201
description ANYCONNECT
vlan 201
nameif OUTSIDE-ANYCONNECT
security-level 0
ip address 95.70.236.225 255.255.255.254
!
interface Ethernet1/1.202
description MVTEUCLOUD
vlan 202
nameif MVTEUCLOUD
security-level 0
ip address 95.70.236.227 255.255.255.254
!
interface Ethernet1/1.203
description MVTBRCLOUD
vlan 203
nameif MVTBRCLOUD
security-level 0
ip address 95.70.236.229 255.255.255.254
!
interface Ethernet1/1.204
description FCMEUCLOUD
vlan 204
nameif FCMEUCLOUD
security-level 0
ip address 95.70.236.231 255.255.255.254
!
interface Ethernet1/1.205
description TESCLOUD
vlan 205
nameif TESCLOUD
security-level 0
ip address 95.70.236.233 255.255.255.254
!
interface Ethernet1/2
no switchport
no nameif
no security-level
no ip address
!
interface Ethernet1/2.102
vlan 102
nameif V102_OSPF-I-FW1
security-level 100
ip address 10.254.1.14 255.255.255.252
ospf network point-to-point non-broadcast
!
interface Ethernet1/3
no switchport
nameif INSIDE-LOC-LAN
security-level 100
ip address 10.17.1.253 255.255.252.0

!
interface Tunnel2
nameif MVTEU-I-FW1
ip address 10.70.200.1 255.255.255.252
tunnel source interface MVTEUCLOUD
tunnel destination 20.217.184.175
tunnel mode ipsec ipv4
tunnel protection ipsec profile AZURE-PROPOSAL
!
interface Tunnel3
nameif MVTBR-I-FW1
ip address 10.70.201.1 255.255.255.252
tunnel source interface MVTBRCLOUD
tunnel destination 20.226.120.230
tunnel mode ipsec ipv4
tunnel protection ipsec profile AZURE-PROPOSAL
!
interface Tunnel4
nameif FCMEU-I-FW1
ip address 10.70.202.1 255.255.255.252
tunnel source interface FCMEUCLOUD
tunnel destination 52.174.183.101
tunnel mode ipsec ipv4
tunnel protection ipsec profile AZURE-PROPOSAL
!
interface Tunnel5
nameif TES-I-FW1
ip address 192.168.88.1 255.255.255.252
tunnel source interface TESCLOUD
tunnel destination 52.174.122.149
tunnel mode ipsec ipv4
tunnel protection ipsec profile AZURE-PROPOSAL
!
ftp mode passive
dns domain-lookup OUTSIDE-ANYCONNECT
dns domain-lookup MVTEUCLOUD
dns domain-lookup FCMEUCLOUD
dns domain-lookup TESCLOUD
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 10.14.19.4
domain-name magvatech.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
no object-group-search access-control
object network RAVPN
subnet 10.17.16.0 255.255.255.0
object network LAN_V10
subnet 10.17.0.0 255.255.252.0
object network I-FW1
host 10.17.1.253
description I-FW1-LAN
object network MVTEUCLOUD
subnet 10.14.0.0 255.255.0.0
description MVTEUCLOUD-LAN
object network POOL-ISP-I
subnet 10.17.17.0 255.255.255.0

pager lines 24
logging enable
logging trap warnings
logging asdm debugging
logging host INSIDE-LOC-LAN 10.17.50.208 6/1025
mtu OUTSIDE-ANYCONNECT 1500
mtu MVTEUCLOUD 1500
mtu MVTBRCLOUD 1500
mtu FCMEUCLOUD 1500
mtu TESCLOUD 1500
mtu V102_OSPF-I-FW1 1500
mtu INSIDE-LOC-LAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE-LOC-LAN
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (INSIDE-LOC-LAN,OUTSIDE-ANYCONNECT) source static LAN_V10 LAN_V10 destination static RAVPN RAVPN
nat (OUTSIDE-ANYCONNECT,OUTSIDE-ANYCONNECT) source dynamic DM_INLINE_NETWORK_1 interface
nat (OUTSIDE-ANYCONNECT,OUTSIDE-ANYCONNECT) source dynamic POOL-ISP-I interface
router bgp 65000
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
neighbor 10.13.16.158 remote-as 65525
neighbor 10.13.16.158 ebgp-multihop 255
neighbor 10.13.16.158 activate
neighbor 10.15.16.158 remote-as 65515
neighbor 10.15.16.158 ebgp-multihop 255
neighbor 10.15.16.158 activate
neighbor 10.14.18.158 remote-as 65570
neighbor 10.14.18.158 ebgp-multihop 255
neighbor 10.14.18.158 activate
neighbor 192.168.77.254 remote-as 65516
neighbor 192.168.77.254 ebgp-multihop 255
neighbor 192.168.77.254 activate
network 10.13.0.0
network 10.14.0.0
network 172.16.0.0
network 10.17.0.0 mask 255.255.252.0
network 172.17.0.0
network 172.18.0.0
network 10.17.16.0 mask 255.255.255.0
network 10.17.50.0 mask 255.255.255.0
network 192.168.88.0 mask 255.255.255.252
network 10.17.101.0 mask 255.255.255.252
network 10.70.200.0 mask 255.255.255.252
network 10.70.201.0 mask 255.255.255.252
network 10.70.202.0 mask 255.255.255.252
network 10.254.0.64 mask 255.255.255.252
network 10.254.0.160 mask 255.255.255.252
no auto-summary
no synchronization
exit-address-family
!
router ospf 1
network 10.13.0.0 255.255.0.0 area 1
network 10.14.0.0 255.255.0.0 area 1
network 10.15.0.0 255.255.0.0 area 1
network 10.17.0.0 255.255.252.0 area 1
network 10.254.1.12 255.255.255.252 area 1
neighbor 10.254.1.13 interface V102_OSPF-I-FW1
log-adj-changes
!
route OUTSIDE-ANYCONNECT 0.0.0.0 0.0.0.0 95.70.236.224 1
route MVTBRCLOUD 0.0.0.0 0.0.0.0 95.70.236.228 2
route MVTEUCLOUD 0.0.0.0 0.0.0.0 95.70.236.226 3
route TESCLOUD 0.0.0.0 0.0.0.0 95.70.236.232 4
route FCMEUCLOUD 0.0.0.0 0.0.0.0 95.70.236.230 5
route FCMEU-I-FW1 10.13.16.158 255.255.255.255 10.70.202.2 1
route INSIDE-LOC-LAN 10.14.0.0 255.255.0.0 10.17.1.254 1
route MVTEU-I-FW1 10.14.18.158 255.255.255.255 10.70.200.2 1
route MVTEU-I-FW1 10.14.19.4 255.255.255.255 10.70.200.2 1
route MVTBR-I-FW1 10.15.16.158 255.255.255.255 10.70.201.2 1
route INSIDE-LOC-LAN 10.17.15.0 255.255.255.0 10.17.1.254 1
route INSIDE-LOC-LAN 10.17.16.0 255.255.255.0 10.17.1.254 1
route INSIDE-LOC-LAN 10.17.18.0 255.255.255.0 10.17.1.254 1
route INSIDE-LOC-LAN 10.17.19.0 255.255.255.0 10.17.1.254 1
route INSIDE-LOC-LAN 10.17.20.0 255.255.255.0 10.17.1.254 1
route INSIDE-LOC-LAN 10.17.50.0 255.255.255.0 10.17.1.254 1
route INSIDE-LOC-LAN 10.254.0.64 255.255.255.252 10.17.1.254 1
route INSIDE-LOC-LAN 172.16.0.0 255.255.0.0 10.17.1.254 1
route INSIDE-LOC-LAN 172.17.0.0 255.255.0.0 10.17.1.254 1
route INSIDE-LOC-LAN 172.18.0.0 255.255.0.0 10.17.1.254 1
route TES-I-FW1 192.168.77.254 255.255.255.255 192.168.88.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
ldap attribute-map VPN_USERS
map-name memberOf IETF-Radius-Class
map-value memberOf memberOf CN=VPN_USERS2,OU=MVT_GROUPS,DC=mvt,DC=com
aaa-server LDAP protocol ldap
aaa-server LDAP (INSIDE-LOC-LAN) host 10.14.1.4
ldap-base-dn DC=mvt,DC=com
ldap-scope subtree
ldap-naming-attribute SamAccountName
ldap-login-password *****
ldap-login-dn CN=Timur Dzhu,OU=MVT,OU=MVT_USERS,DC=mvt,DC=com
server-type microsoft
aaa-server Radius-T protocol radius
aaa-server Radius-T (INSIDE-LOC-LAN) host 172.16.7.148
key *****
authentication-port 1812
accounting-port 1813
radius-common-pw *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication login-history
http server enable
http 10.17.0.0 255.255.252.0 management
http 10.17.50.0 255.255.255.0 management
http 172.17.0.0 255.255.0.0 INSIDE-LOC-LAN
http 172.16.0.0 255.255.0.0 INSIDE-LOC-LAN
http 10.17.0.0 255.255.0.0 INSIDE-LOC-LAN
http 10.17.0.0 255.255.0.0 V102_OSPF-I-FW1
snmp-server host INSIDE-LOC-LAN 10.17.50.207 community ***** version 2c
snmp-server host INSIDE-LOC-LAN 172.17.5.207 community ***** version 2c
snmp-server host INSIDE-LOC-LAN 172.16.5.207 community ***** version 2c
snmp-server host INSIDE-LOC-LAN 172.18.5.207 community ***** version 2c
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-256 sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-256 sha-1
crypto ipsec profile AZURE-PROPOSAL
set ikev2 ipsec-proposal AZURE-PROPOSAL
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256
crypto map ANYCONNECT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ANYCONNECT_map interface OUTSIDE-ANYCONNECT
crypto map MVTEUCLOUD_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MVTEUCLOUD_map interface MVTEUCLOUD
crypto map MVTBRCLOUD_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map LOC-LAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map LOC-LAN_map interface INSIDE-LOC-LAN
crypto map PEER_I-R1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca permit-weak-crypto
crypto ca trustpoint connect-i_2024v4
enrollment terminal
fqdn connect-i.magvatech.com
subject-name CN=connect-i.magvatech.com,O=Magvatech,C=TR,St=Izmir
keypair connect-i_2024v4
crl configure
crypto ca trustpoint Digisert
enrollment terminal
crl configure
crypto ca trustpoint Digisert2
enrollment terminal
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn connect-i.magvatech.com
subject-name CN=connect-i.magvatech.com,O=Magvatech,C=TR,St=Gaziemir,L=Konak
keypair connect-i_2025
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
no validation-usage
crl configure
crypto ca trustpool policy
auto-import

crypto ikev2 policy 10
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 14 5
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes-256 aes-192 aes
integrity sha512 sha384 sha256 sha
group 14 5
prf sha512 sha384 sha256 sha
lifetime seconds 86400
crypto ikev2 enable MVTEUCLOUD
crypto ikev2 enable MVTBRCLOUD
crypto ikev2 enable FCMEUCLOUD
crypto ikev2 enable TESCLOUD

webvpn
group-policy GroupPolicy_Connect-I_ISP internal
group-policy GroupPolicy_Connect-I_ISP attributes
dns-server value 10.14.1.4 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
group-policy AZURE internal
group-policy AZURE attributes

tunnel-group DefaultWEBVPNGroup general-attributes

default-group-policy AZURE
tunnel-group 52.174.183.101 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 20.226.120.230 type ipsec-l2l
tunnel-group 20.226.120.230 general-attributes
default-group-policy AZURE
tunnel-group 20.226.120.230 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 20.217.184.175 type ipsec-l2l
tunnel-group 20.217.184.175 general-attributes
default-group-policy AZURE
tunnel-group 20.217.184.175 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 52.174.122.149 type ipsec-l2l
tunnel-group 52.174.122.149 general-attributes
default-group-policy AZURE
tunnel-group 52.174.122.149 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Re: The tunnels between AZURE and Cisco ASA stopped working.

marce1000 — Thu, 27 Feb 2025 14:02:16 GMT

- Check the logs on the ASA ,

Re: The tunnels between AZURE and Cisco ASA stopped working.

Vasiliy P — Fri, 28 Feb 2025 05:23:17 GMT

The problem was solved. The interface in AZURE froze. After updating it and switching, everything started working.
Thank you all very much!

topic Re: The tunnels between AZURE and Cisco ASA stopped working. in VPN

The tunnels between AZURE and Cisco ASA stopped working.

Re: The tunnels between AZURE and Cisco ASA stopped working.

Re: The tunnels between AZURE and Cisco ASA stopped working.