https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830094#M1100234 <P>Sorry i must have deleted the bgp config when i posted it here :</P><P>router bgp 65000<BR />bgp log-neighbor-changes<BR />bgp graceful-restart<BR />address-family ipv4 unicast<BR />neighbor 172.16.0.254 remote-as 65515<BR />neighbor 172.16.0.254 ebgp-multihop 255<BR />neighbor 172.16.0.254 activate<BR />network 192.168.44.0<BR />network 192.168.100.0 mask 255.255.255.252<BR />no auto-summary<BR />no synchronization<BR />exit-address-family</P><P>BGP on both sides</P><P>&nbsp;</P> Sun, 07 May 2023 16:38:59 GMT machine23 2023-05-07T16:38:59Z https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830067#M1100232 <P>Hi All ,&nbsp;</P><P>Have been at it for a long time&nbsp; ! The connection wont establish <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P><P>Attched is the config applied on the ASA which is generated on Azure*</P><P>Configuration of the ASA -:</P><P>Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)<BR />:<BR />ASA Version 9.16(3)23<BR />!<BR />hostname<BR />domain-name **********</P><P>interface GigabitEthernet1/1<BR />nameif Inside<BR />security-level 100<BR />ip address 192.168.44.1 255.255.254.0<BR />!</P><P>!<BR />interface GigabitEthernet1/8.792<BR />vlan 792<BR />nameif Outside<BR />security-level 0<BR />ip address 184.55.56.44 255.255.255.224<BR />!</P><P>interface BVI1<BR />no nameif<BR />no security-level<BR />no ip address<BR />!<BR />interface Tunnel1<BR />nameif AZURE<BR />ip address 192.168.100.1 255.255.255.252<BR />tunnel source interface Outside<BR />tunnel destination 51.142.82.44<BR />tunnel mode ipsec ipv4<BR />tunnel protection ipsec profile AZURE-PROPOSAL<BR />!</P><P><BR />route Outside 0.0.0.0 0.0.0.0 x.x.x.23 1<BR />route LINK 10.20.20.0 255.255.252.0 1.1.1.2 1<BR />route Outside AZURE-PUBLIC IP 255.255.255.255 x.x.x.23 1<BR />route AZURE 172.16.0.254 255.255.255.255 192.168.100.2</P><P>&nbsp;</P><P><BR />group-policy AZURE-PUBLIC IP internal<BR />group-policy AZURE-PUBLIC IP attributes<BR />vpn-tunnel-protocol ikev2</P><P>group-policy AZURE internal<BR />group-policy AZURE attributes<BR />vpn-tunnel-protocol ikev2</P><P><BR />tunnel-group AZURE-PUBLIC IP type ipsec-l2l<BR />tunnel-group AZURE-PUBLIC IP general-attributes<BR />default-group-policy AZURE-PUBLIC IP<BR />tunnel-group AZURE-PUBLIC IP ipsec-attributes<BR />isakmp keepalive disable<BR />ikev2 remote-authentication pre-shared-key *****<BR />ikev2 local-authentication pre-shared-key *****<BR />no tunnel-group-map enable peer-ip<BR />tunnel-group-map default-group AZURE-PUBLIC IP<BR />!<BR />class-map inspection_default<BR />match default-inspection-traffic</P><P>On Azure Local Network Gateway -</P><P>- BGP Enabled&nbsp;</P><P>-Uses Default IPsec/Ike policy</P><P>&nbsp;</P><P>If anyones got any pointers please let me know&nbsp;</P><P>&nbsp;</P><P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><DIV class=""><BR /><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV><DIV class=""><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV> Sun, 07 May 2023 16:06:33 GMT https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830067#M1100232 machine23 2023-05-07T16:06:33Z https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830088#M1100233 <P>I dont get it one side use bgp and other not ?</P> Sun, 07 May 2023 16:17:18 GMT https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830088#M1100233 MHM Cisco World 2023-05-07T16:17:18Z https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830094#M1100234 <P>Sorry i must have deleted the bgp config when i posted it here :</P><P>router bgp 65000<BR />bgp log-neighbor-changes<BR />bgp graceful-restart<BR />address-family ipv4 unicast<BR />neighbor 172.16.0.254 remote-as 65515<BR />neighbor 172.16.0.254 ebgp-multihop 255<BR />neighbor 172.16.0.254 activate<BR />network 192.168.44.0<BR />network 192.168.100.0 mask 255.255.255.252<BR />no auto-summary<BR />no synchronization<BR />exit-address-family</P><P>BGP on both sides</P><P>&nbsp;</P> Sun, 07 May 2023 16:38:59 GMT https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830094#M1100234 machine23 2023-05-07T16:38:59Z https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830098#M1100235 <P>So you run bgp over vti? If yes then why you don't use vti ip as neighbor??&nbsp;</P> Sun, 07 May 2023 16:51:24 GMT https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4830098#M1100235 MHM Cisco World 2023-05-07T16:51:24Z https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4831531#M1100268 <P>Hi the issue was the following&nbsp;</P><P>1 - the azure generated configuration had some errors on the networks for the bgp&nbsp;</P><P>2- my Asa does not support DH 2 as it’s insecure , so created a custom policy on azure side and connection is up !</P><P>thanks Cisco world for trying to solve.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 09 May 2023 07:26:32 GMT https://community.cisco.com/t5/network-security/asa-9-16-to-azure-s2s-using-ikv2-vti-bgp-not-working/m-p/4831531#M1100268 machine23 2023-05-09T07:26:32Z