Cisco ASA 9.9 IKEv2 to Microsoft Azure

Eric Snijders
Level 1

Hi all,

 

I followed exactly this article: https://docs.microsoft.com/nl-nl/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa but my tunnel is not working.

 

It seems as if the problem is at Phase 1 already, but I can't find the problem.

 

Here is the output of "debug crypto ikev2 platform 250":

CONNECTION STATUS: DOWN... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: (236): IKEv2 session deregistered from session manager. Reason: 19
IKEv2-PLAT-4: (236): session manager killed ikev2 tunnel. Reason: Peer Reconnected
IKEv2-PLAT-4: (236): Deleted associated IKE flow: Internet, 194.X.X.X:62465 <-> 104.X.X.X:62465
IKEv2-PLAT-4: (236): PSH cleanup
IKEv2-PLAT-7: Active ike sa request deleted
IKEv2-PLAT-7: Decrement count for incoming active
IKEv2-PLAT-4: (322): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (322): SENT PKT [IKE_AUTH] [194.X.X.X]:500->[104.X.X.X]:500 InitSPI=0x20618498d56bf500 RespSPI=0xe0a361abf2ea3f39 MID=00000001
IKEv2-PLAT-7: New ikev2 sa request activated
IKEv2-PLAT-7: Decrement count for incoming negotiating
IKEv2-PLAT-4:
CONNECTION STATUS: UP... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: (322): connection auth hdl set to 1834
IKEv2-PLAT-4: (322): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PLAT-4: (322): idle timeout set to: 30
IKEv2-PLAT-4: (322): session timeout set to: 0
IKEv2-PLAT-4: (322): group policy set to DfltGrpPolicy
IKEv2-PLAT-4: (322): class attr set
IKEv2-PLAT-4: (322): tunnel protocol set to: 0x5c
IKEv2-PLAT-4: (322): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (322): group lock set to: none
IKEv2-PLAT-4: (322): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (322): connection attributes set valid to TRUE
IKEv2-PLAT-4: (322): Successfully retrieved conn attrs
IKEv2-PLAT-4: (322): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (322): connection auth hdl set to -1
IKEv2-PLAT-4:
CONNECTION STATUS: REGISTERED... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: mib_index set to: 501
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.X.X.X]:63220->[194.X.X.X]:4500 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000047
IKEv2-PLAT-4: (84): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (84): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (84): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.X.X.X]:63220 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000047
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.105.58.240]:54109->[194.X.X.X]:4500 InitSPI=0x0d0808d78596ff96 RespSPI=0x6867d1943f56f4cc MID=0000002a
IKEv2-PLAT-4: (328): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (328): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (328): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.105.58.240]:54109 InitSPI=0x0d0808d78596ff96 RespSPI=0x6867d1943f56f4cc MID=0000002a
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.X.X.X]:63220->[194.X.X.X]:4500 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000048
IKEv2-PLAT-4: (84): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (84): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (84): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.X.X.X]:63220 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000048
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.105.58.240]:54109->[194.X.X.X]:4500 InitSPI=0x0d0808d78596ff96 RespSPI=0x6867d1943f56f4cc MID=0000002b
IKEv2-PLAT-4: (328): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (328): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (328): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.105.58.240]:54109 InitSPI=0x0d0808d78596ff96 RespSPI=0x6867d1943f56f4cc MID=0000002b
IKEv2-PLAT-5: RECV PKT [IKE_SA_INIT] [104.X.X.X]:500->[194.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x0000000000000000 MID=00000000
IKEv2-PLAT-4: Process custom VID payloads
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing incoming negotiating sa count by one
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: (323): my auth method set to: 0
Adding trusted issuer hash to send. Hash:
     17 9a 00 9b e8 c9 e7 a4 07 6a 47 f4 ef ef 30 fb
     45 c3 78 09
Adding trusted issuer hash to send. Hash:
     6d b7 b6 82 b6 65 ca 12 51 8e 64 69 c5 b0 5a 0e
     b2 4b 8b b7
Adding trusted issuer hash to send. Hash:
     75 b1 bc dd db be 95 b8 7a 80 9c b6 99 a1 44 d2
     1b 74 eb 3d
Adding trusted issuer hash to send. Hash:
     4d d6 7b 34 4a 29 43 5c dc 6e bd ef c0 e4 e1 a3
     77 2a ec a0
IKEv2-PLAT-5: (323): SENT PKT [IKE_SA_INIT] [194.X.X.X]:500->[104.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x31395cf3cf8433b8 MID=00000000
IKEv2-PLAT-5: RECV PKT [IKE_AUTH] [104.X.X.X]:500->[194.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x31395cf3cf8433b8 MID=00000001
IKEv2-PLAT-4: (323): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (323): peer auth method set to: 2
IKEv2-PLAT-4: (323): Site to Site connection detected
IKEv2-PLAT-4: attempting to find tunnel group for ID: 104.X.X.X
IKEv2-PLAT-4: mapped to tunnel group 104.X.X.X using phase 1 ID
IKEv2-PLAT-4: tg_name set to: 104.X.X.X
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-4: (323): my auth method set to: 2
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: (323): P1 ID = 255
IKEv2-PLAT-4: (323): Completed authentication for connection
IKEv2-PLAT-4: Build config mode reply: no request stored
IKEv2-PLAT-4: checking access status for src=0.0.0.0 dst 0.0.0.0 s_port = 0 d_port = 0, proto = 0
IKEv2-PLAT-4: (323): Crypto Map: No proxy match on map AZURE-LSP-MAP seq 1
IKEv2-PLAT-4: (323): Crypto map: Skipping dynamic map Internet_dyn_map sequence 65535: cannot match peerless map when peer found in previous map entry.
IKEv2-PLAT-4:
CONNECTION STATUS: DOWN... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: (322): IKEv2 session deregistered from session manager. Reason: 19
IKEv2-PLAT-4: (322): session manager killed ikev2 tunnel. Reason: Peer Reconnected
IKEv2-PLAT-4: (322): Deleted associated IKE flow: Internet, 194.X.X.X:62465 <-> 104.X.X.X:62465
IKEv2-PLAT-4: (322): PSH cleanup
IKEv2-PLAT-7: Active ike sa request deleted
IKEv2-PLAT-7: Decrement count for incoming active
IKEv2-PLAT-4: (323): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (323): SENT PKT [IKE_AUTH] [194.X.X.X]:500->[104.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x31395cf3cf8433b8 MID=00000001
IKEv2-PLAT-7: New ikev2 sa request activated
IKEv2-PLAT-7: Decrement count for incoming negotiating
IKEv2-PLAT-4:
CONNECTION STATUS: UP... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: (323): connection auth hdl set to 1835
IKEv2-PLAT-4: (323): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PLAT-4: (323): idle timeout set to: 30
IKEv2-PLAT-4: (323): session timeout set to: 0
IKEv2-PLAT-4: (323): group policy set to DfltGrpPolicy
IKEv2-PLAT-4: (323): class attr set
IKEv2-PLAT-4: (323): tunnel protocol set to: 0x5c
IKEv2-PLAT-4: (323): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (323): group lock set to: none
IKEv2-PLAT-4: (323): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (323): connection attributes set valid to TRUE
IKEv2-PLAT-4: (323): Successfully retrieved conn attrs
IKEv2-PLAT-4: (323): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (323): connection auth hdl set to -1
IKEv2-PLAT-4:
CONNECTION STATUS: REGISTERED... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: mib_index set to: 501
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.X.X.X]:63220->[194.X.X.X]:4500 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000049
IKEv2-PLAT-4: (84): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (84): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (84): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.X.X.X]:63220 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000049
undebug all

I don't get these lines:

IKEv2-PLAT-4: checking access status for src=0.0.0.0 dst 0.0.0.0 s_port = 0 d_port = 0, proto = 0
IKEv2-PLAT-4: (323): Crypto Map: No proxy match on map AZURE-LSP-MAP seq 1

Why am I seeing "src=0.0.0.0" and "dst 0.0.0.0" there?

 

Does anyone have an idea how to solve this?

 

Please be aware that the IP starting with 84.x.x.x in this case is from AnyConnect; that's working fine. It's about the 104.x.x.x and 194.x.x.x addresses.

2 Replies

Rahul Govindan
VIP Alumni

In the MS document you linked, it is stated:

 

The sample configuration connects a Cisco ASA device to an Azure route-based VPN gateway. The connection uses a custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option, as described in this article.

The sample requires that ASA devices use the IKEv2 policy with access-list-based configurations, not VTI-based. Consult your VPN device vendor specifications to verify that the IKEv2 policy is supported on your on-premises VPN devices.

 

When you use route-based VPN, the crypto proxies are "any to any". With policy-based, the proxies are specific networks. Try setting your Azure setup as per this document:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

 

Another reference document is:

https://community.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3099317

 

Ajay Saini
Level 7

Hello,

 

Azure by default uses route-based VPN.

If on the ASA you are running policy-based VPN and not route-based (VTI-based), you can use PowerShell to configure policy-based VPN on Azure using the link below:

 

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps 

 

We had similar issues and got this sorted out by configuring the policy-based parameter on Azure using the PowerShell CLI.

 

One more thing: define an any-any ACL as the crypto ACL and use a VPN filter to filter the traffic instead of specifying multiple ACLs under the crypto map.

 

Regards,

 

AJ
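Added example, not from this thread or from Cisco or Microsoft: a small Python checker that walks ASA `debug crypto ikev2 platform 250` output, confirms that IKE_AUTH actually completed, and flags the `checking access status ... src=0.0.0.0 dst 0.0.0.0` line followed by `No proxy match on map`, which on the reading given in both replies means the Azure gateway offered route-based (any-to-any) traffic selectors that no crypto map ACL matched. The sample excerpt is constructed from the lines quoted in the question; the regexes and the `Diagnosis` class are assumptions of this example, not part of any ASA tool.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample shaped like the "debug crypto ikev2 platform 250" output in the question.
SAMPLE_DEBUG = """\
IKEv2-PLAT-5: RECV PKT [IKE_SA_INIT] [104.X.X.X]:500->[194.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x0000000000000000 MID=00000000
IKEv2-PLAT-5: RECV PKT [IKE_AUTH] [104.X.X.X]:500->[194.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x31395cf3cf8433b8 MID=00000001
IKEv2-PLAT-4: (323): Completed authentication for connection
IKEv2-PLAT-4: checking access status for src=0.0.0.0 dst 0.0.0.0 s_port = 0 d_port = 0, proto = 0
IKEv2-PLAT-4: (323): Crypto Map: No proxy match on map AZURE-LSP-MAP seq 1
CONNECTION STATUS: DOWN... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
"""

PKT = re.compile(r"(RECV|SENT) PKT \[(\w+)\]")
ACCESS = re.compile(r"checking access status for src=(\S+) dst (\S+) ")
NO_PROXY = re.compile(r"No proxy match on map (\S+) seq (\d+)")


@dataclass
class Diagnosis:
    exchanges: List[str] = field(default_factory=list)   # e.g. "RECV IKE_SA_INIT"
    phase1_complete: bool = False                        # IKE_AUTH finished on the ASA
    any_any_selector: bool = False                       # peer offered 0.0.0.0 <-> 0.0.0.0
    unmatched_maps: List[Tuple[str, int]] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.phase1_complete:
            return "phase 1 failed: IKE_SA_INIT/IKE_AUTH never completed"
        if self.unmatched_maps and self.any_any_selector:
            maps = ", ".join(f"{n} seq {s}" for n, s in self.unmatched_maps)
            return ("phase 1 OK; peer proposed any-to-any (route-based) traffic "
                    f"selectors but no crypto map ACL matched ({maps})")
        if self.unmatched_maps:
            return "phase 1 OK; peer's traffic selectors matched no crypto map ACL"
        return "no traffic-selector mismatch seen"


def diagnose(debug_text: str) -> Diagnosis:
    # Walk the debug lines in order and record where the negotiation got to.
    d = Diagnosis()
    for line in debug_text.splitlines():
        if m := PKT.search(line):
            d.exchanges.append(f"{m.group(1)} {m.group(2)}")
        elif "Completed authentication for connection" in line:
            d.phase1_complete = True
        elif m := ACCESS.search(line):
            d.any_any_selector = m.groups() == ("0.0.0.0", "0.0.0.0")
        elif m := NO_PROXY.search(line):
            d.unmatched_maps.append((m.group(1), int(m.group(2))))
    return d
```

Running `diagnose(SAMPLE_DEBUG).verdict` on the excerpt reports phase 1 as complete and points at the unmatched `AZURE-LSP-MAP seq 1` proxy, which is the phase 2 selector mismatch the replies describe rather than the phase 1 failure the question suspected.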
