ASA (9.16) to Azure S2S (using IKEv2+VTI+BGP) not working

machine23
Level 1

Hi all,

Have been at it for a long time! The connection won't establish.

Attached is the config applied on the ASA, which was generated on Azure*

Configuration of the ASA:

Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.16(3)23
!
hostname
domain-name **********

interface GigabitEthernet1/1
nameif Inside
security-level 100
ip address 192.168.44.1 255.255.254.0
!

!
interface GigabitEthernet1/8.792
vlan 792
nameif Outside
security-level 0
ip address 184.55.56.44 255.255.255.224
!

interface BVI1
no nameif
no security-level
no ip address
!
interface Tunnel1
nameif AZURE
ip address 192.168.100.1 255.255.255.252
tunnel source interface Outside
tunnel destination 51.142.82.44
tunnel mode ipsec ipv4
tunnel protection ipsec profile AZURE-PROPOSAL
!


route Outside 0.0.0.0 0.0.0.0 x.x.x.23 1
route LINK 10.20.20.0 255.255.252.0 1.1.1.2 1
route Outside AZURE-PUBLIC IP 255.255.255.255 x.x.x.23 1
route AZURE 172.16.0.254 255.255.255.255 192.168.100.2

 


group-policy AZURE-PUBLIC IP internal
group-policy AZURE-PUBLIC IP attributes
vpn-tunnel-protocol ikev2

group-policy AZURE internal
group-policy AZURE attributes
vpn-tunnel-protocol ikev2


tunnel-group AZURE-PUBLIC IP type ipsec-l2l
tunnel-group AZURE-PUBLIC IP general-attributes
default-group-policy AZURE-PUBLIC IP
tunnel-group AZURE-PUBLIC IP ipsec-attributes
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable peer-ip
tunnel-group-map default-group AZURE-PUBLIC IP
!
class-map inspection_default
match default-inspection-traffic

On Azure Local Network Gateway:

- BGP enabled

- Uses default IPsec/IKE policy

If anyone's got any pointers, please let me know.

Thanks


 
 
4 Replies

I don't get it, one side uses BGP and the other not?

Sorry, I must have deleted the BGP config when I posted it here:

router bgp 65000
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
neighbor 172.16.0.254 remote-as 65515
neighbor 172.16.0.254 ebgp-multihop 255
neighbor 172.16.0.254 activate
network 192.168.44.0
network 192.168.100.0 mask 255.255.255.252
no auto-summary
no synchronization
exit-address-family

BGP on both sides

So you run BGP over VTI? If yes, then why don't you use the VTI IP as the neighbor?

Hi, the issue was the following:

1 - The Azure-generated configuration had some errors in the networks for the BGP.

2 - My ASA does not support DH 2 as it's insecure, so I created a custom policy on the Azure side and the connection is up!

Thanks Cisco world for trying to solve it.
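The second cause above is a phase-1 proposal mismatch: an IKEv2 SA only forms if one of the proposals the initiator offers is accepted in full (encryption, integrity and DH group) by the responder's policy, and the posted ASA excerpt does not include the `crypto ikev2 policy` it actually ran. The example below is added here and is not the poster's configuration or anything Azure or Cisco ships. It parses a constructed ASA `crypto ikev2 policy` block into the Azure IPsec/IKE policy vocabulary, then checks which proposal (if any) Azure's default initiator set and a custom DH group 14 policy would match. The ASA policy text, the keyword mapping, and the list of proposals attributed to Azure's default policy are all assumptions for illustration; check the current Azure and ASA documentation for the authoritative lists.

```python
"""IKEv2 phase-1 proposal matching: why a DH group 2 default policy
fails against an ASA policy that only offers groups 14/19/20."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Constructed example of an ASA IKEv2 policy (not the poster's config).
# It offers no DH group 2, matching what the thread reports for 9.16(3).
ASA_IKEV2_POLICY_TEXT = """\
crypto ikev2 policy 10
 encryption aes-256 aes
 integrity sha256 sha
 group 14 19 20
 prf sha256
 lifetime seconds 28800
"""

# Assumed mapping from ASA keywords to the names used in Azure IPsec/IKE policies.
ASA_ENC = {"aes-256": "AES256", "aes-192": "AES192", "aes": "AES128",
           "3des": "DES3", "des": "DES"}
ASA_INTEG = {"sha384": "SHA384", "sha256": "SHA256", "sha": "SHA1", "md5": "MD5"}
ASA_GROUP = {"1": "DHGroup1", "2": "DHGroup2", "5": "DHGroup5", "14": "DHGroup14",
             "19": "ECP256", "20": "ECP384", "21": "ECP521", "24": "DHGroup24"}


@dataclass(frozen=True)
class Proposal:
    """One complete phase-1 proposal as an initiator would send it."""
    encryption: str
    integrity: str
    dh_group: str


@dataclass
class AsaPolicy:
    """Set of transforms an ASA policy accepts, in Azure vocabulary."""
    encryption: set[str] = field(default_factory=set)
    integrity: set[str] = field(default_factory=set)
    dh_groups: set[str] = field(default_factory=set)


def parse_asa_ikev2_policy(text: str) -> AsaPolicy:
    """Parse the encryption/integrity/group lines of a crypto ikev2 policy block."""
    policy = AsaPolicy()
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        keyword, args = parts[0], parts[1:]
        if keyword == "encryption":
            policy.encryption |= {ASA_ENC.get(a, a.upper()) for a in args}
        elif keyword == "integrity":
            policy.integrity |= {ASA_INTEG.get(a, a.upper()) for a in args}
        elif keyword == "group":
            policy.dh_groups |= {ASA_GROUP.get(a, "DHGroup" + a) for a in args}
    return policy


def first_match(proposals: Iterable[Proposal], policy: AsaPolicy) -> Proposal | None:
    """Return the first proposal the responder policy accepts in full, else None."""
    for p in proposals:
        if (p.encryption in policy.encryption
                and p.integrity in policy.integrity
                and p.dh_group in policy.dh_groups):
            return p
    return None


def unsupported_dh_groups(proposals: Iterable[Proposal], policy: AsaPolicy) -> set[str]:
    """DH groups the initiator offers that the responder policy does not accept."""
    return {p.dh_group for p in proposals} - policy.dh_groups


# Assumed approximation of what the Azure gateway offers when it initiates
# with its default policy: every proposal carries DHGroup2 (constructed list).
AZURE_DEFAULT_INITIATOR = [
    Proposal("AES256", "SHA1", "DHGroup2"),
    Proposal("AES256", "SHA256", "DHGroup2"),
    Proposal("AES128", "SHA1", "DHGroup2"),
    Proposal("AES128", "SHA256", "DHGroup2"),
    Proposal("DES3", "SHA1", "DHGroup2"),
]

# A custom Azure policy pinned to one strong proposal (constructed).
AZURE_CUSTOM_POLICY = [Proposal("AES256", "SHA256", "DHGroup14")]


if __name__ == "__main__":
    asa = parse_asa_ikev2_policy(ASA_IKEV2_POLICY_TEXT)
    print("ASA accepts:", asa)
    print("default policy match:", first_match(AZURE_DEFAULT_INITIATOR, asa))
    print("groups Azure offers that the ASA rejects:",
          unsupported_dh_groups(AZURE_DEFAULT_INITIATOR, asa))
    print("custom policy match:", first_match(AZURE_CUSTOM_POLICY, asa))
```

With the default list every proposal depends on DHGroup2, so `first_match` returns `None` and the SA never forms, whatever the ciphers are; the custom policy matches on the first proposal. On the Azure side the equivalent fix is attaching a custom policy to the connection (for example with `az network vpn-connection ipsec-policy add`, setting `--dh-group DHGroup14` and a matching `--pfs-group`), and on the ASA `show crypto ikev2 sa` confirms the phase-1 SA once the proposals line up.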
