08-25-2018 02:52 AM - edited 02-21-2020 08:09 AM
Hi all,
I followed this article exactly: https://docs.microsoft.com/nl-nl/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa but my tunnel is not working.
It seems as if the problem is already at Phase 1, but I can't find it.
Here is the output of "debug crypto ikev2 platform 250":
CONNECTION STATUS: DOWN... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: (236): IKEv2 session deregistered from session manager. Reason: 19
IKEv2-PLAT-4: (236): session manager killed ikev2 tunnel. Reason: Peer Reconnected
IKEv2-PLAT-4: (236): Deleted associated IKE flow: Internet, 194.X.X.X:62465 <-> 104.X.X.X:62465
IKEv2-PLAT-4: (236): PSH cleanup
IKEv2-PLAT-7: Active ike sa request deleted
IKEv2-PLAT-7: Decrement count for incoming active
IKEv2-PLAT-4: (322): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (322): SENT PKT [IKE_AUTH] [194.X.X.X]:500->[104.X.X.X]:500 InitSPI=0x20618498d56bf500 RespSPI=0xe0a361abf2ea3f39 MID=00000001
IKEv2-PLAT-7: New ikev2 sa request activated
IKEv2-PLAT-7: Decrement count for incoming negotiating
IKEv2-PLAT-4: CONNECTION STATUS: UP... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: (322): connection auth hdl set to 1834
IKEv2-PLAT-4: (322): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PLAT-4: (322): idle timeout set to: 30
IKEv2-PLAT-4: (322): session timeout set to: 0
IKEv2-PLAT-4: (322): group policy set to DfltGrpPolicy
IKEv2-PLAT-4: (322): class attr set
IKEv2-PLAT-4: (322): tunnel protocol set to: 0x5c
IKEv2-PLAT-4: (322): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (322): group lock set to: none
IKEv2-PLAT-4: (322): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (322): connection attributes set valid to TRUE
IKEv2-PLAT-4: (322): Successfully retrieved conn attrs
IKEv2-PLAT-4: (322): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (322): connection auth hdl set to -1
IKEv2-PLAT-4: CONNECTION STATUS: REGISTERED... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: mib_index set to: 501
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.X.X.X]:63220->[194.X.X.X]:4500 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000047
IKEv2-PLAT-4: (84): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (84): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (84): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.X.X.X]:63220 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000047
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.105.58.240]:54109->[194.X.X.X]:4500 InitSPI=0x0d0808d78596ff96 RespSPI=0x6867d1943f56f4cc MID=0000002a
IKEv2-PLAT-4: (328): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (328): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (328): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.105.58.240]:54109 InitSPI=0x0d0808d78596ff96 RespSPI=0x6867d1943f56f4cc MID=0000002a
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.X.X.X]:63220->[194.X.X.X]:4500 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000048
IKEv2-PLAT-4: (84): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (84): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (84): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.X.X.X]:63220 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000048
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.105.58.240]:54109->[194.X.X.X]:4500 InitSPI=0x0d0808d78596ff96 RespSPI=0x6867d1943f56f4cc MID=0000002b
IKEv2-PLAT-4: (328): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (328): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (328): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.105.58.240]:54109 InitSPI=0x0d0808d78596ff96 RespSPI=0x6867d1943f56f4cc MID=0000002b
IKEv2-PLAT-5: RECV PKT [IKE_SA_INIT] [104.X.X.X]:500->[194.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x0000000000000000 MID=00000000
IKEv2-PLAT-4: Process custom VID payloads
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing incoming negotiating sa count by one
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: (323): my auth method set to: 0
Adding trusted issuer hash to send. Hash: 17 9a 00 9b e8 c9 e7 a4 07 6a 47 f4 ef ef 30 fb 45 c3 78 09
Adding trusted issuer hash to send. Hash: 6d b7 b6 82 b6 65 ca 12 51 8e 64 69 c5 b0 5a 0e b2 4b 8b b7
Adding trusted issuer hash to send. Hash: 75 b1 bc dd db be 95 b8 7a 80 9c b6 99 a1 44 d2 1b 74 eb 3d
Adding trusted issuer hash to send. Hash: 4d d6 7b 34 4a 29 43 5c dc 6e bd ef c0 e4 e1 a3 77 2a ec a0
IKEv2-PLAT-5: (323): SENT PKT [IKE_SA_INIT] [194.X.X.X]:500->[104.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x31395cf3cf8433b8 MID=00000000
IKEv2-PLAT-5: RECV PKT [IKE_AUTH] [104.X.X.X]:500->[194.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x31395cf3cf8433b8 MID=00000001
IKEv2-PLAT-4: (323): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (323): peer auth method set to: 2
IKEv2-PLAT-4: (323): Site to Site connection detected
IKEv2-PLAT-4: attempting to find tunnel group for ID: 104.X.X.X
IKEv2-PLAT-4: mapped to tunnel group 104.X.X.X using phase 1 ID
IKEv2-PLAT-4: tg_name set to: 104.X.X.X
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-4: (323): my auth method set to: 2
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: (323): P1 ID = 255
IKEv2-PLAT-4: (323): Completed authentication for connection
IKEv2-PLAT-4: Build config mode reply: no request stored
IKEv2-PLAT-4: checking access status for src=0.0.0.0 dst 0.0.0.0 s_port = 0 d_port = 0, proto = 0
IKEv2-PLAT-4: (323): Crypto Map: No proxy match on map AZURE-LSP-MAP seq 1
IKEv2-PLAT-4: (323): Crypto map: Skipping dynamic map Internet_dyn_map sequence 65535: cannot match peerless map when peer found in previous map entry.
IKEv2-PLAT-4: CONNECTION STATUS: DOWN... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: (322): IKEv2 session deregistered from session manager. Reason: 19
IKEv2-PLAT-4: (322): session manager killed ikev2 tunnel. Reason: Peer Reconnected
IKEv2-PLAT-4: (322): Deleted associated IKE flow: Internet, 194.X.X.X:62465 <-> 104.X.X.X:62465
IKEv2-PLAT-4: (322): PSH cleanup
IKEv2-PLAT-7: Active ike sa request deleted
IKEv2-PLAT-7: Decrement count for incoming active
IKEv2-PLAT-4: (323): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (323): SENT PKT [IKE_AUTH] [194.X.X.X]:500->[104.X.X.X]:500 InitSPI=0x4be6e27668dd7dbc RespSPI=0x31395cf3cf8433b8 MID=00000001
IKEv2-PLAT-7: New ikev2 sa request activated
IKEv2-PLAT-7: Decrement count for incoming negotiating
IKEv2-PLAT-4: CONNECTION STATUS: UP... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: (323): connection auth hdl set to 1835
IKEv2-PLAT-4: (323): AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PLAT-4: (323): idle timeout set to: 30
IKEv2-PLAT-4: (323): session timeout set to: 0
IKEv2-PLAT-4: (323): group policy set to DfltGrpPolicy
IKEv2-PLAT-4: (323): class attr set
IKEv2-PLAT-4: (323): tunnel protocol set to: 0x5c
IKEv2-PLAT-4: (323): IPv4 filter ID not configured for connection
IKEv2-PLAT-4: (323): group lock set to: none
IKEv2-PLAT-4: (323): IPv6 filter ID not configured for connection
IKEv2-PLAT-4: (323): connection attributes set valid to TRUE
IKEv2-PLAT-4: (323): Successfully retrieved conn attrs
IKEv2-PLAT-4: (323): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-4: (323): connection auth hdl set to -1
IKEv2-PLAT-4: CONNECTION STATUS: REGISTERED... peer: 104.X.X.X:500, phase1_id: 104.X.X.X
IKEv2-PLAT-4: mib_index set to: 501
IKEv2-PLAT-5: RECV PKT [INFORMATIONAL] [84.X.X.X]:63220->[194.X.X.X]:4500 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000049
IKEv2-PLAT-4: (84): Decrypt success status returned via ipc 1
IKEv2-PLAT-4: (84): Encrypt success status returned via ipc 1
IKEv2-PLAT-5: (84): SENT PKT [INFORMATIONAL] [194.X.X.X]:4500->[84.X.X.X]:63220 InitSPI=0x39926fd98abbec5d RespSPI=0x8bb5192cb4642889 MID=00000049
undebug all
I don't get these lines:
IKEv2-PLAT-4: checking access status for src=0.0.0.0 dst 0.0.0.0 s_port = 0 d_port = 0, proto = 0
IKEv2-PLAT-4: (323): Crypto Map: No proxy match on map AZURE-LSP-MAP seq 1
Why am I seeing "src=0.0.0.0" and "dst 0.0.0.0" there?
Does anyone have an idea how to solve this?
Please be aware that the IP starting with 84.x.x.x in this case is from AnyConnect, which is working fine. It's about the 104.x.x.x address and the 194.x.x.x address.
08-25-2018 08:24 AM
In the MS document you linked, it is stated:
The sample configuration connects a Cisco ASA device to an Azure route-based VPN gateway. The connection uses a custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option, as described in this article.
The sample requires that ASA devices use the IKEv2 policy with access-list-based configurations, not VTI-based. Consult your VPN device vendor specifications to verify that the IKEv2 policy is supported on your on-premises VPN devices.
When you use a route-based VPN, the crypto proxies are "any to any". With policy-based, the proxies are specific networks. Try setting up your Azure side as per this document:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
Another reference document is:
08-26-2018 12:20 AM
Hello,
Azure by default uses a route-based VPN.
If on the ASA you are running a policy-based VPN and not a route-based (VTI-based) one, you can use PowerShell to configure a policy-based VPN on Azure by following the link below:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
We had similar issues and got this sorted out by configuring the policy-based parameter on Azure using the PowerShell CLI.
One more thing: define an any/any ACL as the crypto ACL and use a VPN filter to filter the traffic instead of specifying multiple ACLs under the crypto map.
Regards,
AJ
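Added example, not code from the thread or from Cisco/Microsoft: a simplified model of how the ASA responder matches the peer's proposed traffic selectors (the "proxy") against a crypto ACL, covering both the any-to-any versus specific-networks point in the first reply and AJ's any/any crypto ACL advice. It assumes a crypto ACL entry matches only when it fully covers both proposed networks, that src=0.0.0.0 in the debug line means the wildcard 0.0.0.0/0, and uses constructed networks; it is not the ASA's actual matching code.

```python
"""Simplified model of IKEv2 proxy (traffic-selector) matching against an ASA crypto ACL.
Assumption: an ACL entry matches only when it fully covers both proposed networks.
Real ASA matching has more cases; this only illustrates the route-based vs policy-based mismatch."""
import ipaddress
import re
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
AclEntry = Tuple[Net, Net]            # (local, remote) as in "permit ip LOCAL REMOTE"
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr)


def parse_access_check(line: str) -> Optional[Tuple[Net, Net]]:
    """Pull src/dst out of an ASA 'checking access status' debug line.
    0.0.0.0 is treated as the wildcard selector 0.0.0.0/0 (assumption)."""
    m = re.search(r"checking access status for src=(\S+) dst (\S+)", line)
    if not m:
        return None
    return tuple(ANY if ip == "0.0.0.0" else net(ip + "/32") for ip in m.groups())


def proxy_match(acl: List[AclEntry], proposed_local: Net, proposed_remote: Net) -> Optional[int]:
    """Return the 1-based crypto ACL sequence that covers the proposal, or None
    (the 'No proxy match on map ... seq N' outcome seen in the debug)."""
    for seq, (local, remote) in enumerate(acl, start=1):
        if proposed_local.subnet_of(local) and proposed_remote.subnet_of(remote):
            return seq
    return None


# Constructed sample: the same debug line the original post asks about.
SAMPLE_LINE = ("IKEv2-PLAT-4: checking access status for src=0.0.0.0 dst 0.0.0.0 "
               "s_port = 0 d_port = 0, proto = 0")


def scenarios() -> dict:
    """Peer type vs ASA crypto ACL combinations (all networks are constructed)."""
    specific_acl = [(net("10.1.0.0/24"), net("10.2.0.0/16"))]   # policy-based style crypto ACL
    any_any_acl = [(ANY, ANY)]                                  # the any/any crypto ACL AJ suggests
    src, dst = parse_access_check(SAMPLE_LINE)                  # route-based Azure gateway: any to any
    return {
        # Route-based peer proposes 0.0.0.0/0 <-> 0.0.0.0/0; a specific ACL cannot cover it.
        "route_based_peer_specific_acl": proxy_match(specific_acl, src, dst),
        # Same proposal against any/any: matches seq 1 (then restrict traffic with a vpn-filter).
        "route_based_peer_any_any_acl": proxy_match(any_any_acl, src, dst),
        # Azure with UsePolicyBasedTrafficSelectors proposes the specific networks: matches seq 1.
        "policy_based_peer_specific_acl": proxy_match(specific_acl, net("10.1.0.0/24"), net("10.2.0.0/16")),
    }
```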