Cisco ASA to Azure virtual network gateway VPN frequent connectivity drop outs

microensure
Level 1

We have an issue where we have set up a VPN between our on-prem network and our new Azure test environment.

We use a Cisco ASA 5512 on-prem and connect via policy-based VPN to Azure over the virtual network gateway. The connection comes up and we are able to ping, RDP, etc. to our VMs.

Every 30 - 60 seconds the connection drops out and we lose RDP; this can last anywhere from 1 second to several minutes.

Sometimes, even when the connection comes back up and we try to initiate a ping from the Azure VM back to an on-prem server, it does not work, but when we initiate the ping from on-prem to Azure, the ping starts working from the other direction.

I have checked the config, removed it and re-added it, but we are experiencing exactly the same thing.

To add some extra info, we have exactly the same setup to another Azure tenant and subscription from the same ASA and we do not get these dropouts.

Nothing obvious seems to be appearing in the logs. Any ideas/clues would be appreciated :)

2 Replies

Sheraz.Salim
VIP Alumni

If you are using IKEv1, then make sure your lifetimes are the same. Also, you have to make sure you are the initiator, and if possible set up a keepalive from your site. That means once the tunnel is up and running, from the server that is specified in the interesting traffic, set up/run a continuous ping to the other side.

Please do not forget to rate.

I don't believe you can set the lifetime on the inbuilt Azure VPN.

Funnily enough, when I looked at my logs this morning, I'm getting these errors:


5 Jul 22 2019 09:30:39 713120 Group = 51.140.227.217, IP = 51.140.227.217, PHASE 2 COMPLETED (msgid=558d3085)
6 Jul 22 2019 09:30:53 713905 Group = 51.140.227.217, IP = 51.140.227.217, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
3 Jul 22 2019 09:30:53 713061 Group = 51.140.227.217, IP = 51.140.227.217, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.0.0/0/0 local proxy 192.168.2.0/255.255.255.0/0/0 on interface outside
3 Jul 22 2019 09:30:53 713902 Group = 51.140.227.217, IP = 51.140.227.217, QM FSM error (P2 struct &0x00007fffded33c30, mess id 0x80000000)!
3 Jul 22 2019 09:30:53 713902 Group = 51.140.227.217, IP = 51.140.227.217, Removing peer from correlator table failed, no match!
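
Added example, not part of the original thread or of any Cisco tooling: message 713061 in the log above names the remote/local proxies (traffic selectors) the peer proposed that matched no crypto map entry, so this Python script pulls those pairs out of a log export and compares them with the crypto ACL. The `CRYPTO_ACL` pair is hypothetical (substitute your own), and the sample lines are constructed from the messages quoted in the post with the columns separated by spaces.

```python
import ipaddress
import re

# Constructed sample: two of the ASA messages quoted in the post.
SAMPLE_LOG = """\
5 Jul 22 2019 09:30:39 713120 Group = 51.140.227.217, IP = 51.140.227.217, PHASE 2 COMPLETED (msgid=558d3085)
3 Jul 22 2019 09:30:53 713061 Group = 51.140.227.217, IP = 51.140.227.217, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.0.0/0/0 local proxy 192.168.2.0/255.255.255.0/0/0 on interface outside
"""

# Hypothetical (local, remote) pairs standing in for the crypto map ACL;
# the thread does not show the real ACL.
CRYPTO_ACL = [("192.168.2.0/24", "172.16.1.0/24")]

REJECT_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), Rejecting IPSec tunnel: no matching crypto map entry "
    r"for remote proxy (?P<remote>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<local>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)


def rejected_proxies(log_text):
    """Return the set of (peer, local_net, remote_net) seen in 713061 rejections."""
    found = set()
    for m in REJECT_RE.finditer(log_text):
        local = ipaddress.ip_network(f"{m['local']}/{m['lmask']}")
        remote = ipaddress.ip_network(f"{m['remote']}/{m['rmask']}")
        found.add((m["peer"], local, remote))
    return found


def explain(local, remote, acl):
    """Classify one rejected proxy pair against the configured ACL pairs."""
    pairs = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in acl]
    if (local, remote) in pairs:
        return "exact match"
    for a_l, a_r in pairs:
        # Overlap without equality means one side is a wider or narrower prefix.
        if local.overlaps(a_l) and remote.overlaps(a_r):
            return f"overlaps ACL entry {a_l} -> {a_r} but is not identical"
    return "no ACL entry covers this pair"


if __name__ == "__main__":
    for peer, local, remote in sorted(rejected_proxies(SAMPLE_LOG), key=str):
        print(f"{peer}: local {local} remote {remote}: {explain(local, remote, CRYPTO_ACL)}")
```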