IPsec SA can only be initiated from 1 side

Eric Snijders
Level 1

Hi All,

I just created an IKEv1 IPsec S2S tunnel, but for some reason the IPsec SA only comes up if I initiate traffic from our (Cisco ASA) side. The other side is Microsoft Azure.

LSPASAAMS203# show run crypto ikev1
crypto ikev1 enable Internet
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

LSPASAAMS203# show run crypto ipsec
crypto ipsec ikev1 transform-set AZURE-TRANSFORM esp-aes-256 esp-sha-hmac

LSPASAAMS203# show run crypto map
crypto map Internet_map 1 match address ACL-AZURE-VPN
crypto map Internet_map 1 set peer <AZURE_WAN>
crypto map Internet_map 1 set ikev1 transform-set AZURE-TRANSFORM
crypto map Internet_map 1 set reverse-route
crypto map Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internet_map interface Internet

LSPASAAMS203# show run access-list ACL-AZURE-VPN
access-list ACL-AZURE-VPN extended permit ip object-group GSA-MGMT object-group AZURE-MGMT-NETWORKS
access-list ACL-AZURE-VPN extended permit ip 192.168.252.0 255.255.255.128 object-group AZURE-MGMT-NETWORKS
access-list ACL-AZURE-VPN extended permit ip object-group LSP_DNS_Servers object-group AZURE-PROD-NETWORKS
access-list ACL-AZURE-VPN extended permit ip object-group LSP_LDAP_Servers_Test object-group AZURE-PROD-NETWORKS

Also, the IPsec SA disconnects pretty fast (my feeling says 10-15 minutes). I don't really know where I can find this setting, any clue?

2 Replies

Ajay Saini
Level 7

Hello,

Azure is always the responder by design. The initiator is always on the ASA side, so that is the design part.

Couple of things you can do to start with: make this tunnel policy-based instead of route-based; this is covered under the following link where I posted a reply:

https://community.cisco.com/t5/firewalls/cisco-asa-9-9-ikev2-to-microsoft-azure/m-p/3694890

Secondly, try to configure the setting on the ASA side to ensure the tunnel is always up:

https://community.cisco.com/t5/vpn-and-anyconnect/keep-site-to-site-vpn-tunnel-active-for-monitoring/td-p/2098123

HTH
AJ
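The two practical points raised in this thread, where the IPsec SA lifetime is set on the ASA and how to keep the tunnel up from the ASA side, can be addressed on the configuration shown in the original post. The block below is an added example, not configuration from this thread or from Cisco; it reuses the crypto map name and sequence from the original post, and the inside interface name "inside", the SLA entry number 10 and the Azure host 10.10.0.4 are assumptions (placeholders).

```text
! Added example, not from the thread. Assumes an inside interface named
! "inside" and an Azure host 10.10.0.4 (placeholder) that answers ICMP and
! falls inside the AZURE-MGMT-NETWORKS object group.

! 1. IPsec (phase 2) SA lifetime. The global value applies to every crypto
!    map entry that does not set its own; the per-entry value overrides it.
!    The lifetime is negotiated with the peer, so check the Azure policy too.
crypto ipsec security-association lifetime seconds 28800
crypto map Internet_map 1 set security-association lifetime seconds 3600

! 2. Keep the tunnel up from the ASA side with an IP SLA echo probe.
!    The probe is sourced from the inside interface address, so that address
!    must be covered by ACL-AZURE-VPN (for example via object-group GSA-MGMT),
!    otherwise the pings are not classified as interesting traffic.
sla monitor 10
 type echo protocol ipIcmpEcho 10.10.0.4 interface inside
 frequency 30
sla monitor schedule 10 life forever start-time now

! Verification (exec mode): the SA should stay up without user traffic and
! the probe should report successes.
! show crypto ipsec sa peer <AZURE_WAN>
! show sla monitor operational-state 10
```

If the probe target is not reachable through the tunnel (for example because ICMP is blocked on the Azure side), the SLA entry reports failures but the tunnel will still be brought up by the probe traffic matching the crypto ACL.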

Hi,

The reason is that Azure uses wider proxy-IDs for the subnets to be encrypted (they use route-based, i.e. VTI, which makes the proxy ID 0.0.0.0/0). This makes your side always the initiator to get the tunnel up.

A suggestion is to look for an alternative to establish the VPN on the Azure side (CSR or ASAv) instead of the Azure connector. Soon you will find it not scalable and not easy to deal with, especially if you are running VPNs to multiple sites.