03-02-2016 12:19 PM - edited 03-05-2019 03:28 AM
At the office we have the following setup:
MD-Office LAN- 172.28.0.0/22 - MD-Inside interface - Security level 100
MD-Office-Prod VLAN - 172.28.4.0/24 - MD-Inside-Prod virtual interface - Security level 100
"Enable traffic between interfaces with same security levels" is selected
In Microsoft Azure, we have a virtual network setup with a VPN gateway:
AX-Network - 172.28.100.0/22
Azure virtual machine - 172.28.100.4
We set up a site-to-site VPN from the office to Azure, and it connects successfully:
MD-Office-Networks group (contains both office and office-prod) to AX-Network
The problem is that we cannot communicate with the Azure network from both the Office and Office-prod simultaneously. It seems like it's one or the other. From a VLAN computer I start ping 172.28.100.4 -n 100, and it's working. Then, while that's running, I go to a second computer, not on the VLAN, and start the same ping 172.28.100.4 -n 100. When I do this, the first one starts timing out and the second one is working. When this happens, in ASDM > Monitoring > VPN > Details for the VPN, I can see the IPSec local address switching from 172.28.4.0 to 172.28.0.0 back and forth.
03-02-2016 11:56 PM
Try making your local encryption domain 172.28.0.0/21 (which covers both networks). It sounds like Azure doesn't support multiple SAs.
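As an added example (not from this thread and not an ASA or Azure feature), a small Python check of the summarization the answer recommends: it computes the smallest single prefix covering a list of local networks, reports how many addresses beyond the real subnets that summary pulls into the encryption domain, and confirms the summary does not overlap the remote side. The addresses are the ones from the thread; the function names are mine.

```python
import ipaddress


def covering_supernet(networks):
    """Return the smallest single prefix that contains every network in `networks`.

    With a peer that only negotiates one SA per tunnel, this is the candidate
    for the local traffic selector (ASA "local network" / encryption domain).
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in networks]
    candidate = nets[0]
    # Widen the prefix one bit at a time until every network fits inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def check_encryption_domain(local_networks, remote_networks):
    """Summarize the local side and sanity-check it against the remote side.

    Assumes `local_networks` do not overlap each other (true for the thread's
    /22 and /24), so the address arithmetic for `extra_addresses` is exact.
    """
    local = covering_supernet(local_networks)
    remotes = [ipaddress.ip_network(r, strict=True) for r in remote_networks]
    # A summary that swallows the remote prefix would make the selectors
    # ambiguous; the peer should reject it, and the ASA would route wrongly.
    overlaps = [str(r) for r in remotes if local.overlaps(r)]
    real = sum(ipaddress.ip_network(n).num_addresses for n in local_networks)
    return {
        "local_selector": str(local),
        "overlaps_remote": overlaps,
        # Addresses the summary admits that belong to no configured subnet.
        "extra_addresses": local.num_addresses - real,
    }


if __name__ == "__main__":
    # Constructed from the thread: two office subnets, one Azure VNet.
    result = check_encryption_domain(
        ["172.28.0.0/22", "172.28.4.0/24"], ["172.28.100.0/22"]
    )
    print(result)
```

The extra-address count is what the summary trades for a single SA: any traffic sourced from those unused ranges would now also match the tunnel, so it is worth keeping the interface ACLs tight on the summarized prefix.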
03-03-2016 06:20 AM
That was exactly the issue, thanks so much! I created an object 172.28.0.0/21 and changed the local networks in the connection profile to this new object and it started working beautifully.