1821 Views, 0 Helpful, 10 Replies

Tunnel connect and disconnect again

Omid Rajaee
Level 1
10 Replies

Hi, looks like the crypto map you've defined is incorrect; you need to double check that and confirm you have the correct remote network defined.

Hi RJI,

Please review this configuration for IPsec:

crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
tunnel-group 104.x.x.x type ipsec-l2l
tunnel-group 104.x.x.x ipsec-attributes
 ikev1 pre-shared-key <Pre-Shared-Key>

Thanks,

Omid

Can you provide the output of the crypto map and ACL configuration for both firewalls?
I assume you control both ends of the tunnel?

By the way, the other end is Microsoft Azure (policy-based VPN connection); it is not an ASA.

Here you are: show access:

access-list azure-vpn-acl extended permit ip object-group On-Prem-Net object-group Azure-Network

crypto map Cust-OutSell_map 4 match address azure-vpn-acl
crypto map Cust-OutSell_map 4 set peer x.x.x.x (Azure Gateway IP)
crypto map Cust-OutSell_map 4 set ikev1 transform-set azure-ipsec-proposal-set (esp-aes-256 esp-sha-hmac)

crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

 

What do you have defined on your ASA for the object groups:
On-Prem-Net
Azure-Network

Do you have access to the other Azure FW?
Can you confirm the settings are correct, in regard to the subnets defined in the crypto map and the Phase 2 config?

Those are my on-prem (private) network range and Azure network; in this case, I use 20.20.10.0/24.

I used these steps to configure both:

https://supportforums.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3099317

OK, but do you have the correct subnets defined in the ACLs on both ends? Your screenshot indicates "no matching crypto map entry for remote proxy 20.20.0..."

Oh, you are right, my object-group network IP range was 20.20.10.0 instead of 20.20.0.0/16.

Really appreciate your guidance and time.

Omid
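The mismatch found in this exchange (a /24 configured in the ASA object group where the Azure virtual network is a /16) is the usual cause of "no matching crypto map entry for remote proxy": with a policy-based Azure connection the ASA's crypto ACL proxies have to mirror the address spaces configured on the Azure side. The script below is an added example, not part of this thread and not a Cisco or Microsoft tool. It parses a constructed ASA fragment (object-group, ACL and crypto map names taken from the thread; the on-prem 10.10.8.0/22 taken from the packet-tracer output posted later in the thread), expands the crypto ACL into (local, remote) proxy pairs, and checks each pair against the Azure-side address spaces, which are supplied by hand here as assumed values rather than read from Azure.

```python
import ipaddress
import re

# Constructed sample ASA fragment using the object and ACL names from the
# thread. Azure-Network carries the /24 that the thread found to be wrong;
# the Azure virtual network is actually 20.20.0.0/16.
ASA_CONFIG_BEFORE = """\
object-group network On-Prem-Net
 network-object 10.10.8.0 255.255.252.0
object-group network Azure-Network
 network-object 20.20.10.0 255.255.255.0
access-list azure-vpn-acl extended permit ip object-group On-Prem-Net object-group Azure-Network
crypto map Cust-OutSell_map 4 match address azure-vpn-acl
"""

# Same fragment after the fix described in the thread (20.20.0.0/16).
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE.replace(
    "network-object 20.20.10.0 255.255.255.0",
    "network-object 20.20.0.0 255.255.0.0")

# Assumed view of the Azure side of a policy-based connection: the local
# network gateway's address space (on-prem) and the VNet address space.
AZURE_LOCAL_NETWORK_GATEWAY = ["10.10.8.0/22"]
AZURE_VNET_ADDRESS_SPACE = ["20.20.0.0/16"]


def parse_object_groups(config):
    """Map object-group name -> list of ip_network (network-object lines only)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current is not None:
            if m.group(1) == "host":
                groups[current].append(ipaddress.ip_network(m.group(2)))
            else:
                groups[current].append(
                    ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return groups


def _endpoint(tokens, groups):
    """Consume one ACE endpoint: object-group X | host A | any | A MASK."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)], tokens[2:]


def crypto_acl_proxies(config, acl_name):
    """Expand the 'permit ip' ACEs of the crypto ACL into (local, remote) proxy pairs."""
    groups = parse_object_groups(config)
    pat = re.compile(rf"access-list {re.escape(acl_name)} extended permit ip (.+)")
    pairs = []
    for line in config.splitlines():
        m = pat.match(line)
        if not m:
            continue
        src, rest = _endpoint(m.group(1).split(), groups)
        dst, _ = _endpoint(rest, groups)
        pairs.extend((s, d) for s in src for d in dst)
    return pairs


def proxy_mismatches(pairs, peer_onprem, peer_vnet):
    """Return (local, remote, reason) for every ASA proxy pair the peer does not mirror exactly."""
    peer_pairs = {(ipaddress.ip_network(a), ipaddress.ip_network(b))
                  for a in peer_onprem for b in peer_vnet}
    problems = []
    for local, remote in pairs:
        if (local, remote) in peer_pairs:
            continue
        reason = "no matching selector on peer"
        for p_local, p_remote in peer_pairs:
            # The common mistake: same side, but one end is a narrower prefix.
            if local == p_local and remote.subnet_of(p_remote):
                reason = f"remote {remote} is narrower than peer's {p_remote}"
            elif remote == p_remote and local.subnet_of(p_local):
                reason = f"local {local} is narrower than peer's {p_local}"
        problems.append((str(local), str(remote), reason))
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", ASA_CONFIG_BEFORE), ("after", ASA_CONFIG_AFTER)):
        pairs = crypto_acl_proxies(cfg, "azure-vpn-acl")
        print(label, proxy_mismatches(pairs, AZURE_LOCAL_NETWORK_GATEWAY,
                                      AZURE_VNET_ADDRESS_SPACE))
```

Run against the "before" fragment it reports the 20.20.10.0/24 proxy as narrower than the peer's 20.20.0.0/16; against the corrected fragment it reports nothing. The same check applies to any ACE form the helper understands (object-group, host, any, or address plus mask), so it can be pointed at a real `show running-config` extract once the Azure address spaces are filled in.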

Now the VPN is connected but there is no ESP traffic on the connection. So the problem right now is in Phase 2.

Please look at this error; that packet dropped!

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xae2cbd68, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=13, user_data=0x0, cs_id=0xadf3d260, reverse, flags=0x0, protocol=0
        src ip/id=10.10.8.0, mask=255.255.252.0, port=0, tag=0
        dst ip/id=10.20.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Cust-OutSell, output_ifc=any
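When packet-tracer drops in the ipsec-tunnel-flow phase, the first thing to compare is the src/dst of the rule it matched against the networks the crypto ACL actually protects. The following Python script is an added example, not part of this thread: it parses a constructed copy of the Phase 5 output posted above into its fields and networks, then checks whether the flow's source and destination fall inside the crypto ACL's local and remote proxies, which are supplied here as plain CIDR strings taken from the thread (10.10.8.0/22 on-prem, 20.20.0.0/16 for Azure). With those values the destination in the dropped flow, 10.20.0.0/16, lies outside 20.20.0.0/16, which is the kind of discrepancy this check is meant to surface.

```python
import ipaddress
import re

# Constructed copy of the dropped-phase output posted in the thread.
PACKET_TRACER_PHASE = """\
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xae2cbd68, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=13, user_data=0x0, cs_id=0xadf3d260, reverse, flags=0x0, protocol=0
        src ip/id=10.10.8.0, mask=255.255.252.0, port=0, tag=0
        dst ip/id=10.20.0.0, mask=255.255.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Cust-OutSell, output_ifc=any
"""

# Crypto ACL proxies as stated elsewhere in the thread, as plain CIDR strings.
ACL_LOCAL = ["10.10.8.0/22"]
ACL_REMOTE = ["20.20.0.0/16"]


def parse_phase(text):
    """Extract phase/type/subtype/result, the rule's key=value fields, and src/dst networks."""
    info = {"fields": {}}
    for line in text.splitlines():
        m = re.match(r"(Phase|Type|Subtype|Result): (.*)", line)
        if m:
            info[m.group(1).lower()] = m.group(2).strip()
            continue
        m = re.match(r"\s*(src|dst) ip/id=([\d.]+), mask=([\d.]+)", line)
        if m:
            info[m.group(1)] = ipaddress.ip_network(
                f"{m.group(2)}/{m.group(3)}", strict=False)
            continue
        # Generic key=value pairs on the remaining rule lines (id, domain, ifc, ...).
        for key, val in re.findall(r"(\w+)=([^,\s]+)", line):
            info["fields"][key] = val
    return info


def flow_vs_acl(info, acl_local, acl_remote):
    """Say whether the matched flow's src and dst are covered by the crypto ACL proxies."""
    local = [ipaddress.ip_network(n) for n in acl_local]
    remote = [ipaddress.ip_network(n) for n in acl_remote]
    return {
        "result": info["result"],
        "subtype": info["subtype"],
        "src_in_acl": any(info["src"].subnet_of(n) for n in local),
        "dst_in_acl": any(info["dst"].subnet_of(n) for n in remote),
    }


if __name__ == "__main__":
    phase = parse_phase(PACKET_TRACER_PHASE)
    print(phase["fields"]["domain"], phase["src"], "->", phase["dst"])
    print(flow_vs_acl(phase, ACL_LOCAL, ACL_REMOTE))
```

A `dst_in_acl` of False on a DROP in the ipsec-tunnel-flow phase points at the crypto ACL or the object groups behind it rather than at IKE; a True/True result on the same drop would instead send you to the peer's selectors or the SA state (`show crypto ipsec sa`).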
