Beginner

Re: Add new subnets to site to site VPN tunnel are already created.

Hi Richard,

 

I have asked the other end to engage Azure to see why we can't get multiple subnets across the one tunnel. I will keep all posted on the outcome. Thanks for your input, mate.

 

Cheers.

Beginner

Re: Add new subnets to site to site VPN tunnel are already created.

Hi Azam,

 

Thanks for your info. I have engaged the other side to get them to check with Azure as well to troubleshoot why we can't get multiple subnets over the one tunnel. Can I ask, were you able to get multiple subnets over a single tunnel?

 

Tks mate.

 

Participant

Re: Add new subnets to site to site VPN tunnel are already created.

Hi,

I'm not sure I understand the question.

As per standard VPN config, the local & remote subnets (or Proxy IDs) are defined in an access-list that is referenced in your crypto map.

Regards

Azam

Beginner

Re: Add new subnets to site to site VPN tunnel are already created.

I added the subnets (i.e. 10.210.0.0/16, 10.211.0.0/16, 10.212.0.0/16) to the crypto map ACL, but every time only one subnet would show up in the monitoring (i.e. 10.210.0.0/16 etc.), so I believe the reason is something is not correct on the Azure side.

Participant

Re: Add new subnets to site to site VPN tunnel are already created.

You can also verify the different subnets with packet-tracer from the ASA CLI (the ICMP form takes source IP, ICMP type, ICMP code and destination IP; the values in angle brackets are placeholders):

packet-tracer input inside icmp <source-ip> 8 0 <dest-ip> detailed

Like I said earlier, you can open a ticket with Azure and have someone from their end on the phone while testing, if you think the fault lies with them.

regards

azam


Beginner

Re: Add new subnets to site to site VPN tunnel are already created.

I have suggested they engage Azure Support, so I will post back once we hear. :) Thanks for your suggestions.

Beginner

Re: Add new subnets to site to site VPN tunnel are already created.

Here is what the packet trace shows. For some reason only one subnet is being allowed across: 10.211.0.0/16 is being dropped and 10.214.0.0/16 is being allowed across the VPN tunnel. Any ideas why?

 

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f2965cdcc60, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0x7f295e83dde0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.211.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside


Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f295ceccb00, priority=70, domain=encrypt, deny=false
hits=476, user_data=0x176f2e4, cs_id=0x7f295e83dde0, reverse, flags=0x0, protocol=0
src ip/id=10.1.1.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.214.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Participant

Re: Add new subnets to site to site VPN tunnel are already created.

Ensure you have all remote subnets in your crypto ACL.

Also ensure routing is correct for that subnet.

Other than that, you'd have to post the config.

regards, mk

Beginner

Re: Add new subnets to site to site VPN tunnel are already created.

OK, so here is my crypto map:

 

static: 1 1 10.1.1.0/24
10.210.0.0/16
10.211.0.0/16
10.212.0.0/16
10.213.0.0/16
10.214.0.0/16 ip Protect ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 Azure-Ipsec-Tunnel-onpremise-x.x.x.x [Ljava.lang.String;@e715a0 False False bidirectional 01:00:00 or 4608000 KB main []

 

And the attached image is my ACL Manager subnets.

 

The NAT rule is:

 

20 inside outside OnPremisesNetworks_10_1_1_0 AzureNetworks_10_211_0_0 any -- Original -- -- Original -- -- Original -- No Proxy ARP,Route Lookup  

 

 

All the subnets are in the group-object AzureNetworks. What I can't figure out is why only 10.214.0.0/16 is showing in monitoring and none of the other subnets. And when I do a packet trace, the only one that successfully gets through is 10.214.0.0/16; all others are failing at VPN.

 

Hall of Fame Master

Re: Add new subnets to site to site VPN tunnel are already created.

I believe that it is critical that we get some confirmation whether the remote side/Azure has made changes corresponding to your changes.

 

It would be helpful if we could see the output of the command show crypto ipsec sa. It would also be helpful if we could see an updated copy of the config.

 

HTH

 

Rick

Beginner

Re: Add new subnets to site to site VPN tunnel are already created.

After engaging Microsoft to get their input on what they were seeing, it was confirmed the Azure side was not configured correctly. Thanks so much for all your assistance.

Participant

Re: Add new subnets to site to site VPN tunnel are already created.

Like I suggested in the earlier posting. :)

Thanks for the update!

Regards, mk

Please rate if helpful or solved. :)

 

Hall of Fame Master

Re: Add new subnets to site to site VPN tunnel are already created.

Thanks for updating to tell us that it is confirmed that Azure was not correctly configured. I am glad that your problem is solved. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. One of the good things about these communities is having multiple people contributing to solving the issue. Several people made suggestions pointing in the right direction. These communities are excellent places to ask questions and to learn about networking. I hope to see you continue to be active in the community.

 

HTH

 

Rick