ASA 5506 route based VPN to Azure

Sean Hegyi
Level 1
Level 1

Hoping someone can assist, I have my Site to Site VPN working from on premise ASA to Azure, but currently cannot pass traffic.

The ASA is running 9.8

Azure VPN is High Performance route based.

Using IKEv2 VTI for this tunnel.

I have verified the tunnel is up with show crypto ikev2 sa and show crypto ipsec sa

I'm trying to configure this with static routes. Currently I have the static route "route AZR-TUNNEL 192.168.2.0 255.255.255.0 13.73.X.X" configured, with AZR-TUNNEL being my VTI interface. However, I cannot get any traffic to pass across the VPN.

I have noticed that show crypto ipsec sa shows the following

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 841, #pkts decrypt: 841, #pkts verify: 841

Just at a loss on how to get the final piece of this working.

If anyone can assist, it will be greatly appreciated.
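As an added diagnostic example (not code from the original thread or from Cisco): a small Python helper that parses the #pkts counters from "show crypto ipsec sa" output and classifies the tunnel as receive-only, which is the pattern quoted above (encaps 0, decaps 841). The sample text is constructed; only the two counter lines follow the post, the local address is a documentation placeholder, and the verdict strings are my own wording.

```python
import re

# Constructed sample of "show crypto ipsec sa" output. Only the two
# counter lines are modelled on the post; the interface/peer lines are
# simplified and the local address is a documentation placeholder.
SAMPLE_SA_OUTPUT = """\
interface: AZR-TUNNEL
    local addr: 203.0.113.10 (placeholder)
    current_peer: 13.73.198.244
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 841, #pkts decrypt: 841, #pkts verify: 841
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa_counters(text):
    """Return {interface: {"encaps": n, "decaps": n}} summed over every
    SA listed under each "interface:" header in the command output."""
    counters = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            current = line.split(":", 1)[1].strip()
            counters.setdefault(current, {"encaps": 0, "decaps": 0})
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            counters[current][m.group(1)] += int(m.group(2))
    return counters


def diagnose(counters):
    """Classify traffic direction per interface from the encap/decap
    counters; the verdict names which side's config to inspect."""
    verdicts = {}
    for intf, c in counters.items():
        enc, dec = c["encaps"], c["decaps"]
        if enc == 0 and dec == 0:
            verdicts[intf] = "idle: nothing encrypted or decrypted yet"
        elif enc == 0:
            # Peer traffic arrives and decrypts, but the ASA never sends
            # anything into the tunnel: check the static route, the NAT
            # exemption and the ACL/vpn-filter on the ASA side.
            verdicts[intf] = "receive-only: check local route/NAT/ACL"
        elif dec == 0:
            verdicts[intf] = "send-only: check the remote side's route and selectors"
        else:
            verdicts[intf] = "bidirectional"
    return verdicts
```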

Accepted Solution

zaydiip
Level 1
Level 1

Hi Sean Hegyi,

It seems like some routing issue. Can you try to ping the peer's public IP from your end?

Also, check whether you are getting any hits on the ACL (proxy-id).


6 Replies

Aditya Ganjoo
Cisco Employee
Cisco Employee

Hi,

Seems like a route or NAT issue on the ASA.

Can you check if you have these two things validated?

Regards,

Aditya

Please rate helpful and mark correct answers

Hi Guys,

Thanks for the responses

Peer's public IP doesn't respond to ping. Tunnel is established so I would assume it knows how to get to the peer.

Can't see any hits on the ACL

Below is configured NAT rule

nat (inside,outside) source static LAN_NET_Internal LAN_NET_Internal destination static azure-networks azure-networks no-proxy-arp route-lookup

Configured static route below

route AZR-TUNNEL 192.168.2.0 255.255.255.0 13.73.x.x 1

To help, below is what I have configured so far. I've been looking at this for a while, so I may have done something stupid.

interface Tunnel10
nameif AZR-TUNNEL
ip address 169.254.0.1 255.255.255.0
tunnel source interface outside
tunnel destination 13.73.198.244
tunnel mode ipsec ipv4
tunnel protection ipsec profile AZR-PROF

access-list outside_cryptomap_1 extended permit ip object LAN_NET_Internal object azure-networks

nat (inside,outside) source static LAN_NET_Internal LAN_NET_Internal destination static azure-networks azure-networks no-proxy-arp route-lookup

route AZR-TUNNEL 192.168.2.0 255.255.255.0 13.73.x.x 1

crypto ipsec ikev2 ipsec-proposal AZR-PROP
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ipsec profile AZR-PROF
set ikev2 ipsec-proposal AZR-PROP

crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 13.73.x.x
crypto map outside_map 1 set ikev2 ipsec-proposal AZR-PROP
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside

group-policy GroupPolicy_AZURE internal
group-policy GroupPolicy_AZURE attributes
vpn-filter value outside_cryptomap_1
vpn-tunnel-protocol ikev2

tunnel-group 13.73.x.x type ipsec-l2l
tunnel-group 13.73.x.x general-attributes
default-group-policy GroupPolicy_AZURE
tunnel-group 13.73.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

As I said, I may have done something silly.

Thanks,

Sean

I guess I just needed some sleep; I was missing an entry on the ACL.

Thanks for your help.

Cheers,

Sean

Hi Sean,

Could you please let me know which ACL you were missing? I am having the same issue but could not figure it out.

I did the same configuration, but it just shows the VPN connected and not passing the traffic.


Thanks

Ashish 

For a route-based VPN you won't need the crypto map on the outside interface. I don't think the group-policy is needed either. If using PSK then you will still want to keep the tunnel-group portion. I have just set one of these up for the first time ever due to Azure being flaky with the ASA when using policy-based VPN on the ASA side.
