ASA 5510 L2L VPN's to Azure Static Gateway and branch office

tim.chubb
Level 1

Hi

I am trying to setup an ASA to work as a hub between two site to site VPN's, one to our office and one to Azure.

i.e.

Office <-- internet --> ASA <-- internet --> Azure

From both sites I can establish a VPN to the ASA and access hosts on our data center network, however I cannot seem to get end to end connectivity from Azure to our office or vice versa.

Any ideas on what I can try, as I have been banging my head against a wall with this one?

9 Replies

Jouni Forss
VIP Alumni

Hi,

Without seeing the actual configurations on the ASA I can only guess the most typical reasons this might not work.

  • Local and remote networks are not configured (or correctly configured) on all the devices handling the L2L VPN connections
  • NAT0 configurations missing on some devices handling the L2L VPN connections. Since the ASA is the Hub you will need a NAT0 configuration on the "outside" interface for the connectivity between the 2 sites that connect to the ASA via L2L VPN
  • The "same-security-traffic permit intra-interface" configuration missing from the ASA. This would allow connections to come in through the "outside" and leave through the same "outside" interface. This would be the case in your situation when traffic is flowing between the 2 remote sites through this ASA.

The problem might be one of the above or all of them.

The latter 2 things might be the most likely reasons.

- Jouni

Hi,

When you test Office <-> Azure traffic do you see the SA form?

Does the output of the following commands show that the L2L VPN has formed for the Office <-> Azure networks on both L2L VPN connections on the ASA?

show crypto ipsec sa peer 10.20.0.25

show crypto ipsec sa peer 10.30.0.21

If both L2L VPN look fine, what do the packet counters of the above commands output show for the 2 mentioned sites? Perhaps the problem is on either remote site.

- Jouni

Hi Jouni

Here is the output for the 2 commands above:

fwuk01# sh cry ipsec sa peer 10.20.0.25
peer address: 10.20.0.25
    Crypto map tag: VS-VPNS, seq num: 10, local addr: 10.0.0.1

      access-list OFFICE-DC-ACL extended permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 10.20.0.25

      #pkts encaps: 1252847, #pkts encrypt: 1252847, #pkts digest: 1252847
      #pkts decaps: 2363423, #pkts decrypt: 2363422, #pkts verify: 2363422
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1252847, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/4500, remote crypto endpt.: 10.20.0.25/4500
      path mtu 1500, ipsec overhead 66(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 046CFF11
      current inbound spi : C41EF31A

    inbound esp sas:
      spi: 0xC41EF31A (3290362650)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 3928064, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (94444517/745)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x046CFF11 (74252049)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 3928064, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97148522/745)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

fwuk01# sh cry ipsec sa peer 10.30.0.21
peer address: 10.30.0.21
    Crypto map tag: VS-VPNS, seq num: 15, local addr: 10.0.0.1

      access-list AZURE-DC-ACL extended permit ip 172.16.2.0 255.255.255.0 172.16.4.0 255.255.252.0
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.248/0/0)
      current_peer: 10.30.0.21

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.30.0.21/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: A4368F28
      current inbound spi : EEC248B6

    inbound esp sas:
      spi: 0xEEC248B6 (4005710006)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3874816, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97199999/3429)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000D
    outbound esp sas:
      spi: 0xA4368F28 (2755039016)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3874816, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97200000/3428)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VS-VPNS, seq num: 15, local addr: 10.0.0.1

      access-list AZURE-DC-ACL extended permit ip 172.16.2.0 255.255.255.0 172.16.4.0 255.255.252.0
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
      current_peer: 10.30.0.21

      #pkts encaps: 76, #pkts encrypt: 76, #pkts digest: 76
      #pkts decaps: 161, #pkts decrypt: 161, #pkts verify: 161
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 76, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.30.0.21/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 62DA5F2E
      current inbound spi : BD8EDA59

    inbound esp sas:
      spi: 0xBD8EDA59 (3180255833)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3874816, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97199997/2019)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0007FFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x62DA5F2E (1658478382)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3874816, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97199998/2019)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001 

Hi,

According to the above output there is currently no SA on either L2L VPN connection from the ASA which would be for the connections between Office and Azure.

So either no traffic was generated from either Office or Azure before the output was taken, or there are misconfigurations or missing configurations still related to the L2L VPN connections.

- Jouni

Hi Jouni

Whoops, forgot to be sending traffic when I ran those commands; here they are again with traffic going from either end.

sh cry ipsec sa peer 10.20.0.25
peer address: 10.20.0.25
    Crypto map tag: VS-VPNS, seq num: 10, local addr: 10.0.0.1

      access-list OFFICE-DC-ACL extended permit ip 172.16.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 10.20.0.25

      #pkts encaps: 2979464, #pkts encrypt: 2979464, #pkts digest: 2979464
      #pkts decaps: 5611235, #pkts decrypt: 5611235, #pkts verify: 5611235
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2979465, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/4500, remote crypto endpt.: 10.20.0.25/4500
      path mtu 1500, ipsec overhead 66(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 04952DA7
      current inbound spi : 6846AB6E

    inbound esp sas:
      spi: 0x6846AB6E (1749461870)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 3928064, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (96075885/1917)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x04952DA7 (76885415)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 3928064, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97178817/1917)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VS-VPNS, seq num: 10, local addr: 10.0.0.1

      access-list OFFICE-DC-ACL extended permit ip 172.16.4.0 255.255.252.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.4.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 10.20.0.25

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1211, #pkts decrypt: 1211, #pkts verify: 1211
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/4500, remote crypto endpt.: 10.20.0.25/4500
      path mtu 1500, ipsec overhead 66(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0698449D
      current inbound spi : 5CB8EA09

    inbound esp sas:
      spi: 0x5CB8EA09 (1555622409)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 3928064, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97199989/3118)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0698449D (110642333)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 3928064, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97200000/3118)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

fwuk01# sh cry ipsec sa peer 10.30.0.21
peer address: 10.30.0.21
    Crypto map tag: VS-VPNS, seq num: 15, local addr: 10.0.0.1

      access-list AZURE-DC-ACL extended permit ip 172.16.2.0 255.255.255.0 172.16.4.0 255.255.252.0
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.248/0/0)
      current_peer: 10.30.0.21

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.30.0.21/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: BBF36F66
      current inbound spi : 5865E010

    inbound esp sas:
      spi: 0x5865E010 (1483071504)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3874816, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97200000/3549)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xBBF36F66 (3153293158)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3874816, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97200000/3549)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: VS-VPNS, seq num: 15, local addr: 10.0.0.1

      access-list AZURE-DC-ACL extended permit ip 172.16.2.0 255.255.255.0 172.16.4.0 255.255.252.0
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
      current_peer: 10.30.0.21

      #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
      #pkts decaps: 88, #pkts decrypt: 88, #pkts verify: 88
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 41, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.1/0, remote crypto endpt.: 10.30.0.21/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 07E87F80
      current inbound spi : 7020614C

    inbound esp sas:
      spi: 0x7020614C (1881170252)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3874816, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97199995/878)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x07E87F80 (132677504)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3874816, crypto-map: VS-VPNS
         sa timing: remaining key lifetime (kB/sec): (97199996/878)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

It seems as though the Azure L2L doesn't have an SA for the office, but the office one does. Guess this points towards the setup on Azure being the issue, maybe?
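The check Jouni asked for, as an added example that is not part of the thread: parse the `show crypto ipsec sa peer` output for each spoke, find the SA whose proxy identities cover the Office <-> Azure pair, and flag a pair that has no SA on one peer or that only receives packets without sending any back. The sample output is a constructed, abbreviated copy of the output posted above, and the function names are my own.

```python
import re
from ipaddress import ip_network

# Constructed sample: the 'show crypto ipsec sa peer' output from the thread, cut
# down to the lines this check reads (proxy identities and encaps/decaps counters).
OFFICE_PEER = """\
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      #pkts encaps: 2979464, #pkts encrypt: 2979464, #pkts digest: 2979464
      #pkts decaps: 5611235, #pkts decrypt: 5611235, #pkts verify: 5611235
      local ident (addr/mask/prot/port): (172.16.4.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1211, #pkts decrypt: 1211, #pkts verify: 1211
"""
AZURE_PEER = """\
      local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
      #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
      #pkts decaps: 88, #pkts decrypt: 88, #pkts verify: 88
"""
IDENT_RE = re.compile(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(output):
    """One dict per SA block: local/remote proxy networks and encaps/decaps counts."""
    sas, cur = [], None
    for line in output.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":          # 'local ident' opens a new SA block
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            cur[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3)}")
        elif (m := COUNT_RE.search(line)) and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas

def check_hub_pair(office_output, azure_output, office_net, azure_net):
    """Hub check for Office <-> Azure through the ASA: the pair needs an SA on
    BOTH peers, and each SA should carry packets in both directions."""
    office_net, azure_net = ip_network(office_net), ip_network(azure_net)
    findings = []
    for name, out, local, remote in (("Office", office_output, azure_net, office_net),
                                     ("Azure", azure_output, office_net, azure_net)):
        sa = next((s for s in parse_sas(out)
                   if s["local"].overlaps(local) and s["remote"].overlaps(remote)), None)
        if sa is None:
            findings.append(f"{name} peer: no SA for {local} <-> {remote}; "
                            "check the crypto ACL / local network ranges on that side")
        elif sa["decaps"] and not sa["encaps"]:
            findings.append(f"{name} peer: {sa['decaps']} pkts received, 0 sent back; "
                            "the return path over the other tunnel is not forming")
    return findings
```

On the sample this reports packets arriving from the Office for the Azure range with nothing sent back, and no Office <-> Azure SA at all on the Azure peer, which is the asymmetry the thread ends up attributing to the Azure side.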

Hi,

If traffic was also generated from the Azure towards Office network then it would seem that there is a problem with the L2L VPN configuration between the ASA and Azure, most likely on the Azure side.

- Jouni

Fixed it!

Was a configuration issue on the Azure virtual network, needed to add the office network to the local network address ranges, on the Azure network setup screens.

Hi,

Glad to hear it's working now.

Please do remember to mark a reply as the correct reply and/or rate helpful answers.

- Jouni

Thanks for the help, guess I was going blind to the problem from looking at it too long.