ASA Route Based Tunnel to Azure Failing

guacamoley
Level 1

Hi all,

I have a s2s tunnel going to Azure and it is up and functioning. The Azure team wants a secondary tunnel up going to their other gateway for redundancy. I copied the exact same configuration over from the primary tunnel but the tunnel interface is staying down/down. This is the debug I was getting, I noticed errors at the bottom as "Auth Exchange Failed" and "Failed to receive the AUTH msg before the timer expired". I was thinking it may have to do with PSK, but we verified the PSK was the same on both sides (I applied it to the tunnel-group, not a key ring, not sure if that's necessary). I copied the config exactly as it's done, which was based off of this guide https://www.petenetlive.com/KB/Article/0001515.

The debug I received is attached. Any help is appreciated.

3 Replies

Do you use the same Azure destination IP for both tunnels?

MHM

balaji.bandi
Hall of Fame

Hope either side you have 2 different public IP addresses.

Is the ASA directly connected to the internet or behind NAT?

IKEv2-PROTO-2: (1001): Auth exchange failed - check the configuration again?

Look at the VPN guide from Azure below:

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell

Hope you may already have the Cisco document, just for reference:

https://community.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3101421

BB


Copying the exact config is OK for policy proposals but not for the key and profile.

The IP must change.

MHM