
ASA5508 Site-to-Site Azure IPSEC drops

Frank Osberg
Level 4

Hi guys,

 

I am having a strange issue.... I really hope that you can help me with it...

 

We have a site-to-site tunnel without BGP running up against Azure.... It works with no issue here, but after 10-11 days the connection drops... I can see that the tunnel is trying to be re-established when it goes down: IKEv2 is there, but IPsec doesn't come up, and therefore traffic will not go through.

 

This is what I can see in the log:

 

7|Aug 09 2019|22:27:23|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
6|Aug 09 2019|22:27:21|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x59025CE7) between XXXXXXX and XXXXXXX (user= XXXXXXX) has been created.
6|Aug 09 2019|22:27:21|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5825BDF6) between XXXXXXX and XXXXXXX (user= XXXXXXX) has been created.
6|Aug 09 2019|22:27:21|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
5|Aug 09 2019|22:27:21|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:27:21|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
7|Aug 09 2019|22:27:21|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
7|Aug 09 2019|22:27:21|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:27:21|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
4|Aug 09 2019|22:27:11|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:07s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
5|Aug 09 2019|22:27:09|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:27:04|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:27:04|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:27:04|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:27:04|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
4|Aug 09 2019|22:27:04|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:27:04|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:27:04|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:27:04|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:27:04|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:27:04|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:56|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:26:44|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:26:44|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:26:44|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:26:44|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
4|Aug 09 2019|22:26:44|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:26:44|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:26:44|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:26:44|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:44|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:26:44|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:43|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.5.0.148-10.5.0.148 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.4-172.16.0.4 Protocol: 0 Port Range: 0-65535
5|Aug 09 2019|22:26:32|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:26:24|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:26:24|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:26:24|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:26:24|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
4|Aug 09 2019|22:26:24|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:26:24|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:26:24|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:26:24|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:24|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:26:24|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:20|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
5|Aug 09 2019|22:26:08|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:26:04|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:26:04|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:26:04|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:26:04|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
4|Aug 09 2019|22:26:04|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:26:04|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:26:04|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:26:04|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:26:04|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:26:04|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:25:56|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
5|Aug 09 2019|22:25:44|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
6|Aug 09 2019|22:25:44|113009|||||AAA retrieved default group policy (GroupPolicy_Azure) for user = XXXXXXX
7|Aug 09 2019|22:25:44|609001|XXXXXXX||||Built local-host outside:XXXXXXX
5|Aug 09 2019|22:25:44|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:25:44|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:18
4|Aug 09 2019|22:25:44|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:19s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:25:44|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
3|Aug 09 2019|22:25:44|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
7|Aug 09 2019|22:25:44|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
5|Aug 09 2019|22:25:44|750002|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
7|Aug 09 2019|22:25:44|713906|||||IKE Receiver: Packet received on XXXXXXX:500 from XXXXXXX:500
When I log in to my ASA through ASDM and log the connection out, the connection is re-established and works again.

 

I have used the configuration from Azure (or have taken out the parts that we needed).

 

What can I do here? And what other info do you need? :)

 

Frank

4 Replies

Frank Osberg
Level 4

Nobody who has ideas on this matter?

Richard Burts
Hall of Fame

Frank

 

There are a few things in your output that I find puzzling. I see many attempts to establish the vpn specifying these addresses

Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535

 

but I also see attempts to establish the vpn using this

Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0

 

and also see an attempt using this

Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.5.0.148-10.5.0.148 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.4-172.16.0.4 Protocol: 0 Port Range: 0-65535

 

Can you provide any clarification about these addresses?

 

I am also not understanding this part of your description

When I log in to my ASA through ASDM and log the connection out, the connection is re-established and works again.

It seems to suggest that perhaps one side of the connection sees a problem and attempts to re-establish but the other side of the connection does not recognize that there was a problem and logout gets both sides back in sync.

 

HTH

 

Rick
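Rick's comparison of the three traffic-selector pairs in the log can be done mechanically rather than by eye. The script below is an added example, not something from this thread, from Cisco, or from Azure: it parses the pipe-delimited rows in the layout pasted above (severity|date|time|message-id|host||||text), groups the IKEv2 messages that matter for this kind of triage (750001 tunnel requests, 751022 crypto-map rejections, 113019 disconnect reasons, 750014 aborts, 750006 SA up), and prints findings such as "more than one selector pair requested" or "SA up followed by Peer Reconnected". The sample rows embedded in it are constructed, modelled on the rows in the post with the same masked peer addresses; the message-id meanings are taken from the log text itself, not from any ASA syslog reference.

```python
import re
from collections import Counter

# Constructed sample, modelled on the rows pasted in the thread (same masked peers).
SAMPLE_LOG = """\
5|Aug 09 2019|22:27:09|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
5|Aug 09 2019|22:26:43|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.5.0.148-10.5.0.148 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.4-172.16.0.4 Protocol: 0 Port Range: 0-65535
3|Aug 09 2019|22:26:44|751022|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
4|Aug 09 2019|22:26:44|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:20s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Reconnected
4|Aug 09 2019|22:26:44|750014|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 Session Aborted. Reason: Initial contact received for Local ID: XXXXXXX, Remote ID: XXXXXXX from remote peer: XXXXXXX:500 to XXXXXXX:500
5|Aug 09 2019|22:26:44|750006|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:XXXXXXX IKEv2 SA UP. Reason: New Connection Established
7|Aug 09 2019|22:26:44|609002|XXXXXXX||||Teardown local-host outside:XXXXXXX duration 0:00:20
5|Aug 09 2019|22:26:20|750001|||||Local:XXXXXXX:500 Remote:XXXXXXX:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.6.164.206-10.6.164.206 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 172.16.0.1-172.16.0.1 Protocol: 0 Port Range: 0-65535
4|Aug 09 2019|22:27:11|113019|||||Group = XXXXXXX, Username = XXXXXXX, IP = XXXXXXX, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:07s, Bytes xmt: 0, Bytes rcv: 0, Reason: Administrator Reset
"""

# Patterns derived from the message text as it appears in the thread.
RE_TS = re.compile(
    r"local traffic selector = Address Range: ([\d.]+)-([\d.]+).*?"
    r"remote traffic selector = Address Range: ([\d.]+)-([\d.]+)")
RE_REJECT = re.compile(r"remote traffic selector (\S+) local traffic selector ([^\s!]+)")
RE_DISCONNECT = re.compile(r"Reason: (.+)$")
RE_ABORT = re.compile(r"Session Aborted\. Reason: (.+?)(?: for |,|$)")


def parse_line(line):
    """Split one row into its fixed fields; return None for rows that do not fit."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9 or not parts[3].isdigit():
        return None
    return {"severity": int(parts[0]), "date": parts[1], "time": parts[2],
            "msg_id": parts[3], "host": parts[4], "text": parts[8]}


def summarize(lines):
    """Count selector pairs, rejections, disconnect reasons, aborts and SA-up events."""
    s = {"ts_requests": Counter(), "rejected": Counter(), "disconnects": Counter(),
         "aborts": Counter(), "sa_up": 0, "parsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s["parsed"] += 1
        mid, text = rec["msg_id"], rec["text"]
        if mid == "750001":                      # child SA request with selectors
            m = RE_TS.search(text)
            if m:
                s["ts_requests"][(f"{m.group(1)}-{m.group(2)}",
                                  f"{m.group(3)}-{m.group(4)}")] += 1
        elif mid == "751022":                    # no crypto map matched the selectors
            m = RE_REJECT.search(text)
            if m:
                s["rejected"][(m.group(2), m.group(1))] += 1   # stored as (local, remote)
        elif mid == "113019":                    # session disconnected, with reason
            m = RE_DISCONNECT.search(text)
            if m:
                s["disconnects"][m.group(1)] += 1
        elif mid == "750014":                    # IKEv2 session aborted, with reason
            m = RE_ABORT.search(text)
            if m:
                s["aborts"][m.group(1)] += 1
        elif mid == "750006":                    # IKEv2 SA came up
            s["sa_up"] += 1
    return s


def findings(s):
    """Turn the counters into the observations a reviewer would raise."""
    out = []
    if s["rejected"]:
        out.append("751022: child SA rejected, no crypto map matches "
                   + "; ".join(f"local {l} / remote {r}" for l, r in s["rejected"]))
    if len(s["ts_requests"]) > 1:
        out.append("750001: more than one traffic-selector pair requested: "
                   + "; ".join(f"{l} -> {r}" for l, r in s["ts_requests"]))
    if s["sa_up"] and s["disconnects"].get("Peer Reconnected"):
        out.append("750006 then 113019 'Peer Reconnected': the peer re-sends initial "
                   "contact after each SA up, so this is a reconnect loop, not a stable tunnel")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

To run it over a real export, replace SAMPLE_LOG with the rows copied from the ASDM log viewer; rows that do not fit the nine-field layout are skipped rather than raising. The counters keep the full selector strings so a 0.0.0.0/255.255.255.255 wildcard (which no crypto map ACL will match) stands out next to the host-specific ranges.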

MARK BAKER
Level 4

Did you ever find the cause of this issue? I am seeing a similar issue between a Palo Alto firewall and ASA firewall. The difference being that we are doing NAT-T and it doesn't look like you are.

 

Thank you,

Mark

Hi Mark,

 

So after we did a bit more testing, we deleted the tunnel and set it up again, and it has been running ever since.... So I cannot really give you a good reason.