Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
398
Views
0
Helpful
2
Replies

ASA5525 - Route Based S2S Tunnel to Azure failing

guacamoley
Level 1
Level 1

‎12-21-2023 12:20 PM - edited ‎12-21-2023 12:21 PM

Hi all,

  I have a s2s tunnel going to Azure and it is up and functioning. The azure team wants a secondary tunnel up going to their other gateway for redundancy. I copied the exact same configuration over from the primary tunnel but the tunnel interface is staying down/down. This is the debug I was getting, I noticed errors at the bottom as "Auth Exchange Failed" and "Failed to receive the AUTH msg before the timer expired". I was thinking it may have to do with PSK, but we verified the PSK was the same on both sides (I applied it to the tunnel-group, not a key ring, not sure if that's necessary). I copied the config exactly as its done, which was based off of this guide https://www.petenetlive.com/KB/Article/0001515.

The debug I received is this:

(1001): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(1001):
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-4: (1001): Completed SA init exchange
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_START_TMR
IKEv2-PROTO-4: (1001): Starting timer (30 sec) to wait for auth message
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (1001): Request has mess_id 0; expected 1 through 1

IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_RE_XMT_RESP
IKEv2-PROTO-4: (1001): Retransmitting packet
(1001):
IKEv2-PROTO-4: (1001): Sending Packet [To [peer address scrubbed:500]/From 10.254.254.3:500/VRF i0:f0]
(1001): Initiator SPI : 1C18858AA96F3AE6 - Responder SPI : 19E915FFEA331438 Message id: 0
(1001): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (1001): Next payload: SA, version: 2.0 (1001): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (1001): Message id: 0, length: 719(1001):
Payload contents:
(1001): SA(1001): Next payload: KE, reserved: 0x0, length: 48
(1001): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(1001): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1001): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1001): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1001): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(1001): KE(1001): Next payload: N, reserved: 0x0, length: 264
(1001): DH group: 14, Reserved: 0x0
(1001):
(1001): VID(1001): Next payload: NOTIFY, reserved: 0x0, length: 59
(1001):

(1001): NOTIFY(NAT_DETECTION_SOURCE_IP)(1001): Next payload: NOTIFY, reserved: 0x0, length: 28
(1001): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(1001):
(1001): 42 d4 6b 77 3b 04 a7 f4 8f 6f e4 58 b9 bd 61 9e
(1001): 36 96 93 83
(1001): NOTIFY(NAT_DETECTION_DESTINATION_IP)(1001): Next payload: CERTREQ, reserved: 0x0, length: 28
(1001): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(1001):
(1001): e8 6a 07 fc 4e e9 17 15 24 11 d9 d7 2e d6 89 66
(1001): 2f 02 82 3b
(1001): CERTREQ(1001): Next payload: NOTIFY, reserved: 0x0, length: 145
(1001): Cert encoding X.509 Certificate - signature
(1001): CertReq data: 140 bytes
(1001): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(1001): Next payload: VID, reserved: 0x0, length: 8
(1001): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(1001): VID(1001): Next payload: NONE, reserved: 0x0, length: 20
(1001):
(1001): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(1001):
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-4: (1001): Packet is a retransmission
IKEv2-PROTO-7: (1001): Request has mess_id 0; expected 1 through 1

IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_RE_XMT_RESP
IKEv2-PROTO-4: (1001): Retransmitting packet
(1001):
IKEv2-PROTO-4: (1001): Sending Packet [To [peer address scrubbed:500]/From 10.254.254.3:500/VRF i0:f0]
(1001): Initiator SPI : 1C18858AA96F3AE6 - Responder SPI : 19E915FFEA331438 Message id: 0
(1001): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (1001): Next payload: SA, version: 2.0 (1001): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (1001): Message id: 0, length: 719(1001):
Payload contents:
(1001): SA(1001): Next payload: KE, reserved: 0x0, length: 48
(1001): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(1001): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(1001): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(1001): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(1001): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(1001): KE(1001): Next payload: N, reserved: 0x0, length: 264
(1001): DH group: 14, Reserved: 0x0
(1001):
(1001): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(1001): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(1001): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(1001): 73 2c 20 49 6e 63 2e
(1001): NOTIFY(NAT_DETECTION_SOURCE_IP)(1001): Next payload: NOTIFY, reserved: 0x0, length: 28
(1001): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(1001):
(1001): 42 d4 6b 77 3b 04 a7 f4 8f 6f e4 58 b9 bd 61 9e
(1001): 36 96 93 83
(1001): NOTIFY(NAT_DETECTION_DESTINATION_IP)(1001): Next payload: CERTREQ, reserved: 0x0, length: 28
(1001): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(1001):
(1001): e8 6a 07 fc 4e e9 17 15 24 11 d9 d7 2e d6 89 66
(1001): 2f 02 82 3b
(1001): CERTREQ(1001): Next payload: NOTIFY, reserved: 0x0, length: 145
(1001): Cert encoding X.509 Certificate - signature
(1001): CertReq data: 140 bytes
(1001): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(1001): Next payload: VID, reserved: 0x0, length: 8
(1001): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(1001): VID(1001): Next payload: NONE, reserved: 0x0, length: 20
(1001):
(1001): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(1001):
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-4: (1001): Packet is a retransmission
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_WAIT4_AUTH_TMO
IKEv2-PROTO-2: (1001): Failed to receive the AUTH msg before the timer expired
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-4: (1001): Auth exchange failed
IKEv2-PROTO-2: (1001): Auth exchange failed
IKEv2-PROTO-2: (1001): Auth exchange failed
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (1001): SM Trace-> SA: I_SPI=1C18858AA96F3AE6 R_SPI=19E915FFEA331438 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (1001): Abort exchange
IKEv2-PROTO-4: (1001): Deleting SA

 

 

Any assistance would be appreciated.

Labels:
0 Helpful
2 Replies 2

srpoda
Cisco Employee
Cisco Employee

‎01-08-2024 05:12 PM

Based on above debugs it looks ASA is sending out the Auth packet but dont see any response .

Please check if transit (isp) devices blocking udp500/4500 port in ASA--->Azure direction .

0 Helpful

MHM Cisco World
VIP
VIP

‎01-09-2024 02:27 AM

can you confirm if this issue solve or not 
MHM

0 Helpful
Customers Also Viewed These Support Documents