Hi @Dennis Mink,

We have not any possibility to check PSk, hash, DH group and lifetime on Azure side.

What is the good or best ASA S2S VPN configuration that you suggest to me.

A methode which run in another situation or case. Any link or file will be appreciate.

Have you tried following this config guide:

 

https://supportforums.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3099317

 

That document has both ASA and Azure side configurations to be made.

Hi Rahul,
Thanks for your link. I follow it and I am near of the solution.
After all configuration configuration we can see that VPN is connected by these commands:

#show crypto isakmp
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 40.115.XX.XX
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE


On Azure side we see Connected Status with Data out traffic.


I created a virtual machine on Azure and I am unable to ping my local network with this virtual machine. So I continue my analysis with below command:

#packet-tracer input Inside icmp Local_machine 8 0 Azure_VM detailed

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Good results from Inside side


and next I switch packet tracer direction with Outside interface

#packet-tracer input Outside icmp Azure_VM 8 0 Local_machine detailed

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff9d3f1950, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=18, user_data=0x1d0d7d4, cs_id=0xffe1ed0690, reverse, flags=0x0, protocol=0
src ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.128.3.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any


Someone can help me to find and solve this issue ?

I follow this link:

https://community.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3101421

Paste the full output for 

"packet-tracer input Inside icmp Local_machine 8 0 Azure_VM detailed"

 

Also change your second packet tracer command to the below (ASA 9.9 and above):

"packet-tracer input Outside icmp Azure_VM 8 0 Local_machine detailed decrypted" 

 

Hi Rahul,
Here requested output:
# packet-tracer input Inside icmp 192.168.0.18 8 0 10.5.0.4 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.5.0.4/0 to 10.5.0.4/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 102 in interface Inside
access-list 102 extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffdc6b3dd0, priority=13, domain=permit, deny=false
hits=152098567, user_data=0xffc0c06000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
Static translate 192.168.0.18/0 to 192.168.0.18/0
Forward Flow based lookup yields rule:
in id=0xffd8804f40, priority=6, domain=nat, deny=false
hits=2, user_data=0xff9d637ad0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.16, mask=255.255.255.248, port=0, tag=any
dst ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=Outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffd53521b0, priority=0, domain=nat-per-session, deny=true
hits=140453612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffdc472d80, priority=0, domain=inspect-ip-options, deny=true
hits=165062661, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffd367bd00, priority=70, domain=inspect-icmp, deny=false
hits=29493755, user_data=0xffd3679f50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffdc472590, priority=66, domain=inspect-icmp-error, deny=false
hits=29613443, user_data=0xffdc471b10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffde06d4e0, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x5ee8b4, cs_id=0xffe1ed0690, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.16, mask=255.255.255.248, port=0, tag=any
dst ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Outside

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffd8c5ab60, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0xff9d637bd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.16, mask=255.255.255.248, port=0, tag=any
dst ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=Outside

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffdd6b8b10, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=3, user_data=0x5f0d8c, cs_id=0xffe1ed0690, reverse, flags=0x0, protocol=0
src ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.168.0.16, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffd53521b0, priority=0, domain=nat-per-session, deny=true
hits=140453614, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffdc358630, priority=0, domain=inspect-ip-options, deny=true
hits=184812210, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 195506047, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

===============================================

# packet-tracer input Outside icmp 10.5.0.4 8 0 192.168.0.18$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.0.18/0 to 192.168.0.18/0

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffd55f1230, priority=11, domain=permit, deny=true
hits=22311171, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule