Azure S2S VPN with Cisco ASA ASA Version 9.8(2) hosted on Firepower 2110 Failed

TED24
Level 1

Hello,

I need your help.

We want to set up an Azure S2S VPN tunnel with a local Cisco Adaptive Security Appliance, Software Version 9.8(2), which is hosted on Firepower Extensible Operating System Version 2.2(2.52), Hardware: FPR-2110. On the Azure side the connection status of the VPN is still Connecting, with 0B Data In - 0B Data Out.

Azure S2S setting link : https://docs.microsoft.com/fr-fr/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#gatewaysubnet

Cisco ASA VPN setting link : https://docs.microsoft.com/fr-fr/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa#simple-debugging-commands

 

ASA VPN troubleshooting command:

FIREPOWER2110# debug crypto ikev2 protocol
FIREPOWER2110#
FIREPOWER2110#
FIREPOWER2110# no IKEv2-PROTO-1: (600): Failed to find a matching policy
IKEv2-PROTO-1: (600): Received Policies:
IKEv2-PROTO-1: (600): Failed to find a matching policy
IKEv2-PROTO-1: (600): Expected Policies:
IKEv2-PROTO-1: (600): Failed to find a matching policy
IKEv2-PROTO-1: (600):
IKEv2-PROTO-1: (600): Initial exchange failed
IKEv2-PROTO-1: (600): Initial exchange failed
IKEv2-PROTO-1: (921): Failed to find a matching policy
IKEv2-PROTO-1: (921): Received Policies:
IKEv2-PROTO-1: (921): Failed to find a matching policy
IKEv2-PROTO-1: (921): Expected Policies:
IKEv2-PROTO-1: (921): Failed to find a matching policy
IKEv2-PROTO-1: (921):
IKEv2-PROTO-1: (921): Initial exchange failed
IKEv2-PROTO-1: (921): Initial exchange failed

 

FIREPOWER2110# debug crypto ikev2 timers
FIREPOWER2110#
FIREPOWER2110#
FIREPOWER2110# IKEv2-TIMER: Setting an IKEv2 timer of type DPD Timer for 10 seconds with 0% jitter
IKEv2-TIMER: Created an IKEv2 timer of type Parent SA rekey
IKEv2-TIMER: Created an IKEv2 timer of type Parent SA Lifetime
IKEv2-TIMER: Created an IKEv2 timer of type Wait for Auth Msg Timer
IKEv2-TIMER: Created an IKEv2 timer of type External service timeout
IKEv2-TIMER: Setting an IKEv2 timer of type External service timeout for 25 seconds with 0% jitter
IKEv2-TIMER: Destroying an IKEv2 timer of type External service timeout
IKEv2-TIMER: Created an IKEv2 timer of type Retransmission timer
IKEv2-TIMER: Created an IKEv2 timer of type Delete Neg Ctx timer
IKEv2-TIMER: Destroying an IKEv2 timer of type Retransmission timer
IKEv2-TIMER: Destroying an IKEv2 timer of type Delete Neg Ctx timer
IKEv2-TIMER: Destroying an IKEv2 timer of type Wait for Auth Msg Timer
IKEv2-TIMER: Destroying an IKEv2 timer of type Parent SA rekey
IKEv2-TIMER: Destroying an IKEv2 timer of type Parent SA Lifetime
IKEv2-TIMER: Setting an IKEv2 timer of type DPD Timer for 10 seconds with 0% jitter
IKEv2-TIMER: Setting an IKEv2 timer of type DPD Timer for 10 seconds with 0% jitter
IKEv2-TIMER: Setting an IKEv2 timer of type DPD Timer for 10 seconds with 0% jitter
IKEv2-TIMER: Setting an IKEv2 timer of type DPD Timer for 10 seconds with 0% jitter
IKEv2-TIMER: Setting an IKEv2 timer of type DPD Timer for 10 seconds with 0% jitter
IKEv2-TIMER: Setting an IKEv2 timer of type DPD Timer for 10 seconds with 0% jitter

 

 

FIREPOWER2110# show crypto ikev2 stats

Global IKEv2 Statistics
  Active Tunnels:                          0
  Previous Tunnels:                        0
  In Octets:                         6741260
  In Packets:                          10873
  In Drop Packets:                         0
  In Drop Fragments:                       0
  In Notifys:                          21746
  In P2 Exchange:                          0
  In P2 Exchange Invalids:                 0
  In P2 Exchange Rejects:                  0
  In IPSEC Delete:                         0
  In IKE Delete:                           0
  Out Octets:                         391428
  Out Packets:                         10873
  Out Drop Packets:                        0
  Out Drop Fragments:                      0
  Out Notifys:                         10873
  Out P2 Exchange:                         0
  Out P2 Exchange Invalids:                0
  Out P2 Exchange Rejects:                 0
  Out IPSEC Delete:                        0
  Out IKE Delete:                          0
  SAs Locally Initiated:                   0
  SAs Locally Initiated Failed:            0
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:       10873
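The counters and debug lines above already contain the diagnosis, but it takes some reading to see it. The Python script below is an added example (not from this thread and not a Cisco tool): it parses "show crypto ikev2 stats" and "debug crypto ikev2 protocol" output in the format posted here and turns them into triage findings. The two samples embedded in it are constructed from the output above, trimmed to the lines the functions use, and the wording of the findings in diagnose() is the editor's own heuristic, not an ASA message.

```python
"""Triage IKEv2 negotiation failures from ASA 'show crypto ikev2 stats' and
'debug crypto ikev2 protocol' output.

Added example (not from the thread or from Cisco); both samples are constructed
from the output posted above, trimmed to the lines the functions use.
"""
import re
from collections import Counter

SAMPLE_STATS = """\
Global IKEv2 Statistics
  Active Tunnels:                          0
  Previous Tunnels:                        0
  In Packets:                          10873
  In Notifys:                          21746
  Out Packets:                         10873
  Out Notifys:                         10873
  SAs Locally Initiated:                   0
  SAs Locally Initiated Failed:            0
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:       10873
"""

SAMPLE_DEBUG = """\
IKEv2-PROTO-1: (600): Failed to find a matching policy
IKEv2-PROTO-1: (600): Received Policies:
IKEv2-PROTO-1: (600): Expected Policies:
IKEv2-PROTO-1: (600):
IKEv2-PROTO-1: (600): Initial exchange failed
IKEv2-PROTO-1: (921): Failed to find a matching policy
IKEv2-PROTO-1: (921): Initial exchange failed
"""

POLICY_MISMATCH = "Failed to find a matching policy"


def parse_ikev2_stats(text):
    """'  Name:   <count>' lines into {name: int}; the title line has no count and is skipped."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s+(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def parse_ikev2_debug(text):
    """Group debug messages by the SA id in parentheses: {'600': Counter({msg: n})}.
    Lines with nothing after the id (the bare '(600):' line) are skipped."""
    per_sa = {}
    for m in re.finditer(r"IKEv2-PROTO-\d+: \((\d+)\): *(\S.*)", text):
        per_sa.setdefault(m.group(1), Counter())[m.group(2).strip()] += 1
    return per_sa


def diagnose(stats, per_sa):
    """Heuristic findings (editor's own wording) from the two parsed outputs."""
    findings = []
    remote_failed = stats.get("SAs Remotely Initiated Failed", 0)
    if stats.get("Active Tunnels", 0) == 0 and remote_failed:
        findings.append(
            f"no active tunnel while {remote_failed} peer-initiated SAs failed: "
            "the peer reaches this ASA, but the initial exchange fails on this side")
    out_packets = stats.get("Out Packets", 0)
    if out_packets and stats.get("Out Notifys", 0) == out_packets:
        findings.append(
            "every packet this ASA sent carried a Notify: it answered each attempt "
            "rather than completing an exchange")
    mismatched = sorted(sa for sa, c in per_sa.items() if c[POLICY_MISMATCH])
    if mismatched:
        findings.append(
            f"policy mismatch on SA {', '.join(mismatched)}: no 'crypto ikev2 policy' "
            "accepts the peer's proposal (encryption, integrity, PRF or DH group)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ikev2_stats(SAMPLE_STATS), parse_ikev2_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

The third finding is the one that matters here: a policy mismatch on the responder means none of the ASA's "crypto ikev2 policy" entries accepted the encryption, integrity, PRF and DH group combination the peer proposed. The parameters the Azure gateway offers are not visible in the portal, but Microsoft documents them, so that documentation (not the portal) is what the ASA policy has to be compared against.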

7 Replies

Dennis Mink
VIP Alumni

Double check the IKEv2 parameters at both ends: PSK, hash, DH group and lifetime; they need to match. I am not seeing phase 1 established in your case, so check and double check.

Please remember to rate useful posts, by clicking on the stars below.

Hi @Dennis Mink,

We have no possibility to check the PSK, hash, DH group and lifetime on the Azure side.

What is the good or best ASA S2S VPN configuration that you would suggest to me?

A method which works in another situation or case. Any link or file will be appreciated.

Have you tried following this config guide:

 

https://supportforums.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3099317

 

That document has both ASA and Azure side configurations to be made.

Hi Rahul,
Thanks for your link. I followed it and I am near the solution.
After all the configuration we can see that the VPN is connected with these commands:

#show crypto isakmp
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 40.115.XX.XX
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE


On Azure side we see Connected Status with Data out traffic.


I created a virtual machine on Azure and I am unable to ping my local network from this virtual machine. So I continued my analysis with the command below:

#packet-tracer input Inside icmp Local_machine 8 0 Azure_VM detailed

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Good result from the Inside side


and next I switched the packet tracer direction to the Outside interface

#packet-tracer input Outside icmp Azure_VM 8 0 Local_machine detailed

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff9d3f1950, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=18, user_data=0x1d0d7d4, cs_id=0xffe1ed0690, reverse, flags=0x0, protocol=0
src ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.128.3.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any


Can someone help me find and solve this issue?

I followed this link:

https://community.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3101421


Paste the full output for 

"packet-tracer input Inside icmp Local_machine 8 0 Azure_VM detailed"

 

Also change your second packet tracer command to the below (ASA 9.9 and above):

"packet-tracer input Outside icmp Azure_VM 8 0 Local_machine detailed decrypted"

Hi Rahul,
Here is the requested output:
# packet-tracer input Inside icmp 192.168.0.18 8 0 10.5.0.4 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.5.0.4/0 to 10.5.0.4/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 102 in interface Inside
access-list 102 extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffdc6b3dd0, priority=13, domain=permit, deny=false
hits=152098567, user_data=0xffc0c06000, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
Static translate 192.168.0.18/0 to 192.168.0.18/0
Forward Flow based lookup yields rule:
in id=0xffd8804f40, priority=6, domain=nat, deny=false
hits=2, user_data=0xff9d637ad0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.16, mask=255.255.255.248, port=0, tag=any
dst ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=Outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffd53521b0, priority=0, domain=nat-per-session, deny=true
hits=140453612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffdc472d80, priority=0, domain=inspect-ip-options, deny=true
hits=165062661, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffd367bd00, priority=70, domain=inspect-icmp, deny=false
hits=29493755, user_data=0xffd3679f50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffdc472590, priority=66, domain=inspect-icmp-error, deny=false
hits=29613443, user_data=0xffdc471b10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffde06d4e0, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x5ee8b4, cs_id=0xffe1ed0690, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.16, mask=255.255.255.248, port=0, tag=any
dst ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Outside

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffd8c5ab60, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0xff9d637bd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.16, mask=255.255.255.248, port=0, tag=any
dst ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=Inside, output_ifc=Outside

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffdd6b8b10, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=3, user_data=0x5f0d8c, cs_id=0xffe1ed0690, reverse, flags=0x0, protocol=0
src ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.168.0.16, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffd53521b0, priority=0, domain=nat-per-session, deny=true
hits=140453614, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xffdc358630, priority=0, domain=inspect-ip-options, deny=true
hits=184812210, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 195506047, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

===============================================

# packet-tracer input Outside icmp 10.5.0.4 8 0 192.168.0.18$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.0.18/0 to 192.168.0.18/0

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffd55f1230, priority=11, domain=permit, deny=true
hits=22311171, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
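Reading long packet-tracer dumps by hand is error-prone, so here is an added example (not code from this thread or from Cisco): a small Python parser for output of the form posted above that splits it into phases and reports the first phase that dropped the packet, together with the config line and the matched-rule fields (domain, deny, input_ifc) behind it. SAMPLE_TRACE is constructed from the Outside-direction trace above, trimmed to the lines the parser needs; the verdict text in explain_drop() is the editor's own.

```python
"""Parse Cisco ASA packet-tracer output and report the phase that dropped the packet.
Added example (not from the thread); SAMPLE_TRACE is constructed from the
Outside-direction trace posted above, trimmed to the lines the parser needs."""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
# packet-tracer input Outside icmp 10.5.0.4 8 0 192.168.0.18

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static Inside-net Inside-net destination static azure-networks azure-networks
Additional Information:
NAT divert to egress interface Inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffd55f1230, priority=11, domain=permit, deny=true
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
input_ifc=Outside, output_ifc=any

Result:
input-interface: Outside
output-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    ptype: str
    subtype: str
    result: str
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

    def rule_fields(self):
        """key=value pairs from the matched-rule lines; first occurrence of a key wins."""
        fields = {}
        for line in self.info:
            for key, val in re.findall(r"([A-Za-z_/]+)=([^,\s]+)", line):
                fields.setdefault(key, val)
        return fields


@dataclass
class Trace:
    command: str
    phases: list
    action: str
    drop_reason: str


def _parse_phase(lines):
    header, section, config, info = {}, None, [], []
    for line in lines:
        if line.startswith("Config:"):
            section = config
        elif line.startswith("Additional Information:"):
            section = info
        elif section is None:  # Phase / Type / Subtype / Result header lines
            key, _, val = line.partition(":")
            header[key.strip()] = val.strip()
        else:
            section.append(line.strip())
    return Phase(int(header["Phase"]), header.get("Type", ""),
                 header.get("Subtype", ""), header.get("Result", ""), config, info)


def parse_packet_tracer(text):
    """Blocks are separated by blank lines: the command, one block per phase, the final Result."""
    command, phases, action, drop_reason = "", [], "", ""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = lines[0].strip()
        if head.startswith("Phase:"):
            phases.append(_parse_phase(lines))
        elif head.startswith("Result:"):
            for line in lines[1:]:
                key, _, val = line.partition(":")
                if key == "Action":
                    action = val.strip()
                elif key == "Drop-reason":
                    drop_reason = val.strip()
        elif "packet-tracer" in head:
            command = head.lstrip("# ")
    return Trace(command, phases, action, drop_reason)


def first_drop(trace):
    """The first phase whose Result is DROP, or None if every phase allowed the packet."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def explain_drop(trace):
    """One-line verdict naming the dropping phase, its config and the matched rule."""
    phase = first_drop(trace)
    if phase is None:
        return f"allowed: all {len(trace.phases)} phases passed (action={trace.action})"
    rule = phase.rule_fields()
    where = ", ".join(f"{k}={rule[k]}" for k in ("domain", "deny", "input_ifc") if k in rule)
    cfg = " / ".join(phase.config) or "(no config shown)"
    return (f"phase {phase.number} {phase.ptype}: {trace.drop_reason or 'DROP'}; "
            f"config: {cfg}; rule: {where}")


if __name__ == "__main__":
    print(explain_drop(parse_packet_tracer(SAMPLE_TRACE)))
```

On the sample this reports the drop at phase 2, ACCESS-LIST, config "Implicit Rule", on input_ifc=Outside: the simulated packet never reached a VPN phase. That agrees with the point made in the earlier reply about the "decrypted" keyword (ASA 9.9 and above): without it, the Outside-direction trace simulates a cleartext packet arriving on the Outside interface, which hits the interface's implicit deny, so this result on its own does not show what happens to traffic that actually arrives through the tunnel. Whether decrypted tunnel traffic is exempt from the Outside interface ACL on an ASA is governed by "sysopt connection permit-vpn" (enabled by default), which is the setting to confirm next.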