775 Views, 0 Helpful, 3 Replies

Azure S2S VPN with Cisco ASA (ASA Version 9.8(2)) not working properly

TED24
Level 1

Hello All,

I need your support for my Azure to Cisco S2S VPN.

After all configuration we can see that the VPN is connected with these commands:

#show crypto isakmp
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 40.115.XX.XX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

On the Azure side we see Connected status with Data out traffic.


I created a virtual machine on Azure and I am unable to ping my local network with this virtual machine. So I continued my analysis with the command below:

#packet-tracer input Inside icmp Local_machine 8 0 Azure_VM detailed

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Good results from the Inside side.

Next I switched the packet-tracer direction to the Outside interface:

#packet-tracer input Outside icmp Azure_VM 8 0 Local_machine detailed

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xff9d3f1950, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=18, user_data=0x1d0d7d4, cs_id=0xffe1ed0690, reverse, flags=0x0, protocol=0
        src ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any
        dst ip/id=10.128.3.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=Outside, output_ifc=any

Can someone help me find and solve this issue?

I followed this link:

https://community.cisco.com/t5/security-blogs/site-to-site-vpn-between-cisco-asa-and-microsoft-azure-virtual/ba-p/3101421

3 Replies

erwindebrouwer
Level 1

Hi TED24,

We would need to take a look at "show crypto ipsec sa" to confirm whether or not there are decaps coming in and no encaps going out to Azure. If that's the case we would probably want to take a look at the internal routes to set, or your NAT configuration. Both could prevent the return traffic from getting to/through your firewall.

Please let me know the result.

Hi erwindebrouwer,
Here is the output:


interface: Outside
Crypto map tag: azure-crypto-map, seq num: 1, local addr: 213.136.126.130

access-list azure-vpn-acl extended permit ip 10.128.128.0 255.255.254.0 10.5.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.128.128.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (10.5.0.0/255.255.0.0/0/0)
current_peer: 40.115.32.14


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 213.136.126.130/0, remote crypto endpt.: 40.115.32.14/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: D52D8822
current inbound spi : 0217F51C

inbound esp sas:
spi: 0x0217F51C (35124508)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 204541952, crypto-map: azure-crypto-map
sa timing: remaining key lifetime (kB/sec): (97200000/3590)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xD52D8822 (3576530978)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 204541952, crypto-map: azure-crypto-map
sa timing: remaining key lifetime (kB/sec): (97200000/3590)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Alright, thanks.

From the output below we can see there's no traffic being sent over your VPN tunnel:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

No errors:

#send errors: 0, #recv errors: 0

So, you would need to tell us more about which traffic you're trying to test with. What are the details of the session you're trying to set up?

The ASA site seems to be the responder, so I doubt your testing session is even reaching the FW. Do you route 10.5.0.0/16 towards your firewall from the internal network? What about your NAT configuration, is no-NAT (or NAT exempt) in place?

Please give some more information.
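As an added example (not code from this thread, from Cisco or from Microsoft), the following Python pulls the proxy identities and packet counters out of the "show crypto ipsec sa" output posted above and maps them to the checks erwindebrouwer suggests: zero encaps and zero decaps means no interesting traffic is reaching the crypto map (check the route toward 10.5.0.0/16 and the NAT exemption), while decaps without encaps points at the return path. The sample text is a trimmed copy of the output in this thread; the host addresses 10.128.128.10, 10.128.3.10 and 10.5.0.4 used in the coverage check are assumed, since the real Local_machine and Azure_VM addresses are not given.

```python
import re
import ipaddress

# Constructed sample: a trimmed copy of the "show crypto ipsec sa" output
# posted in this thread (only the lines the parser needs).
SAMPLE_SA = """\
Crypto map tag: azure-crypto-map, seq num: 1, local addr: 213.136.126.130
local ident (addr/mask/prot/port): (10.128.128.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (10.5.0.0/255.255.0.0/0/0)
current_peer: 40.115.32.14
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")


def parse_ipsec_sa(text):
    """Extract proxy identities (as networks) and traffic counters from one SA."""
    info = {}
    for side, addr, mask in IDENT_RE.findall(text):
        info[side] = ipaddress.ip_network(f"{addr}/{mask}")
    for name, value in COUNTER_RE.findall(text):
        info[name] = int(value)
    for name, value in ERROR_RE.findall(text):
        info[f"{name}_errors"] = int(value)
    return info


def covered_by_sa(info, src, dst):
    """True if an inside->Azure flow matches the negotiated local/remote idents.
    A source outside the local ident never hits the crypto map, so the
    counters stay at zero even though the tunnel itself is up."""
    return (ipaddress.ip_address(src) in info["local"]
            and ipaddress.ip_address(dst) in info["remote"])


def diagnose(info):
    """Map the encaps/decaps pattern to the next thing to check on the ASA."""
    enc, dec = info["encaps"], info["decaps"]
    if info["send_errors"] or info["recv_errors"]:
        return "errors"                  # start with the error counters
    if enc == 0 and dec == 0:
        return "no-interesting-traffic"  # route to 10.5.0.0/16 and NAT exemption
    if enc == 0:
        return "return-path"             # decaps arrive, replies never get encrypted
    if dec == 0:
        return "remote-side"             # we encrypt, nothing comes back (assumed case)
    return "healthy"
```

The "remote-side" branch is the mirror of the return-path case and is an assumption added here; the other two verdicts are the ones the replies above describe.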
