08-27-2018 12:35 PM
Hello All,
I need your support for my Azure to Cisco S2S VPN.
After all configuration we can see that the VPN is connected by these commands:
#show crypto isakmp
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 40.115.XX.XX
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
On Azure side we see Connected Status with Data out traffic.
I created a virtual machine on Azure and I am unable to ping my local network from this virtual machine. So I continued my analysis with the command below:
#packet-tracer input Inside icmp Local_machine 8 0 Azure_VM detailed
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
Good results from the Inside side,
and next I switched the packet-tracer direction to the Outside interface:
#packet-tracer input Outside icmp Azure_VM 8 0 Local_machine detailed
Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xff9d3f1950, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=18, user_data=0x1d0d7d4, cs_id=0xffe1ed0690, reverse, flags=0x0, protocol=0
src ip/id=10.5.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.128.3.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=Outside, output_ifc=any
Can someone help me find and solve this issue?
I followed this link:
08-30-2018 07:08 AM
Hi TED24,
We would need to take a look at "show crypto ipsec sa" to confirm whether or not there are decaps coming in and no encaps going out to Azure. If that's the case we would probably want to take a look at internal routes to set, or your NAT configuration. Both could prevent the return traffic from getting to/through your firewall.
Please, let me know the result.
08-30-2018 07:32 AM
08-30-2018 09:08 AM
All right, thanks.
Due to the output below we can see there's no traffic being sent over your VPN tunnel:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
no Errors:
#send errors: 0, #recv errors: 0
So, you would need to tell more about which traffic you're trying to test with. What are the details about the session you're trying to set up?
The ASA site seems to be the responder, so I doubt your testing session is even reaching the FW. Do you route 10.5.0.0/16 towards your firewall from the internal network? What about your NAT configuration, is no-NAT (or NAT exempt) in place?
Please give some more information.
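One way to automate the encaps/decaps check this reply describes, as an added example that is not from the thread or from Cisco: the two sample outputs are constructed (the first reproduces the all-zero counters quoted above), and parse_counters/triage are hypothetical helper names.

```python
"""Triage helper for ASA 'show crypto ipsec sa' packet counters.

Parses the #pkts encaps/decaps and error lines and maps them to the
diagnostic reasoning used in the reply above (example code, not Cisco's).
"""
import re

# Constructed sample: the all-zero counters quoted in the thread.
SAMPLE_NO_TRAFFIC = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors: 0, #recv errors: 0
"""

# Constructed sample: Azure traffic is decrypted in, nothing is encrypted back out.
SAMPLE_ONE_WAY = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
    #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):\s*(\d+)")


def parse_counters(text: str) -> dict:
    """Return {'encaps', 'decaps', 'send_errors', 'recv_errors'} as ints."""
    found = {}
    for name, value in COUNTER_RE.findall(text):
        key = name.replace("pkts ", "").replace(" ", "_")
        found[key] = int(value)
    missing = {"encaps", "decaps", "send_errors", "recv_errors"} - found.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return found


def triage(c: dict) -> str:
    """Classify the SA state the way the reply above reasons about it."""
    if c["send_errors"] or c["recv_errors"]:
        return "errors"          # SA problems: inspect the SA/proposals before routing
    if c["encaps"] == 0 and c["decaps"] == 0:
        return "no-traffic"      # test traffic never reaches the tunnel: routing, ACL, NAT exempt
    if c["decaps"] > 0 and c["encaps"] == 0:
        return "no-return-path"  # Azure traffic arrives but replies are not encrypted: routes / NAT
    if c["encaps"] > 0 and c["decaps"] == 0:
        return "no-inbound"      # local side encrypts, nothing comes back: remote selectors / routes
    return "bidirectional"


if __name__ == "__main__":
    for label, sample in (("no traffic", SAMPLE_NO_TRAFFIC), ("one way", SAMPLE_ONE_WAY)):
        print(f"{label}: {triage(parse_counters(sample))}")
```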