I need your support for my Azure to Cisco S2S VPN.
After completing the configuration, we can see that the VPN is connected with these commands:

#show crypto isakmp
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 40.115.XX.XX
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
On Azure side we see Connected Status with Data out traffic.
I created a virtual machine on Azure, but I am unable to ping my local network from this virtual machine. So I continued my analysis with the command below:

Result:
input-interface: Outside
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
We would need to take a look at "show crypto ipsec sa" to confirm whether there are decaps coming in and no encaps going out to Azure. If that's the case, we would probably want to take a look at the internal routes to set, or at your NAT configuration. Both could prevent the return traffic from getting to/through your firewall.
So you would need to tell us more about which traffic you're trying to test with. What are the details of the session you're trying to set up?
The ASA side seems to be the responder, so I doubt your test session is even reaching the FW. Do you route 10.5.0.0/16 towards your firewall from the internal network? What about your NAT configuration: is no-NAT (or NAT exempt) in place?
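As an added example, not part of this thread, the following Python helper reads the per-SA counters from "show crypto ipsec sa" and applies the reasoning in the reply above: decaps without encaps means Azure's packets are arriving and being decrypted, but nothing is being encrypted back, which points at the return path on the ASA side (route for the remote prefix, NAT exemption, interface ACL). The pasted output is constructed to mimic the ASA format; the local address 203.0.113.10 and the 192.168.1.0/24 selector are placeholders, and 10.5.0.0/16 and the peer 40.115.XX.XX are taken from the thread.

```python
import re

# Constructed sample of ASA "show crypto ipsec sa" output for one SA (not from the thread).
# It models the symptom discussed: packets arrive from Azure (decaps) but none are
# encrypted back (encaps). Local addresses are documentation/placeholder values.
SAMPLE_IPSEC_SA = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 1, local addr: 203.0.113.10

      access-list Outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.5.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.0.0/0/0)
      current_peer: 40.115.XX.XX

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 125, #pkts decrypt: 125, #pkts verify: 125
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
"""

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA entry: local/remote selectors, peer and packet counters."""
    entries = []
    current = None
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            # A "local ident" line starts a new SA entry.
            current = {"local": m.group(1), "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0}
            entries.append(current)
            continue
        if current is None:
            continue
        for key, rx in (("remote", REMOTE_RE), ("peer", PEER_RE)):
            m = rx.search(line)
            if m:
                current[key] = m.group(1)
        for key, rx in (("encaps", ENCAPS_RE), ("decaps", DECAPS_RE)):
            m = rx.search(line)
            if m:
                current[key] = int(m.group(1))
    return entries


def classify(entry):
    """Map the encaps/decaps pattern to the diagnosis the reply walks through."""
    enc, dec = entry["encaps"], entry["decaps"]
    if enc == 0 and dec == 0:
        return "no_traffic"      # nothing matched the crypto ACL in either direction
    if dec > 0 and enc == 0:
        return "inbound_only"    # peer sends, nothing is sent back: route/NAT/ACL on this side
    if enc > 0 and dec == 0:
        return "outbound_only"   # we send, peer never answers: look at the far side
    return "bidirectional"


ADVICE = {
    "no_traffic": "No interesting traffic seen; verify the test traffic reaches the ASA "
                  "and matches the crypto ACL.",
    "inbound_only": "Decaps without encaps: return traffic is not being encrypted. Check the "
                    "route for the remote prefix, the NAT exemption (identity/twice NAT) for "
                    "local<->remote, and the interface ACLs.",
    "outbound_only": "Encaps without decaps: the peer is not answering; check its selectors, "
                     "routes and filtering.",
    "bidirectional": "Traffic flows both ways over this SA.",
}


def diagnose(text):
    """Parse the show output and attach a verdict plus advice to every SA entry."""
    report = []
    for entry in parse_ipsec_sa(text):
        verdict = classify(entry)
        report.append({**entry, "verdict": verdict, "advice": ADVICE[verdict]})
    return report


if __name__ == "__main__":
    for r in diagnose(SAMPLE_IPSEC_SA):
        print(f"{r['local']} <-> {r['remote']} via {r['peer']}: "
              f"encaps={r['encaps']} decaps={r['decaps']} -> {r['verdict']}")
        print("   ", r["advice"])
```

Paste the real "show crypto ipsec sa" output in place of the constructed sample; one entry is produced per local/remote selector pair, so a crypto map with several proxy IDs is handled as well.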