Site-to-Site VPN between Cisco ASA and Microsoft Azure Virtual Network with IKEV2

ermionline
Level 1

Hi Guys,

I just wanted to establish a site-to-site VPN from my ASA to a remote Azure Virtual Network using IKEv2, but I failed to do so. When I ran debug crypto ikev2 platform 127, I saw

Crypto Map: No proxy match on map outside_map seq 1

Please help


rasmus.elmholt
Level 7
Hi

I had the same problem once.
Have you followed the guide from MS: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa

And used a Route-Based VPN Gateway, and PolicyBased Traffic Selectors?

Yeah, but still same problem

Hello @ermionline,

Can you post the complete debug so I can check further, pls.

Have a good one!

Gio

Thank You.

I attached the debug file

 

Hey, 

 

I checked the debugs and found this: 

 

IKEv2-PLAT-2: (1772): Crypto Map: No proxy match on map outside_map seq 1
IKEv2-PLAT-2: (1772): Crypto map outside_map seq 22 is incomplete
IKEv2-PROTO-1: (1772): Failed to find a matching policy
IKEv2-PROTO-1: (1772): Received Policies:
ESP: Proposal 1: AES-GCM-256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: 3DES SHA96 Don't use ESN
ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN

 

The ASA is trying to match the SA with the ACL and it doesn't find anything related to land in the proper crypto map sequence; also, there are the IPsec proposals from the other side.

 

You need to check the ACL for that particular tunnel and try to match the ESP configuration. After you verify that, try again, and if it doesn't work, upload the debugs one more time.

 

Have a good one!

 

Gio

PJ
Level 1

I am seeing the same issues on the Cisco ASA Version 9.1(6)4 to Microsoft Azure VPN. Any updates on this issue?

 

Thanks

I had the same issue and changing the ESP encryption protocol worked

 

# old config - from Azure template

crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-256
protocol esp integrity sha-1

# new config

crypto ipsec ikev2 ipsec-proposal AES-GCM-256
protocol esp encryption aes-gcm-256
protocol esp integrity sha-256

 

# We accept both old and new proposals in case something is changed on the Azure side

crypto map vpn-crypto-map 1 set ikev2 ipsec-proposal AES-256 AES-GCM-256

 

Software 9.8(1) on ASAv
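
Added example, not part of any reply in this thread: a small Python check that compares the ESP proposals listed under "Received Policies" in the debug with the locally configured ipsec-proposal stanzas. The sample inputs are taken from the posts above; the keyword-to-debug-name mapping and the rule that AES-GCM needs no separate integrity match are assumptions, and the function names are hypothetical.

```python
import re

# Sample inputs taken from the thread: peer ESP proposals from the debug output
# and the two local ipsec-proposal stanzas from the last reply.
DEBUG = """\
ESP: Proposal 1: AES-GCM-256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: 3DES SHA96 Don't use ESN
ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN
"""
CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
"""
# Assumption: how ASA config keywords correspond to the names the debug prints.
ENC = {"aes": "AES-CBC-128", "aes-256": "AES-CBC-256", "3des": "3DES",
       "aes-gcm-256": "AES-GCM-256"}
INT = {"sha-1": "SHA96", "sha-256": "SHA256"}

def parse_peer(debug):
    """Return [(proposal number, encryption, integrity or None)] from debug text."""
    out = []
    for m in re.finditer(r"ESP:\s+Proposal\s+(\d+):\s+(.+?)\s+Don't use ESN", debug):
        algs = m.group(2).split()
        out.append((int(m.group(1)), algs[0], algs[1] if len(algs) > 1 else None))
    return out

def parse_local(config):
    """Return {proposal name: {'encryption': [...], 'integrity': [...]}}."""
    props, name = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"] and len(words) > 4:
            name = words[4]
            props[name] = {"encryption": [], "integrity": []}
        elif name and words[:2] == ["protocol", "esp"] and words[2:3] and words[2] in props[name]:
            props[name][words[2]] += words[3:]
    return props

def matches(peer, local):
    """Pair each peer proposal with every local proposal that could accept it."""
    hits = []
    for num, enc, integ in peer:
        for name, p in local.items():
            encs = {ENC[e] for e in p["encryption"] if e in ENC}
            ints = {INT[i] for i in p["integrity"] if i in INT}
            # Assumption: AES-GCM is a combined mode, so integrity is not compared.
            if enc in encs and ("GCM" in enc or integ in ints):
                hits.append((num, name))
    return hits
```

An empty result from `matches` means no local proposal covers anything the peer offered; a non-empty result means the transform sets overlap and the crypto map's proxy ACL is the next thing to compare.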