7962 Views | 5 Helpful | 6 Replies
johnsmunoz
Beginner

Site-To-Site VPN not passing traffic between each other.

I have two ASA's setup.

One 5520 on our premises and one ASAv in Azure

On-premise inside range is 10.33.0.0/16 outside ip 12.x.x.x

Azure range is 10.39.0.0/16 outside ip 13.x.x.x

I'm able to establish a VPN session between the two units

but if I try and ping an on-premise IP from azure I'm getting this error on the on-premise ASA

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 10.33.0.0/255.255.0.0/0/0 on interface outside
QM FSM error (P2 struct &0x6f0e1ab0, mess id 0xbf9f4d96)!
Removing peer from correlator table failed, no match!

On the Azure ASAv I have this access list

access-list management_cryptomap_1 extended permit ip any object 10.33.0.0

On the on-premises ASA I have this access list

access-list outside_cryptomap extended permit ip any object 10.39.0.0

I'm at a loss as to what I'm doing wrong. Could someone point out the error of my ways?

1 ACCEPTED SOLUTION

Accepted Solutions
Peter Koltl
Frequent Contributor

nat (inside,outside) source static onprem-networks onprem-networks destination static Azure-Virtual-Network-16 Azure-Virtual-Network-16 no-proxy-arp route-lookup


Don't ping from ASA, ping from LAN IP addresses.


6 Replies
Rahul Govindan
Advocate

Your ACL should be between 10.33.0.0 and 10.39.0.0 networks and vice versa. You currently have ACL's defined between "any" and 10.33.0.0 and "any" and 10.39.0.0. Change it so that the ACL reflects only the traffic that you want to send across the tunnel.

Thanks Rahul,

So your local ASA is getting a proposal to build a tunnel with ASAv side (remote) proxy as 10.39.100.100/32 and Local proxy as 12.x.x.x/32.

Group = 13.x.x.x, IP = 13.x.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.39.100.100/255.255.255.255/0/0 local proxy 12.x.x.x/255.255.255.255/0/0 on interface outside

If this is how you want the proxies to be, then your local ASA should have the ACL with the same proxies like below:

access-list outside_cryptomap extended permit ip host 12.x.x.x host 10.39.100.100
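As an added example that is not part of this thread or of any Cisco tool, the check below parses the ASA "no matching crypto map entry" message and crypto ACL entries from both peers, shows why an "any" source on one side surfaces as a 0.0.0.0/0 remote proxy on the other, and tests whether two peers' ACLs are mirror images as Rahul's reply requires. The object-name table, the sample rejection line and the containment rule used for matching are assumptions constructed for this example.

```python
"""Check ASA crypto ACL proxy identities against a Phase 2 rejection message (added example)."""
import ipaddress
import re

# Constructed object table: the thread names its network objects after the networks they hold.
OBJECTS = {"10.33.0.0": "10.33.0.0/16", "10.39.0.0": "10.39.0.0/16"}
ANY = ipaddress.ip_network("0.0.0.0/0")
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")

# Constructed rejection line in the same shape as the one quoted in the question.
REJECT = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
          "0.0.0.0/0.0.0.0/0/0 local proxy 10.33.0.0/255.255.0.0/0/0 on interface outside")

def parse_endpoint(tokens, objects=OBJECTS):
    """Consume one 'any' | 'host A' | 'object NAME' | 'A MASK' spec; return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "object":
        return ipaddress.ip_network(objects[tokens[1]]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(line):
    """'access-list NAME extended permit ip SRC DST' -> (local_net, remote_net)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACL form: {line}")
    local, rest = parse_endpoint(tokens[5:])
    remote, _ = parse_endpoint(rest)
    return local, remote

def parse_rejection(logline):
    """Pull (local, remote) proxy networks out of the 'Rejecting IPSec tunnel' message."""
    m = PROXY_RE.search(logline)
    if not m:
        raise ValueError("not a crypto map rejection line")
    return (ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"),
            ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))

def covering_entry(acl_lines, local_proxy, remote_proxy):
    """First ACL line whose networks contain both proxies, else None (containment rule is assumed)."""
    for line in acl_lines:
        local_net, remote_net = parse_acl(line)
        if local_proxy.subnet_of(local_net) and remote_proxy.subnet_of(remote_net):
            return line
    return None

def is_mirror(our_line, peer_line):
    """True when the peer's entry is ours with source and destination swapped."""
    return parse_acl(our_line) == parse_acl(peer_line)[::-1]
```

Run against the question's on-premises entry, `covering_entry` returns None because the 10.39.0.0/16 destination cannot contain the 0.0.0.0/0 remote proxy the Azure "any" produced, while the two object-to-object entries pass `is_mirror`.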

Thanks for all your help. I've got both sides connected to the VPN tunnel now.

From the Azure site I'm able to ping our on-premise computers, but I can't do the reverse.

On the 10.39.0.0 ASAv I'm able to ping 10.33.40.10, but from the remote 10.33.0.0 ASA I can't ping that same IP.

I'm not seeing any failures on either log.  

Routes are currently 0.0.0.0 0.0.0.0 "next hop" outside 

I'm so close to being done with this project, I'm just not sure where I'm going wrong.

Attached are excerpts from the current configs on both systems.

Johnsmunoz,

Did you ever figure this one out? I am having the exact same problem: the tunnel is up, I can ping both sides of it from the Azure ASA, but for the life of me I cannot get traffic to pass. I've set up two L2L tunnels in the last two weeks with no problem, but I double checked and triple checked and everything is exactly the same on both sides, and I can't get it to work...

