Tunnel to Microsoft Azure fails to come up

chance gearhart
Level 1

I was asked to put a second set of eyes on this tunnel for Microsoft Azure and was told that the tunnel could not be established.  It sounded as if Microsoft could see the request, but would be followed by an immediate message from the ASA to close the connection.  I ran a debug and have attached the output.  Any help would be greatly appreciated.

39 Replies

Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing SA payload
Mar 01 11:21:11 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 11:21:11 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 11:21:11 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, Oakley proposal is acceptable
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, Received NAT-Traversal RFC VID
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, Received NAT-Traversal ver 02 VID
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, Received Fragmentation VID
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing IKE SA payload
Mar 01 11:21:11 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 11:21:11 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 11:21:11 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, IKE SA Proposal # 1, Transform # 2 acceptable Matches global IKE entry # 9
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing ISAKMP SA payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing NAT-Traversal VID ver RFC payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing Fragmentation VID + extended capabilities payload
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing ke payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing ISA_KE payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing nonce payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing NAT-Discovery payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, computing NAT Discovery hash
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, processing NAT-Discovery payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, computing NAT Discovery hash
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing ke payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing nonce payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing Cisco Unity VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing xauth V6 VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, Send IOS VID
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing VID payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing NAT-Discovery payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, computing NAT Discovery hash
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, constructing NAT-Discovery payload
Mar 01 11:21:11 [IKEv1 DEBUG]IP = 104.42.185.111, computing NAT Discovery hash
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, Connection landed on tunnel_group 104.42.185.111
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Generating keys for Responder...
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing ID payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing hash payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Computing hash for ISAKMP
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, Connection landed on tunnel_group 104.42.185.111
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing ID payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing hash payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Computing hash for ISAKMP
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing dpd vid payload
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, PHASE 1 COMPLETED
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, Keep-alive type for this connection: None
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, Keep-alives configured on but peer does not support keep-alives (type = None)
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Starting P1 rekey timer: 21600 seconds.
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 368
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing hash payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing SA payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing nonce payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing ID payload
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Received remote IP Proxy Subnet data in ID Payload: Address 10.1.0.0, Mask 255.255.254.0, Protocol 0, Port 0
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing ID payload
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Received local IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, QM IsRekeyed old sa not found by addr
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Static Crypto Map check, checking map = partner-map, seq = 1...
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Static Crypto Map check, map = partner-map, seq = 1, ACL does not match proxy IDs src:10.1.0.0 dst:192.168.0.0
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Skipping dynamic map cisco sequence 1: cannot match peerless map when peer found in previous map entry.
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.0.0/255.255.254.0/0/0 local proxy 192.168.0.0/255.255.0.0/0/0 on interface outside
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, sending notify message
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing blank hash payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing qm hash payload
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=ed7fbb44) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 432
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, QM FSM error (P2 struct &0x00007fff34f34e60, mess id 0x1)!
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, IKE QM Responder FSM error history (struct &0x00007fff34f34e60) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, sending delete/delete with reason message
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Removing peer from correlator table failed, no match!
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, IKE SA MM:e14aa001 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, IKE SA MM:e14aa001 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, sending delete/delete with reason message
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing blank hash payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing IKE delete payload
Mar 01 11:21:11 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing qm hash payload
Mar 01 11:21:11 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=a6699260) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Session is being torn down. Reason: crypto map policy not found
Mar 01 11:21:11 [IKEv1]Ignoring msg to mark SA with dsID 101314560 dead because SA deleted

I don't see the correct change being made.

The Azure ACL shows:

sh access-list azure-vpn-acl
access-list azure-vpn-acl line 1 extended permit ip 192.168.0.0 255.255.0.0 10.1.0.0 255.255.255.0 log informational interval 300 (hitcnt=0) 0x23d11024

but the logs state

Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Received remote IP Proxy Subnet data in ID Payload: Address 10.1.0.0, Mask 255.255.254.0, Protocol 0, Port 0

Can you please confirm whether the mask for 10.1.0.0 is 255.255.254.0 or 255.255.255.0 ?


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
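The mismatch Dinesh points out can be checked mechanically. The following Python script is an added example, not code from this thread: it parses one crypto ACL entry (in `show access-list` form) and the `Received remote/local IP Proxy Subnet` debug lines, then flags any difference between the ACE and the peer's Quick Mode proxy IDs, which is the condition the first debug rejected with `ACL does not match proxy IDs`. The ACL and debug lines embedded below are constructed after the ones in the thread.

```python
import ipaddress
import re

# Constructed sample lines modelled on the thread's ASA output (not the
# page's verbatim config). The ACE carries a /24 for the Azure side while
# the peer proposes a /23 in its IKEv1 Quick Mode proxy IDs.
ACL_LINE = ("access-list azure-vpn-acl line 1 extended permit ip "
            "192.168.0.0 255.255.0.0 10.1.0.0 255.255.255.0 log informational "
            "interval 300 (hitcnt=0) 0x23d11024")

DEBUG_LINES = [
    "Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, "
    "Received remote IP Proxy Subnet data in ID Payload: Address 10.1.0.0, "
    "Mask 255.255.254.0, Protocol 0, Port 0",
    "Mar 01 11:21:11 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, "
    "Received local IP Proxy Subnet data in ID Payload: Address 192.168.0.0, "
    "Mask 255.255.0.0, Protocol 0, Port 0",
]

# In an ASA crypto ACL the source is the local (protected) side and the
# destination is the remote side behind the peer.
ACL_RE = re.compile(
    r"access-list (?P<name>\S+) line \d+ extended permit ip "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<smask>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dmask>\d+\.\d+\.\d+\.\d+)"
)
PROXY_RE = re.compile(
    r"Received (?P<side>remote|local) IP Proxy Subnet data in ID Payload: "
    r"Address (?P<addr>\d+\.\d+\.\d+\.\d+), Mask (?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def parse_acl(line):
    """Return (local_net, remote_net) from one 'permit ip' crypto ACL entry."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError("not a permit ip ACL line: %r" % line)
    local = ipaddress.ip_network("%s/%s" % (m["src"], m["smask"]), strict=False)
    remote = ipaddress.ip_network("%s/%s" % (m["dst"], m["dmask"]), strict=False)
    return local, remote


def parse_proxy_ids(lines):
    """Collect the local/remote proxy subnets the peer sent in Quick Mode."""
    ids = {}
    for line in lines:
        m = PROXY_RE.search(line)
        if m:
            ids[m["side"]] = ipaddress.ip_network(
                "%s/%s" % (m["addr"], m["mask"]), strict=False)
    return ids


def check_proxy_match(acl_line, debug_lines):
    """List every difference between the ACE and the peer's proxy IDs.

    An empty list means the ACE and the proxy IDs are identical on both
    sides; anything else is the mismatch the debug reports."""
    local, remote = parse_acl(acl_line)
    ids = parse_proxy_ids(debug_lines)
    problems = []
    if ids.get("local") != local:
        problems.append("local: ACL %s vs peer %s" % (local, ids.get("local")))
    if ids.get("remote") != remote:
        problems.append("remote: ACL %s vs peer %s" % (remote, ids.get("remote")))
    return problems


if __name__ == "__main__":
    for problem in check_proxy_match(ACL_LINE, DEBUG_LINES):
        print("MISMATCH", problem)
```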

OK, without getting too excited, I think that fixing the mask may have worked. Here is my debug output.

Rinchem-AB3-ASAFW/pri/act# debug crypto ikev1 16
Rinchem-AB3-ASAFW/pri/act# Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 372
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing SA payload
Mar 01 13:01:13 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 13:01:13 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 13:01:13 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, Oakley proposal is acceptable
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, Received NAT-Traversal RFC VID
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, Received NAT-Traversal ver 02 VID
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, Received Fragmentation VID
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing IKE SA payload
Mar 01 13:01:13 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 13:01:13 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 13:01:13 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, IKE SA Proposal # 1, Transform # 2 acceptable Matches global IKE entry # 9
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing ISAKMP SA payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing NAT-Traversal VID ver RFC payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing Fragmentation VID + extended capabilities payload
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing ke payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing ISA_KE payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing nonce payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing NAT-Discovery payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, computing NAT Discovery hash
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, processing NAT-Discovery payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, computing NAT Discovery hash
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing ke payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing nonce payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing Cisco Unity VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing xauth V6 VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, Send IOS VID
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing VID payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing NAT-Discovery payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, computing NAT Discovery hash
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, constructing NAT-Discovery payload
Mar 01 13:01:13 [IKEv1 DEBUG]IP = 104.42.185.111, computing NAT Discovery hash
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, Connection landed on tunnel_group 104.42.185.111
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Generating keys for Responder...
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing ID payload
Mar 01 13:01:13 [IKEv1 DECODE]Group = 104.42.185.111, IP = 104.42.185.111, ID_IPV4_ADDR ID received
104.42.185.111
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing hash payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Computing hash for ISAKMP
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, Connection landed on tunnel_group 104.42.185.111
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing ID payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing hash payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Computing hash for ISAKMP
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing dpd vid payload
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, PHASE 1 COMPLETED
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, Keep-alive type for this connection: None
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, Keep-alives configured on but peer does not support keep-alives (type = None)
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Starting P1 rekey timer: 21600 seconds.
Mar 01 13:01:13 [IKEv1 DECODE]IP = 104.42.185.111, IKE Responder starting QM: msg id = 00000001
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 368
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing hash payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing SA payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing nonce payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing ID payload
Mar 01 13:01:13 [IKEv1 DECODE]Group = 104.42.185.111, IP = 104.42.185.111, ID_IPV4_ADDR_SUBNET ID received--10.1.0.0--255.255.254.0
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Received remote IP Proxy Subnet data in ID Payload: Address 10.1.0.0, Mask 255.255.254.0, Protocol 0, Port 0
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing ID payload
Mar 01 13:01:13 [IKEv1 DECODE]Group = 104.42.185.111, IP = 104.42.185.111, ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.0.0
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Received local IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, QM IsRekeyed old sa not found by addr
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Static Crypto Map check, checking map = partner-map, seq = 1...
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Static Crypto Map check, map partner-map, seq = 1 is a successful match
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, IKE Remote Peer configured for crypto map: partner-map
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing IPSec SA payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, IPSec SA Proposal # 2, Transform # 1 acceptable Matches global IPSec SA entry # 1
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, IKE: requesting SPI!
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, IKE got SPI from key engine: SPI = 0x553d396e
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, oakley constucting quick mode
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing blank hash payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing IPSec SA payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing IPSec nonce payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing proxy ID
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Transmitting Proxy Id:
Remote subnet: 10.1.0.0 Mask 255.255.254.0 Protocol 0 Port 0
Local subnet: 192.168.0.0 mask 255.255.0.0 Protocol 0 Port 0
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, constructing qm hash payload
Mar 01 13:01:13 [IKEv1 DECODE]Group = 104.42.185.111, IP = 104.42.185.111, IKE Responder sending 2nd QM pkt: msg id = 00000001
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE SENDING Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Mar 01 13:01:13 [IKEv1]IP = 104.42.185.111, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, processing hash payload
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, loading all IPSEC SAs
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Generating Quick Mode Key!
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, NP encrypt rule look up for crypto map partner-map 1 matching ACL azure-vpn-acl: returned cs_id=2faf6d70; encrypt_rule=2a355070; tunnelFlow_rule=2df42a10
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Generating Quick Mode Key!
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, NP encrypt rule look up for crypto map partner-map 1 matching ACL azure-vpn-acl: returned cs_id=2faf6d70; encrypt_rule=2a355070; tunnelFlow_rule=2df42a10
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, Security negotiation complete for LAN-to-LAN Group (104.42.185.111) Responder, Inbound SPI = 0x553d396e, Outbound SPI = 0x3aad7840
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, IKE got a KEY_ADD msg for SA: SPI = 0x3aad7840
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Pitcher: received KEY_UPDATE, spi 0x553d396e
Mar 01 13:01:13 [IKEv1 DEBUG]Group = 104.42.185.111, IP = 104.42.185.111, Starting P2 rekey timer: 3060 seconds.
Mar 01 13:01:13 [IKEv1]Group = 104.42.185.111, IP = 104.42.185.111, PHASE 2 COMPLETED (msgid=00000001)

Well I thought the tunnel was up, but I still can't reach the server sitting on azure.

Glad to hear the tunnel was up

Can you please send me the output of
show crypto ipsec sa peer x.x.x.x | in encaps|decaps|ident

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

show crypto ipsec sa peer 104.42.185.111 | in encaps|decaps|ident
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.254.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

Hi,

It seems the ASA is not able to encaps the packets.

Could you check the NAT statement and check if you have permitted the correct networks?

Also check if you have correct routing in place for the 10.1.0.0/255.255.254.0 network on the ASA?

show asp table routing should point it through the outside interface.

Regards,

Aditya

Please rate helpful posts.

Hi chance gearhart,

Can you please share the output of the following commands:

show route
packet-tracer input inside icmp 192.168.0.3 8 0 10.1.0.3 detail

Also, if you can tweak NATting before taking the above-mentioned outputs, that will be great.


no nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks

nat (inside,outside) 1 source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

OK, I put in those NAT statements and here is the output of show route and packet-tracer:

(config)# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 63.225.12.1 to network 0.0.0.0

C 192.168.209.0 255.255.255.0 is directly connected, inside
C 172.16.0.0 255.255.255.0 is directly connected, dmz
S 10.0.0.0 255.0.0.0 [1/0] via 192.168.209.1, inside
C 63.225.12.0 255.255.255.0 is directly connected, outside
C 192.0.2.0 255.255.255.252 is directly connected, lan_fo
S 192.168.207.0 255.255.255.0 [1/0] via 192.168.209.30, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 63.225.12.1, outside
S 192.168.0.0 255.255.0.0 [1/0] via 192.168.209.1, inside
Rinchem-AB3-ASAFW/pri/act(config)# packet-tracer input inside icmp 192.168.0.3 8 0 10.1.0.3 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.0.0.0 255.0.0.0 inside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,any) after-auto source static any any no-proxy-arp
Additional Information:
Static translate 192.168.0.3/0 to 192.168.0.3/0
Forward Flow based lookup yields rule:
in id=0x7fff32f8b320, priority=6, domain=nat, deny=false
hits=26410851, user_data=0x7fff32f88db0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a59ce60, priority=3, domain=permit, deny=false
hits=8086970, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=inside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff299aa190, priority=0, domain=nat-per-session, deny=true
hits=39148068, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a4be300, priority=0, domain=inspect-ip-options, deny=true
hits=67927410, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a4bdc30, priority=66, domain=inspect-icmp-error, deny=false
hits=10088414, user_data=0x7fff2a4bd1a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b810450, priority=50, domain=ids, deny=false
hits=61312447, user_data=0x7fff2b80eaf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b814a10, priority=18, domain=flow-export, deny=false
hits=64406483, user_data=0x7fff2b844500, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,any) after-auto source static any any no-proxy-arp
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2a7d2e30, priority=6, domain=nat-reverse, deny=false
hits=8038632, user_data=0x7fff32f88db0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 75457951, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

You need to access 10.1.0.0 255.255.255.0 across tunnel but you have a route for 10.0.0.0 255.0.0.0 pointing to inside interface.

Please add "route outside 10.1.0.0 255.255.255.0 63.225.12.1" and let me know how it fares.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
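Aditya's encaps/decaps hint and Dinesh's routing observation can both be checked from `show route` and `show crypto ipsec sa` output. The following Python is an added example, not code from this thread: it performs the longest-prefix lookup the ASA does for a host in the remote proxy subnet and reports whether the egress interface is the one the crypto map is applied to, and it flags the zero-encaps, non-zero-decaps pattern. The route table and counter lines embedded below are constructed after the thread's output, and `outside` as the crypto-map interface is an assumption.

```python
import ipaddress
import re

# Constructed 'show route' lines modelled on the thread's table (not the
# page's verbatim output). The 10.0.0.0/8 static route toward the inside
# gateway swallows Azure's 10.1.0.0/23 unless a more specific route exists.
ROUTE_LINES = [
    "C 192.168.209.0 255.255.255.0 is directly connected, inside",
    "C 172.16.0.0 255.255.255.0 is directly connected, dmz",
    "S 10.0.0.0 255.0.0.0 [1/0] via 192.168.209.1, inside",
    "C 63.225.12.0 255.255.255.0 is directly connected, outside",
    "S 192.168.207.0 255.255.255.0 [1/0] via 192.168.209.30, inside",
    "S* 0.0.0.0 0.0.0.0 [1/0] via 63.225.12.1, outside",
    "S 192.168.0.0 255.255.0.0 [1/0] via 192.168.209.1, inside",
]

# Constructed counter lines in 'show crypto ipsec sa' form.
SA_LINES = [
    "#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
    "#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3",
]

ROUTE_RE = re.compile(
    r"^(?P<code>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r".*?,\s*(?P<ifc>\S+)\s*$"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_routes(lines):
    """Turn 'show route' entries into (network, egress interface) pairs;
    legend and 'Gateway of last resort' lines do not match and are skipped."""
    routes = []
    for line in lines:
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network("%s/%s" % (m["net"], m["mask"]), strict=False)
            routes.append((net, m["ifc"]))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the (network, interface) the ASA picks for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifc in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best


def check_tunnel_route(route_lines, remote_proxy, crypto_ifc, probe=None):
    """Report whether a host in the remote proxy subnet is routed out crypto_ifc.

    Traffic that leaves on another interface never reaches the crypto map,
    so the SA shows decaps from the peer but no encaps from our side."""
    proxy = ipaddress.ip_network(remote_proxy, strict=False)
    host = probe or str(proxy.network_address + 1)
    best = egress_interface(parse_routes(route_lines), host)
    if best is None:
        return {"probe": host, "matched": None, "egress": None, "ok": False}
    net, ifc = best
    return {"probe": host, "matched": str(net), "egress": ifc, "ok": ifc == crypto_ifc}


def one_way_hint(sa_lines):
    """True when the SA decapsulates traffic but never encapsulates any."""
    counters = {}
    for line in sa_lines:
        for name, value in COUNTER_RE.findall(line):
            counters[name] = int(value)
    return counters.get("encaps", 0) == 0 and counters.get("decaps", 0) > 0


if __name__ == "__main__":
    print("one-way SA:", one_way_hint(SA_LINES))
    print(check_tunnel_route(ROUTE_LINES, "10.1.0.0/255.255.254.0", "outside", "10.1.0.3"))
    fixed = ROUTE_LINES + ["S 10.1.0.0 255.255.255.0 [1/0] via 63.225.12.1, outside"]
    print(check_tunnel_route(fixed, "10.1.0.0/255.255.254.0", "outside", "10.1.0.3"))
```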

Doesn't seem to work

(config)# traceroute 10.1.0.3

Type escape sequence to abort.
Tracing the route to 10.1.0.3

1 63.225.12.1 !N !N !N

(config)# sh route | i 63.225.12.1
Gateway of last resort is 63.225.12.1 to network 0.0.0.0
S 10.1.0.0 255.255.255.0 [1/0] via 63.225.12.1, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 63.225.12.1, outside

Can you now run the same packet-tracer command and share the output?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

(config)# packet-tracer input inside icmp 192.168.0.3 8 0 10.1.0.3 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.0.0 255.255.255.0 outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.0.3/0 to 10.1.0.3/0

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.0.3/0 to 192.168.0.3/0
Forward Flow based lookup yields rule:
in id=0x7fff33f92120, priority=6, domain=nat, deny=false
hits=24, user_data=0x7fff2fae9050, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.254.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff299aa190, priority=0, domain=nat-per-session, deny=true
hits=39177174, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a4be300, priority=0, domain=inspect-ip-options, deny=true
hits=68051544, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a4bdc30, priority=66, domain=inspect-icmp-error, deny=false
hits=10090267, user_data=0x7fff2a4bd1a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b810450, priority=50, domain=ids, deny=false
hits=61402121, user_data=0x7fff2b80eaf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b814a10, priority=18, domain=flow-export, deny=false
hits=64534201, user_data=0x7fff2b844500, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2deee870, priority=70, domain=encrypt, deny=false
hits=7, user_data=0x332b1c, cs_id=0x7fff2faf6d70, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.254.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2d3e0890, priority=6, domain=nat-reverse, deny=false
hits=7, user_data=0x7fff2fb052b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.254.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 75550318, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_ids
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

It does look like it is going through the VPN tunnel now and we are hitting the correct NAT.

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.0.3/0 to 192.168.0.3/0
Forward Flow based lookup yields rule:
in id=0x7fff33f92120, priority=6, domain=nat, deny=false
hits=24, user_data=0x7fff2fae9050, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.254.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff2deee870, priority=70, domain=encrypt, deny=false
hits=7, user_data=0x332b1c, cs_id=0x7fff2faf6d70, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.254.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Please run this command
clear crypto ipsec sa counters

Generate some traffic

and then share the output of

show crypto ipsec sa peer x.x.x.x | in encaps|decaps|ident


Regards,
Dinesh Moudgil


Should simply pinging work?

(config)# clear crypto ipsec sa counters
(config)# show crypto ipsec sa peer 104.42.185.111 | in encaps|decaps|ident
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.254.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
Rinchem-AB3-ASAFW/pri/act(config)# ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
(config)# show crypto ipsec sa peer 104.42.185.111 | in encaps|decaps|ident
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.254.0/0/0)
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
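As an added example (not code from either participant), here is a small Python parser for the filtered `show crypto ipsec sa peer ... | in encaps|decaps|ident` output that Dinesh asked for, using the two snapshots posted above as its sample input. It takes the counters before and after traffic is generated, computes the delta, and maps the four possible patterns (nothing/nothing, encaps only, decaps only, both) to the direction a practitioner should look next. The interpretation strings are the usual reading of these counters and are this example's own wording, not something stated in the thread.

```python
import re
from typing import Dict

# Matches e.g. "local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)"
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
# Matches each "#pkts <name>: <n>" pair on the encaps/decaps lines
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")

# Sample input: the two snapshots quoted from the thread above.
BEFORE = """\
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.254.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
"""
AFTER = """\
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.254.0/0/0)
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
"""


def parse_sa(text: str) -> Dict[str, Dict[str, object]]:
    """Extract selector pair and packet counters from the filtered SA output."""
    sa: Dict[str, Dict[str, object]] = {"idents": {}, "counters": {}}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, prot, port = m.groups()
            sa["idents"][side] = {"net": f"{addr}/{mask}", "prot": int(prot), "port": int(port)}
            continue
        for name, value in COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
    return sa


def delta(before: Dict, after: Dict) -> Dict[str, int]:
    """Per-direction packet counts generated between the two snapshots."""
    return {k: after["counters"].get(k, 0) - before["counters"].get(k, 0)
            for k in ("encaps", "decaps")}


def diagnose(d: Dict[str, int]) -> str:
    """Map the counter pattern to the side of the tunnel to inspect next."""
    if d["encaps"] == 0 and d["decaps"] == 0:
        return "no traffic hit this SA: check local routing and the crypto ACL"
    if d["encaps"] > 0 and d["decaps"] == 0:
        return "sent but nothing returned: check the remote side's routing and selectors"
    if d["encaps"] == 0 and d["decaps"] > 0:
        return "received but nothing sent: check local routing toward the remote subnet"
    return "bidirectional traffic is flowing through this SA"


def check(before_text: str, after_text: str) -> str:
    b, a = parse_sa(before_text), parse_sa(after_text)
    if b["idents"] != a["idents"]:
        return "selectors changed between snapshots; compare the same SA"
    return diagnose(delta(b, a))


if __name__ == "__main__":
    print(parse_sa(AFTER)["idents"])
    print(delta(parse_sa(BEFORE), parse_sa(AFTER)))
    print(check(BEFORE, AFTER))
```

Because `clear crypto ipsec sa counters` zeroes the counters, the "before" snapshot is normally all zeros and the delta equals the "after" values; the parser keeps both so it also works on a live SA you cannot clear. Note that the test ping in the thread was to 10.0.0.1, which lies outside the SA's remote ident of 10.1.0.0/255.255.254.0, so the counters that moved are worth correlating with other traffic toward 10.1.0.0/23 rather than with that ping.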