VPN from CISCO ASA 5530 8.3(2) to Azure reset every 1 minute

sistemaspcsnet
Level 1

Hello, 

I have a VPN between my on-premises servers and MS Azure, and it is disconnected every one minute, more or less.

I have attached a debug file generated in ASDM.

192.168.213.0 is the Azure network and 10.xx.x.x are the on-premises networks.

I don't know why this is happening:

7|Jul 22 2014|14:41:21|713906|||||Ignoring msg to mark SA with dsID 255590400 dead because SA deleted
4|Jul 22 2014|14:41:21|113019|||||Group = AZ.UR.E.IP, Username = AZ.UR.E.IP, IP = AZ.UR.E.IP, Session disconnected. Session Type: IPsec, Duration: 0h:00m:58s, Bytes xmt: 4438, Bytes rcv: 7604, Reason: User Requested
5|Jul 22 2014|14:41:21|713259|||||Group = AZ.UR.E.IP, IP = AZ.UR.E.IP, Session is being torn down. Reason: User Requested

 

Any idea?
The configuration is the default configuration provided by Azure.


Thanks.

3 Replies

sistemaspcsnet
Level 1

Hello,
Finally I have solved the issue: it is mandatory to have the same networks on both ends.
The local networks in Azure have to be exactly the same as in the crypto map ACL of the ASA 8.3 device,
like these lines:
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
crypto map OUTSIDE_map 20 match address azure-vpn-acl

My problem was the following: I had in the Azure local networks 10.50.0.0/24 and 10.50.0.50/32 in the ASA crypto map ACL, and it produced disconnections every one minute.

 

 

 

This solution worked great for us as well with an ASA 5512 running 9.3(1) firmware.  The virtual networks created in Azure didn't match up with the networks on the ASA.  Since we couldn't just delete the virtual network address space in Azure we had to completely blow away the Virtual Network in Azure using this page: 

http://fabriccontroller.net/blog/posts/solving-the-virtual-network-myvnet-is-in-use-and-cannot-be-deleted-error-when-deleting-a-windows-azure-virtual-network/

Once the network was rebuilt in Azure and the networks on the ASA and Azure matched up, the VPN stayed up longer than 60 seconds (1 minute).

This solution also worked for me on 9.4(4)5.

There was a single /29 network specified on the Azure LNG that wasn't specified on the Crypto Map on the ASA.

 

Thanks.
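
A way to check for the mismatch the replies above describe, as an added example that is not part of the original thread: it parses the ASA object-group behind the crypto map ACL and compares it, prefix for prefix, with the address prefixes entered for the Azure local network. The function names are hypothetical and the sample prefixes are constructed; only the object-group names come from the thread.

```python
import ipaddress
import re

# Constructed sample: ASA object-groups referenced by the crypto map ACL
# (group names follow the thread; the prefixes are made up for illustration).
ASA_CONFIG = """\
object-group network onprem-networks
 network-object 10.50.0.0 255.255.255.0
 network-object host 10.50.0.50
 network-object 10.60.0.0 255.255.0.0
object-group network azure-networks
 network-object 192.168.213.0 255.255.255.0
"""

# Constructed sample: prefixes entered for the Azure local network.
AZURE_LOCAL_PREFIXES = ["10.50.0.0/24", "10.60.0.0/16", "10.70.0.0/29"]

def asa_group_networks(config, group):
    """Return the set of networks listed under one 'object-group network'."""
    nets, current = set(), None
    for line in config.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new top-level config stanza.
            m = re.match(r"object-group network (\S+)", line)
            current = m.group(1) if m else None
        elif current == group:
            host = re.match(r"\s+network-object host (\S+)", line)
            net = re.match(r"\s+network-object (\d\S*) (\d\S*)", line)
            if host:
                nets.add(ipaddress.ip_network(host.group(1) + "/32"))
            elif net:
                nets.add(ipaddress.ip_network(f"{net.group(1)}/{net.group(2)}"))
    return nets

def compare(asa_nets, azure_prefixes):
    """Report prefixes present on only one side, plus nested entries."""
    azure = {ipaddress.ip_network(p) for p in azure_prefixes}
    only_asa, only_azure = asa_nets - azure, azure - asa_nets
    # The thread's fix was an exact match, so also flag a one-sided entry
    # that merely sits inside another listed prefix.
    nested = sorted((str(a), str(b)) for a in only_asa | only_azure
                    for b in asa_nets | azure if a != b and a.subnet_of(b))
    return sorted(map(str, only_asa)), sorted(map(str, only_azure)), nested

if __name__ == "__main__":
    asa = asa_group_networks(ASA_CONFIG, "onprem-networks")
    only_asa, only_azure, nested = compare(asa, AZURE_LOCAL_PREFIXES)
    print("only on ASA:  ", only_asa)
    print("only in Azure:", only_azure)
    print("nested:       ", nested)
```

Any entry in the first two lists means the two sides do not describe the same networks, which is the condition the replies above identified as the cause of the disconnects.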