Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1660
Views
0
Helpful
3
Replies

Site to Site VPN between Azure and Cisco ASA

antoniokida
Level 1
Level 1

‎09-13-2020 01:33 PM

Hello Guys,

 

Hopefully, you can provide me some guidance, I'm trying to set up a Site to Site VPN between Azure (I) and Cisco ASA (Customer), on the Azure side I created it as Route based and sent the script to the customer, however, I'm not able to get the VPN connected. On the Azure side first, it showed an error saying there was a mismatch in the IPSEC/IKE policy. Checking the logs on Azure I saw this mismatch error and asked the Customer to verify the policy, I think he did a change because later on the logs the policy mismatch error was no longer there, now I saw the tunnel was being created but then it gets closed:

 

[LOCAL_MSG] IKE Tunnel created for tunnelId 0x1

...

[LOCAL_MSG] IKE Tunnel closed for tunnelId 0x1 with status Main mode SA lifetime expired or peer sent a main mode delete.

 

Can you help me see why the tunnel is being close, I'm attaching the logs.

 

PS. I have asked the customer to provide me their configuration so I can check on my own and make sure the parameters match. Also, I have asked for the debug info for both Phase1 and Phase2.

 

Thanks in advance!!

Antonio

 

 

Labels:
Preview file
23 KB
0 Helpful
3 Replies 3

marce1000
VIP
VIP

‎09-14-2020 01:32 AM

 

 - Check if this guide can help you :

              https://www.petenetlive.com/KB/Article/0001166

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

antoniokida
Level 1
Level 1
In response to marce1000

‎09-14-2020 06:52 AM

Hello Guys, it appears that the remote side does not support tunnel-group <public-ip> "type ipsec-l2l"

 

At least is not showing the "type" command on the CLI, do you know if there are restrictions to this command?

 

Thanks

0 Helpful

marce1000
VIP
VIP
In response to antoniokida

‎09-14-2020 09:14 AM

 

 - Check if this guide can help you :

              https://community.cisco.com/t5/security-documents/configure-l2tp-over-ipsec-using-cisco-asa-8-4-and-local/ta-p/3139257

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful
Customers Also Viewed These Support Documents