Azure site-to-site VPN disconnects at random

Hello. We've got a new DC and terminal server running in Azure and connected to our office via Site-to-Site VPN using our Cisco ASA (ASDM version 7.7(1), ASA version 9.1(1)). We are noticing that at random times throughout the day we appear to lose our connection to Azure. I'm posting my running config here to see if anyone can spot what might be causing the problem. Note that I have already configured sysopt connection preserve-vpn-flows.

Result of the command: "show running-config"
: Saved
:
ASA Version 9.1(1)
!
hostname JICLASA
enable password XXXXXXXXXXXXXXXX encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XXXXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
 switchport trunk allowed vlan 3
 switchport trunk native vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.X.X.X 255.255.255.248
!
boot system disk0:/asa911-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.0.0
object service obj-tcp-eq-3393
 service tcp destination eq 3393
object network obj-192.168.1.103
 host 192.168.1.103
object service obj-tcp-eq-64424
 service tcp destination eq 64424
object network obj-192.168.1.20
 host 192.168.1.20
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.0.0.0_16
 subnet 10.0.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object-group service CustomService tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service CustomService2 tcp
 port-object eq 64424
object-group network azure-networks
 description Azure-Virtual-Network
 network-object 10.0.0.0 255.255.0.0
object-group network onprem-networks
 description On-premises Network
 network-object 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group onprem-networks object-group azure-networks
access-list outside_nat extended permit tcp any4 host 50.x.x.x eq 64424
access-list DMZ_access_in extended permit ip any4 any4
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_access_in remark Ping
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in remark Migration: End of expansion
access-list outside_access_in remark Login for Fran Veal (Accountant)
access-list outside_access_in extended permit tcp any4 host 192.168.1.103 eq 3393
access-list outside_access_in remark New Port for Remote Connections from homes
access-list outside_access_in extended permit tcp any4 host 192.168.1.20 eq 64424
pager lines 24
logging enable
logging buffer-size 1000000
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-771.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.0.0.0 obj-10.0.0.0 no-proxy-arp route-lookup
nat (outside,inside) source dynamic any interface destination static interface obj-192.168.1.103 service obj-tcp-eq-3393 obj-tcp-eq-3393
nat (outside,inside) source dynamic any interface destination static interface obj-192.168.1.20 service obj-tcp-eq-64424 obj-tcp-eq-64424
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.0.0.0_16 NETWORK_OBJ_10.0.0.0_16 no-proxy-arp route-lookup
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
!
object network obj-192.168.1.103
 nat (inside,outside) static interface service tcp 3393 3393
object network obj-192.168.1.20
 nat (inside,outside) static interface service tcp 64424 64424
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.x.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto map outside_cryptomap 1 match address azure-vpn-acl
crypto map outside_cryptomap 1 set peer 52.x.x.x
crypto map outside_cryptomap 1 set ikev1 transform-set azure-ipsec-proposal-set ESP-AES-128-SHA ESP-3DES-SHA-TRANS
crypto map outside_cryptomap interface outside
crypto ca trustpool policy
crypto ikev2 enable inside
crypto ikev2 enable outside
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd domain JICL.local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_52.x.x.x internal
group-policy GroupPolicy_52.x.x.x attributes
 vpn-tunnel-protocol ikev1
username jicladm password XXXXXXXXXXXX encrypted
username admin password XXXXXXXXXXXXX encrypted privilege 15
username SysCorp password XXXXXXXXXXXXX encrypted privilege 15
username SysAdmin password XXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group 52.x.x.x type ipsec-l2l
tunnel-group 52.x.x.x general-attributes
 default-group-policy GroupPolicy_52.x.x.x
tunnel-group 52.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable ou
tunnel-group-map default-group 52.x.x.x
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:af5284a98faaaf749b35433a148076de
: end
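Two things in the posted config are worth confirming are intentional before chasing intermittent drops: the same 192.168.1.0/24 to 10.0.0.0/16 pair is exempted from NAT by three overlapping identity-NAT rules (one of them on (inside,any)), and the tunnel-group carries IKEv2 pre-shared keys while GroupPolicy_52.x.x.x permits only ikev1. The script below is an added example, not code from the post or from Cisco; it parses the running-config text as pasted and reports both points. The embedded sample is a constructed excerpt of the config above that keeps two of the three identity-NAT rules, and the script assumes Python 3.8 or later.

```python
"""Added example (not from the post or from Cisco): a small consistency audit of
an ASA running-config excerpt for the site-to-site tunnel configured above.
It checks (1) how many identity-NAT (exemption) rules cover each local/remote
pair in the crypto-map ACL and (2) whether a tunnel-group carries IKEv2 keys
while its group-policy permits only IKEv1."""
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the posted running-config.
SAMPLE_CONFIG = """\
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-10.0.0.0
 subnet 10.0.0.0 255.255.0.0
object-group network azure-networks
 network-object 10.0.0.0 255.255.0.0
object-group network onprem-networks
 network-object 192.168.1.0 255.255.255.0
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
nat (inside,any) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.0.0.0 obj-10.0.0.0 no-proxy-arp route-lookup
nat (inside,outside) source static onprem-networks onprem-networks destination static azure-networks azure-networks
crypto map outside_cryptomap 1 match address azure-vpn-acl
group-policy GroupPolicy_52.x.x.x attributes
 vpn-tunnel-protocol ikev1
tunnel-group 52.x.x.x general-attributes
 default-group-policy GroupPolicy_52.x.x.x
tunnel-group 52.x.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

NAT_RE = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)")

def parse_blocks(config):
    """Split the config into (top-level command, [indented sub-lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line[0] in "!:":
            continue  # skip blanks, '!' separators and the ': Saved' / ': end' markers
        if line[0] == " " and blocks:
            blocks[-1][1].append(line.strip())
        elif line[0] != " ":
            blocks.append((line.rstrip(), []))
    return blocks

def resolve_networks(blocks):
    """Map object / object-group names to the set of 'net mask' strings they hold."""
    nets = {}
    for cmd, subs in blocks:
        m = re.match(r"object(?:-group)? network (\S+)", cmd)
        if m:
            nets[m.group(1)] = frozenset(
                s.split(" ", 1)[1] for s in subs
                if s.startswith(("subnet ", "host ", "network-object ")))
    return nets

def nat_exemption_findings(blocks, nets):
    """Per crypto-ACL pair, count identity-NAT rules (0 = NATed before encryption, >1 = overlap)."""
    acl = next((cmd.split()[-1] for cmd, _ in blocks if " match address " in cmd), None)
    exempt = defaultdict(list)
    for cmd, _ in blocks:
        m = NAT_RE.match(cmd)
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            exempt[(nets.get(m.group(1)), nets.get(m.group(3)))].append(cmd)
    counts = {}
    for cmd, _ in blocks:
        m = ACL_RE.match(cmd)
        if m and m.group(1) == acl:
            pair = (nets.get(m.group(2)), nets.get(m.group(3)))
            counts[f"{m.group(2)} -> {m.group(3)}"] = len(exempt[pair])
    return acl, counts

def ike_version_findings(blocks):
    """Tunnel-groups holding IKEv2 pre-shared keys whose group-policy does not allow IKEv2."""
    protocols, policy_of, has_ikev2 = {}, {}, set()
    for cmd, subs in blocks:
        if m := re.match(r"group-policy (\S+) attributes", cmd):
            for s in subs:
                if s.startswith("vpn-tunnel-protocol "):
                    protocols[m.group(1)] = set(s.split()[1:])
        elif m := re.match(r"tunnel-group (\S+) general-attributes", cmd):
            for s in subs:
                if s.startswith("default-group-policy "):
                    policy_of[m.group(1)] = s.split()[1]
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", cmd):
            if any(s.startswith("ikev2 ") for s in subs):
                has_ikev2.add(m.group(1))
    return sorted(tg for tg in has_ikev2
                  if "ikev2" not in protocols.get(policy_of.get(tg), set()))

def audit(config):
    """Run both checks over a running-config string and return a plain dict of findings."""
    blocks = parse_blocks(config)
    acl, counts = nat_exemption_findings(blocks, resolve_networks(blocks))
    return {"crypto_acl": acl, "identity_nat_rules_per_vpn_pair": counts,
            "ikev2_keys_without_ikev2_policy": ike_version_findings(blocks)}
```

Run `audit(open("show-run.txt").read())` against the full pasted output; on the excerpt it reports two identity-NAT rules for the onprem-networks to azure-networks pair and lists 52.x.x.x as a tunnel-group with IKEv2 keys but an IKEv1-only policy. Neither is proof of the disconnect cause, but both are the kind of leftover from ASDM wizards that is easier to rule out before looking at the peer side.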

1 REPLY

What model ASA is this?
