S2S with Azure not working (MM_WAIT_MSG2 / Duplicate entry already in Tunnel Manager)

nikhil_pawar
Level 1

Hi,

We have this ASA 5512x running 9.6(3)1. We are trying to build an S2S VPN tunnel with Azure cloud.

Phase 1 is not coming up. Debug logs are as below. Also pasting the config on the ASA at our end.

------------------------------------------------------------------------------------

ASA5512-VPNGW1# debug crypto ikev1 255
ASA5512-VPNGW1# debug crypto ikev1 255
ASA5512-VPNGW1# debug crypto ike-common 255
ASA5512-VPNGW1# Sep 15 17:36:24 [IKE COMMON DEBUG]Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = azure-crypto-map. Map Sequence Number = 5.
Sep 15 17:36:24 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Sep 15 17:36:24 [IKEv1]IP = x.x.95.8, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer x.x.95.8 local Proxy Address 10.11.0.0, remote Proxy Address 10.100.0.0, Crypto map (azure-crypto-map)
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing ISAKMP SA payload
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing NAT-Traversal VID ver 02 payload
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing NAT-Traversal VID ver 03 payload
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing NAT-Traversal VID ver RFC payload
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing Fragmentation VID + extended capabilities payload
Sep 15 17:36:24 [IKEv1]IP = x.x.95.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364

SENDING PACKET to x.x.95.8
ISAKMP Header
Initiator COOKIE: d4 b8 ba 9e 51 d8 3c 06
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 364
Sep 15 17:36:27 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Sep 15 17:36:32 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364

ISAKMP Header
Initiator COOKIE: d4 b8 ba 9e 51 d8 3c 06
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 364
Sep 15 17:36:33 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Sep 15 17:36:40 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364

ISAKMP Header
Initiator COOKIE: d4 b8 ba 9e 51 d8 3c 06
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 364
Sep 15 17:36:48 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364

ISAKMP Header
Initiator COOKIE: d4 b8 ba 9e 51 d8 3c 06
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 364
Sep 15 17:36:56 [IKEv1 DEBUG]IP = x.x.95.8, IKE MM Initiator FSM error history (struct &0x00002aaac24970f0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Sep 15 17:36:56 [IKEv1 DEBUG]IP = x.x.95.8, IKE SA MM:9ebab8d4 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Sep 15 17:36:56 [IKEv1 DEBUG]IP = x.x.95.8, sending delete/delete with reason message
Sep 15 17:36:56 [IKE COMMON DEBUG]IKEv1 was unsuccessful at setting up a tunnel. Map Tag = azure-crypto-map. Map Sequence Number = 5.
Sep 15 17:36:56 [IKE COMMON DEBUG]Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= azure-crypto-map. Map Sequence Number = 5.
Sep 15 17:36:56 [IKE COMMON DEBUG]Tunnel Manager Removed entry. Map Tag = azure-crypto-map. Map Sequence Number = 5.

---------------------------------------------------------------------------------------

Configuration on ASA 

object-group network azure-networks
network-object 10.100.0.0 255.252.0.0

object-group network onprem-networks
network-object object Wireless-Vlan
network-object object Server-Vlan

sysopt connection tcpmss 1350

access-list OUTSIDE_access_in extended permit ip object-group onprem-networks object-group azure-networks

nat (INSIDE,OUTSIDE) source static onprem-networks onprem-networks destination static azure-networks azure-networks

access-group OUTSIDE_access_in in interface OUTSIDE

crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association lifetime kilobytes 102400000

crypto map azure-crypto-map 5 match address OUTSIDE_access_in
crypto map azure-crypto-map 5 set peer x.x.95.8
crypto map azure-crypto-map 5 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface OUTSIDE

crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800

crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400

crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400

crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400

crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400

crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400

crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400

tunnel-group x.x.95.8 type ipsec-l2l
tunnel-group x.x.95.8 ipsec-attributes
ikev1 pre-shared-key ****

-----------------------------------------------------------------------

Regards,

Nikhil
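The debug above has a recognisable shape: the ASA sends Main Mode message 1 (msgid=0), logs only RESENDING lines afterwards, and the FSM error history ends with MM_WAIT_MSG2 timing out, meaning no IKE reply ever arrived from the peer. Below is an added triage script (mine, not part of this thread or any Cisco tool) that parses that pattern out of `debug crypto ikev1` output and classifies it. The sample lines are a constructed, shortened copy of the log in the post; the reading of "Duplicate entry already in Tunnel Manager" as a repeat trigger for the same crypto map entry while an attempt is still pending is my interpretation.

```python
"""Triage Cisco ASA `debug crypto ikev1` output for an IKEv1 initiator that
never gets past MM_WAIT_MSG2 (added example, not from the forum thread)."""
import re

# Constructed sample, shortened from the pattern in the original post: one
# Main Mode message 1 sent, three retransmits, no reply, FSM error history,
# then Tunnel Manager giving up.
SAMPLE_DEBUG = """\
Sep 15 17:36:24 [IKEv1]IP = x.x.95.8, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer x.x.95.8 local Proxy Address 10.11.0.0, remote Proxy Address 10.100.0.0, Crypto map (azure-crypto-map)
Sep 15 17:36:24 [IKEv1]IP = x.x.95.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Sep 15 17:36:27 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Sep 15 17:36:32 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Sep 15 17:36:40 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Sep 15 17:36:48 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Sep 15 17:36:56 [IKEv1 DEBUG]IP = x.x.95.8, IKE MM Initiator FSM error history (struct &0x00002aaac24970f0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Sep 15 17:36:56 [IKE COMMON DEBUG]Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= azure-crypto-map. Map Sequence Number = 5.
"""

PEER_RE = re.compile(r"IP = (?P<peer>[^,]+),")
MSG_RE = re.compile(r"IKE_DECODE (?P<kind>SENDING|RESENDING|RECEIVED) Message "
                    r"\(msgid=(?P<msgid>[0-9a-fA-F]+)\)")
FSM_RE = re.compile(r"FSM error history .*?<event>: (?P<hist>.+)$")
DUP_MARK = "Duplicate entry already in Tunnel Manager"
FAIL_MARK = "Tunnel Manager has failed to establish an L2L SA"


def parse_fsm_history(hist):
    """Turn 'MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->...' into a list of
    (state, event) pairs. The ASA prints the most recent transition first."""
    pairs = []
    for step in hist.split("-->"):
        state, _, event = step.strip().partition(", ")
        pairs.append((state, event))
    return pairs


def summarize(debug_text):
    """Count Phase 1 (msgid=0) sends, resends and receives per debug capture."""
    s = {"peer": None, "sent": 0, "resent": 0, "received": 0,
         "duplicate_entries": 0, "fsm": [], "tunnel_failed": False}
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m and s["peer"] is None:
            s["peer"] = m.group("peer")
        m = MSG_RE.search(line)
        if m and m.group("msgid") == "0":
            key = {"SENDING": "sent", "RESENDING": "resent",
                   "RECEIVED": "received"}[m.group("kind")]
            s[key] += 1
        m = FSM_RE.search(line)
        if m:
            s["fsm"] = parse_fsm_history(m.group("hist"))
        if DUP_MARK in line:
            s["duplicate_entries"] += 1
        if FAIL_MARK in line:
            s["tunnel_failed"] = True
    return s


def diagnose(s):
    """Return (verdict, notes). 'no-response-from-peer' means MM1 left the
    ASA but nothing came back, so proposals and the PSK were never compared;
    look at reachability and UDP/500 filtering on the path, not at crypto."""
    notes = []
    waited_for_msg2 = any(st == "MM_WAIT_MSG2" for st, _ in s["fsm"])
    timed_out = ("MM_WAIT_MSG2", "EV_TIMEOUT") in s["fsm"]
    if s["sent"] and s["received"] == 0 and (s["resent"] or timed_out):
        notes.append(f"MM1 sent to {s['peer']} and retransmitted "
                     f"{s['resent']} times with no IKE reply")
        if waited_for_msg2:
            notes.append("FSM timed out in MM_WAIT_MSG2: the peer never "
                         "answered MM1, so proposals/PSK were never evaluated")
        if s["duplicate_entries"]:
            notes.append("'Duplicate entry already in Tunnel Manager' is a "
                         "repeat trigger for the same map entry while this "
                         "attempt was pending: a symptom, not the cause")
        return "no-response-from-peer", notes
    if s["received"]:
        return "peer-responded", notes
    return "inconclusive", notes


if __name__ == "__main__":
    verdict, notes = diagnose(summarize(SAMPLE_DEBUG))
    print(verdict)
    for n in notes:
        print(" -", n)
```

Run it as-is to see the classification of the constructed sample, or feed it a saved debug capture. A "no-response-from-peer" verdict is the case where a bidirectional packet capture on the outside interface for UDP/500 to the peer tells you more than any further crypto debugging.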
1 Accepted Solution

nikhil_pawar
Level 1

Hi Guys,

Closing this post, as the issue was from the ISP side as they had a block rule for ESP traffic (UDP/500).

2 Replies

Great. Please remember to rate useful posts