09-17-2017 01:36 AM - edited 03-12-2019 04:32 AM
Hi,
We have this ASA 5512x running 9.6(3)1. We are trying to build an S2S VPN tunnel with Azure cloud.
Phase 1 is not coming up. Debug logs are as below. Also pasting the config on the ASA at our end.
------------------------------------------------------------------------------------
ASA5512-VPNGW1# debug crypto ikev1 255
ASA5512-VPNGW1# debug crypto ikev1 255
ASA5512-VPNGW1# debug crypto ike-common 255
ASA5512-VPNGW1# Sep 15 17:36:24 [IKE COMMON DEBUG]Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = azure-crypto-map. Map Sequence Number = 5.
Sep 15 17:36:24 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Sep 15 17:36:24 [IKEv1]IP = x.x.95.8, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer x.x.95.8 local Proxy Address 10.11.0.0, remote Proxy Address 10.100.0.0, Crypto map (azure-crypto-map)
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing ISAKMP SA payload
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing NAT-Traversal VID ver 02 payload
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing NAT-Traversal VID ver 03 payload
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing NAT-Traversal VID ver RFC payload
Sep 15 17:36:24 [IKEv1 DEBUG]IP = x.x.95.8, constructing Fragmentation VID + extended capabilities payload
Sep 15 17:36:24 [IKEv1]IP = x.x.95.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
SENDING PACKET to x.x.95.8
ISAKMP Header
Initiator COOKIE: d4 b8 ba 9e 51 d8 3c 06
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 364
Sep 15 17:36:27 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Sep 15 17:36:32 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
ISAKMP Header
Initiator COOKIE: d4 b8 ba 9e 51 d8 3c 06
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 364
Sep 15 17:36:33 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Sep 15 17:36:40 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
ISAKMP Header
Initiator COOKIE: d4 b8 ba 9e 51 d8 3c 06
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 364
Sep 15 17:36:48 [IKEv1]IP = x.x.95.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 364
ISAKMP Header
Initiator COOKIE: d4 b8 ba 9e 51 d8 3c 06
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 364
Sep 15 17:36:56 [IKEv1 DEBUG]IP = x.x.95.8, IKE MM Initiator FSM error history (struct &0x00002aaac24970f0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Sep 15 17:36:56 [IKEv1 DEBUG]IP = x.x.95.8, IKE SA MM:9ebab8d4 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Sep 15 17:36:56 [IKEv1 DEBUG]IP = x.x.95.8, sending delete/delete with reason message
Sep 15 17:36:56 [IKE COMMON DEBUG]IKEv1 was unsuccessful at setting up a tunnel. Map Tag = azure-crypto-map. Map Sequence Number = 5.
Sep 15 17:36:56 [IKE COMMON DEBUG]Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= azure-crypto-map. Map Sequence Number = 5.
Sep 15 17:36:56 [IKE COMMON DEBUG]Tunnel Manager Removed entry. Map Tag = azure-crypto-map. Map Sequence Number = 5.
---------------------------------------------------------------------------------------
Configuration on ASA
object-group network azure-networks
network-object 10.100.0.0 255.252.0.0
object-group network onprem-networks
network-object object Wireless-Vlan
network-object object Server-Vlan
sysopt connection tcpmss 1350
access-list OUTSIDE_access_in extended permit ip object-group onprem-networks object-group azure-networks
nat (INSIDE,OUTSIDE) source static onprem-networks onprem-networks destination static azure-networks azure-networks
access-group OUTSIDE_access_in in interface OUTSIDE
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map azure-crypto-map 5 match address OUTSIDE_access_in
crypto map azure-crypto-map 5 set peer x.x.95.8
crypto map azure-crypto-map 5 set ikev1 transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface OUTSIDE
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group x.x.95.8 type ipsec-l2l
tunnel-group x.x.95.8 ipsec-attributes
ikev1 pre-shared-key ****
-----------------------------------------------------------------------
Regards,
Nikhil
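As an added example (not from the original post or from Cisco), a small Python triage helper for the debug pattern above: it counts the MM1 sends and resends, checks whether anything came back from the peer, and reads the state the SA was stuck in out of the "FSM error history" line. The sample log is constructed in the shape of the output above, with a documentation-range peer address standing in for the real one.

```python
import re

# Constructed sample, abridged from the shape of the ASA "debug crypto ikev1 255"
# output in the post above; 203.0.113.8 is a documentation-range placeholder peer.
SAMPLE_DEBUG = """\
Sep 15 17:36:24 [IKE COMMON DEBUG]Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = azure-crypto-map. Map Sequence Number = 5.
Sep 15 17:36:24 [IKEv1]IP = 203.0.113.8, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 203.0.113.8 local Proxy Address 10.11.0.0, remote Proxy Address 10.100.0.0, Crypto map (azure-crypto-map)
Sep 15 17:36:24 [IKEv1]IP = 203.0.113.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Sep 15 17:36:32 [IKEv1]IP = 203.0.113.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Sep 15 17:36:40 [IKEv1]IP = 203.0.113.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Sep 15 17:36:48 [IKEv1]IP = 203.0.113.8, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 364
Sep 15 17:36:56 [IKEv1 DEBUG]IP = 203.0.113.8, IKE MM Initiator FSM error history (struct &0x00002aaac24970f0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_SND_MSG1, EV_SND_MSG
Sep 15 17:36:56 [IKE COMMON DEBUG]Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= azure-crypto-map. Map Sequence Number = 5.
"""

PEER_RE = re.compile(r"IP = ([0-9a-fA-Fx.:]+),")
MAP_RE = re.compile(r"Map Tag ?= ?(\S+?)\.")
HIST_RE = re.compile(r"<state>, <event>: (.*)$")

def triage_ikev1_debug(text):
    """Summarise one IKEv1 main-mode attempt and give a defender's first hypothesis."""
    info = {"peer": None, "map": None, "sent": 0, "resent": 0, "received": 0,
            "stuck_state": None, "verdict": "undetermined"}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m and info["peer"] is None:
            info["peer"] = m.group(1)
        m = MAP_RE.search(line)
        if m and info["map"] is None:
            info["map"] = m.group(1)
        if "IKE_DECODE SENDING" in line:
            info["sent"] += 1
        elif "IKE_DECODE RESENDING" in line:
            info["resent"] += 1
        elif "IKE_DECODE RECEIVED" in line:
            info["received"] += 1
        m = HIST_RE.search(line)
        if m:
            # The history is newest first: "MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->...".
            # The second <state>, <event> pair is where the SA sat when the ASA gave up.
            pairs = [p.split(", ") for p in m.group(1).split("-->")]
            if len(pairs) > 1:
                info["stuck_state"] = pairs[1][0]
    # Heuristics (assumptions): MM2 never seen means the first packet or its reply
    # never crossed the path; a later state means the peer answered and negotiation failed.
    if info["stuck_state"] == "MM_WAIT_MSG2" and info["received"] == 0:
        info["verdict"] = ("no MM2 from peer: check UDP/500 (and UDP/4500 for NAT-T) on "
                           "the path, the peer address, and that the peer has this tunnel")
    elif info["received"] > 0 and info["stuck_state"]:
        info["verdict"] = f"peer answered; failure at {info['stuck_state']} is a negotiation problem (proposal, PSK, identity), not reachability"
    return info
```

Run it over the real debug output and the verdict line tells you whether to look at the transit path first or at the IKE policy and pre-shared key.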
09-18-2017 09:35 AM
Hi Guys,
Closing this post, as the issue was from the ISP side: they had a block rule for ESP traffic (UDP/500).