Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1955
Views
0
Helpful
1
Replies

Site to site vpn with cisco ASA and Microsoft Azure

blackswans
Level 1
Level 1

‎08-06-2015 06:58 AM

Hi,

We're trying to establish vpn with azure's nvgre gateway but vpn is not established. Here is the log files any comments?

Regards.


Firewall# IKEv2-PROTO-1: (4):
IKEv2-PROTO-1: Invalid responder's spiIKEv2-PROTO-1: (4): Detected an invalid value in the packet
IKEv2-PROTO-1: (4):
IKEv2-PROTO-1: (4): A supplied parameter is incorrect
IKEv2-PROTO-1: (4):
IKEv2-PROTO-1: (4): Initial exchange failed
IKEv2-PROTO-1: (4): Initial exchange failed
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable.  Local Type = 0.  Local Address = 0.0.0.0.  Remote Type = 0.  Remote Address = 0.0.0.0.  Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PROTO-1: (5):
IKEv2-PROTO-1: Invalid responder's spiIKEv2-PROTO-1: (5): Detected an invalid value in the packet
IKEv2-PROTO-1: (5):
IKEv2-PROTO-1: (5): A supplied parameter is incorrect
IKEv2-PROTO-1: (5):
IKEv2-PROTO-1: (5): Initial exchange failed
IKEv2-PROTO-1: (5): Initial exchange failed
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable.  Local Type = 0.  Local Address = 0.0.0.0.  Remote Type = 0.  Remote Address = 0.0.0.0.  Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PROTO-1: (6):
IKEv2-PROTO-1: Invalid responder's spiIKEv2-PROTO-1: (6): Detected an invalid value in the packet
IKEv2-PROTO-1: (6):
IKEv2-PROTO-1: (6): A supplied parameter is incorrect
IKEv2-PROTO-1: (6):
IKEv2-PROTO-1: (6): Initial exchange failed
IKEv2-PROTO-1: (6): Initial exchange failed
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable.  Local Type = 0.  Local Address = 0.0.0.0.  Remote Type = 0.  Remote Address = 0.0.0.0.  Correlation Peer Index = 0. IPSEC Tunnel Index = 0.


Firewall#

Firewall# IKEv2-PROTO-1: (7):
IKEv2-PROTO-1: Invalid responder's spiIKEv2-PROTO-1: (7): Detected an invalid value in the packet
IKEv2-PROTO-1: (7):
IKEv2-PROTO-1: (7): A supplied parameter is incorrect
IKEv2-PROTO-1: (7):
IKEv2-PROTO-1: (7): Initial exchange failed
IKEv2-PROTO-1: (7): Initial exchange failed
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable.  Local Type = 0.  Local Address = 0.0.0.0.  Remote Type = 0.  Remote Address = 0.0.0.0.  Correlation Peer Index = 0. IPSEC Tunnel Index = 0.

1 person had this problem
Labels:
0 Helpful
1 Reply 1

acalvonu
Level 1
Level 1

‎12-20-2015 10:44 AM

Pls note that if  on the Microsoft Azure side you are using dynamic routing then it will only try to establish the tunnel with the ASA using ikev2 only, it seems to be the case as per the above log/debug

If you are using Ikev1 on the ASA then you must use Static routing on the Azure side to bring the tunnel up with ikev1 without issues

If you definitely need to use dynamic routing for the site to site tunnel, then using ikev2 is the option.

I hope this helps!

0 Helpful
Customers Also Viewed These Support Documents