Friday, June 29, 2018

Cisco ASA L2L VPN - Phase 1 and 2 up with encaps/encrypts. No decaps or decrypts.

New VPN setup where we are running into an issue: the phase 1 and phase 2 tunnels come up, but no traffic flows through in either direction. This is between an ASA5505 and an Azure VPN Gateway. I have tried checking some crypto debugs and checking the logs, but nothing stands out as an issue. Everything shows phase 1 and phase 2 coming up without a problem.

Here is a "show crypto ipsec sa":

https://i.imgur.com/u4liShp.png

Here are the relevant crypto config commands:

crypto map VPNCRYPTOMAP 1 match address azure-vpn-acl2
crypto map VPNCRYPTOMAP 1 set peer x.x.x.x
crypto map VPNCRYPTOMAP 1 set ikev1 transform-set azure-ipsec-proposal-set
crypto map VPNCRYPTOMAP 1 set security-association lifetime seconds 3600
crypto map VPNCRYPTOMAP 1 set security-association lifetime kilobytes 102400000
crypto map VPNCRYPTOMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNCRYPTOMAP interface ATT_OUTSIDE
!
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
!
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
access-list azure-vpn-acl2 extended permit ip 10.24.0.0 255.255.255.0 10.50.0.0 255.255.0.0
!
nat (INSIDE_LAN,ATT_OUTSIDE) source static onprem-networks onprem-networks destination static azure-networks azure-networks no-proxy-arp route-lookup
!
object-group network azure-networks
 description *** Azure-Virtual-Network ***
 network-object 10.50.0.0 255.255.0.0
!
object-group network onprem-networks
 description *** On-premises Networks ***
 network-object 10.24.0.0 255.255.255.0

I will note this was up and running. AnyConnect was set up with the ASDM wizard on this ASA5505, after which it was verified that the IPsec VPN was still up and running without issue and that AnyConnect access was working as expected. Some time after this it seems to have stopped working.

What I have verified:

  • Phase 1 and Phase 2 tunnels come up
  • Route for the VPN peer and the remote subnet points out the specific interface we want
  • Ran a capture and verified I'm seeing IPsec traffic to and from the public IPs of the VPN peers

Any thoughts?
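The symptom in the post is visible entirely in the per-SA counters of "show crypto ipsec sa": encaps/encrypt climbing while decaps/decrypt stay at zero means this ASA is sending ESP on the SA but never accepts a single packet from the peer on it. The following script is an added example (not code from the post or from Cisco) that parses that output, classifies each SA as bidirectional, one-way or idle, and compares the negotiated proxy IDs against the selectors the crypto ACL should have produced. The sample output embedded in it is constructed from the ASA counter-line format with documentation addresses; the screenshot in the post was not available, and the actual numbers on that ASA are unknown.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "show crypto ipsec sa" output from a Cisco ASA. It is
# not the screenshot from the post; only the lines the parser reads are kept
# and the public addresses are documentation ranges. Entry seq 1 reproduces
# the post's symptom (encaps rising, decaps zero); seq 2 is a healthy tunnel
# to a second, assumed peer for contrast.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: ATT_OUTSIDE
    Crypto map tag: VPNCRYPTOMAP, seq num: 1, local addr: 203.0.113.10

      access-list azure-vpn-acl2 extended permit ip 10.24.0.0 255.255.255.0 10.50.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.24.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: VPNCRYPTOMAP, seq num: 2, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.24.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.60.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.30

      #pkts encaps: 880, #pkts encrypt: 880, #pkts digest: 880
      #pkts decaps: 875, #pkts decrypt: 875, #pkts verify: 875
      #send errors: 0, #recv errors: 0
"""

SA_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)")
COUNTER = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
ERRORS = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")
PEER = re.compile(r"current_peer: (\S+)")


@dataclass
class IpsecSa:
    crypto_map: str
    seq: int
    local_addr: str
    peer: str = ""
    local_ident: str = ""    # "addr/mask" exactly as the ASA prints it
    remote_ident: str = ""
    counters: dict = field(default_factory=dict)
    send_errors: int = 0
    recv_errors: int = 0


def parse_ipsec_sa(text):
    """Split show crypto ipsec sa output into one record per crypto map entry."""
    sas = []
    for line in text.splitlines():
        m = SA_HEADER.search(line)
        if m:
            sas.append(IpsecSa(m.group(1), int(m.group(2)), m.group(3)))
            continue
        if not sas:          # text before the first "Crypto map tag:" header
            continue
        sa = sas[-1]
        if (m := IDENT.search(line)):
            setattr(sa, f"{m.group(1)}_ident", f"{m.group(2)}/{m.group(3)}")
        elif (m := PEER.search(line)):
            sa.peer = m.group(1)
        elif (m := ERRORS.search(line)):
            sa.send_errors, sa.recv_errors = int(m.group(1)), int(m.group(2))
        for name, value in COUNTER.findall(line):
            sa.counters[name] = int(value)
    return sas


def classify(sa):
    """Name the traffic pattern the counters show. This is a label, not a diagnosis."""
    enc = sa.counters.get("encaps", 0)
    dec = sa.counters.get("decaps", 0)
    if enc and not dec:
        return "one-way-outbound"   # we encrypt; nothing from the peer is accepted on this SA
    if dec and not enc:
        return "one-way-inbound"    # peer traffic arrives; nothing of ours reaches the SA
    if enc and dec:
        return "bidirectional"
    return "idle"


def selector_mismatch(sa, expected_local, expected_remote):
    """True if the negotiated proxy IDs differ from what the crypto ACL should produce."""
    return (sa.local_ident, sa.remote_ident) != (expected_local, expected_remote)


def report(text, expected):
    """One line per SA. `expected` maps seq -> (local, remote) in ASA addr/mask form."""
    lines = []
    for sa in parse_ipsec_sa(text):
        flags = []
        exp = expected.get(sa.seq)
        if exp and selector_mismatch(sa, *exp):
            flags.append("selector-mismatch")
        if sa.recv_errors:
            flags.append(f"recv-errors={sa.recv_errors}")
        lines.append(f"seq {sa.seq} peer {sa.peer}: {classify(sa)} {' '.join(flags) or 'ok'}")
    return lines


if __name__ == "__main__":
    # Expected selectors taken from the post's crypto ACL (seq 1); seq 2 is assumed.
    acl = {1: ("10.24.0.0/255.255.255.0", "10.50.0.0/255.255.0.0"),
           2: ("10.24.0.0/255.255.255.0", "10.60.0.0/255.255.0.0")}
    for line in report(SAMPLE_SHOW_CRYPTO_IPSEC_SA, acl):
        print(line)
```

Run it against a saved copy of the real output rather than the sample to get the same one-line summary per crypto map entry. A "one-way-outbound" SA whose selectors match the ACL puts the problem on the receive path: the peer is either not sending for these selectors (its own routes or traffic selectors), or it is sending and the ASA is not accepting the packets on this SA. The post's capture shows ESP arriving from the peer's public IP, which points at the second case; the recv error counter on the same SA and the ASA's "show asp drop" output are the next things to check before touching the configuration again.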


