Wednesday, July 23, 2014

VPN from CISCO ASA 5530 8.3(2) to Azure resets every 1 minute

We are working on a hybrid cloud solution; the first step is setting up the communications between our on-premises servers and Azure.

We have at least a dozen different network ranges in the on-premises network behind the ASA.
We started the communication between on-premises and Azure with one full /24 network and it worked fine, with no problems at that point. Then we added one extra host from a different network and the problems began; we saw these messages in the ASA device log:


7|Jul 22 2014|14:41:21|713906|||||Ignoring msg to mark SA with dsID 255590400 dead because SA deleted
4|Jul 22 2014|14:41:21|113019|||||Group = AZ.UR.E.IP, Username = AZ.UR.E.IP, IP = AZ.UR.E.IP, Session disconnected. Session Type: IPsec, Duration: 0h:00m:58s, Bytes xmt: 4438, Bytes rcv: 7604, Reason: User Requested
5|Jul 22 2014|14:41:21|713259|||||Group = AZ.UR.E.IP, IP = AZ.UR.E.IP, Session is being torn down. Reason: User Requested

As always everything looked fine, and there were no problems in our ASA configuration; after a few hours of testing, we noticed that it is mandatory to have the same networks defined at both ends of the VPN.

The local networks in Azure have to be exactly the same as the networks in the crypto map ACL of the ASA 8.3 device, i.e. the networks referenced by lines like these:
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
crypto map OUTSIDE_map 20 match address azure-vpn-acl

Our problem was the following: in the Azure local networks we had 10.50.0.0/24, while the ASA crypto map ACL had 10.50.0.250/32, and that mismatch produced disconnections every minute, affecting the traffic and bandwidth.
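A small check for exactly this mismatch, added here as an example (it is not from the original post): it parses the ASA object-group referenced by the crypto map ACL, compares its prefixes with the Azure local network list, and reports anything that is not identical on both sides. The ASA config text and the Azure prefix list are constructed sample values, not the post's real configuration.

```python
import ipaddress
import re

# Constructed sample ASA config (not the post's real config): the on-premises
# object-group that the crypto map ACL "azure-vpn-acl" references.
ASA_CONFIG = """
object-group network onprem-networks
 network-object 10.10.0.0 255.255.255.0
 network-object host 10.50.0.250
object-group network azure-networks
 network-object 10.200.0.0 255.255.0.0
"""

# Constructed sample Azure "local network" address space (the on-premises
# prefixes that Azure expects to see as traffic selectors from the ASA).
AZURE_LOCAL_NETWORKS = ["10.10.0.0/24", "10.50.0.0/24"]


def parse_object_group(config, name):
    """Return the set of IP networks in an ASA 'object-group network <name>'."""
    nets = set()
    inside = False
    for line in config.splitlines():
        if line.startswith("object-group network "):
            inside = line.split()[2] == name   # enter/leave the wanted group
            continue
        if not inside:
            continue
        host = re.match(r"\s*network-object host (\S+)", line)
        if host:
            nets.add(ipaddress.ip_network(host.group(1) + "/32"))  # host == /32
            continue
        net = re.match(r"\s*network-object (\S+) (\S+)", line)
        if net:
            # ASA uses "address netmask"; ipaddress accepts "address/netmask"
            nets.add(ipaddress.ip_network(net.group(1) + "/" + net.group(2)))
    return nets


def selector_mismatches(asa_nets, azure_prefixes):
    """Exact prefix comparison: a /32 inside an Azure /24 is still a mismatch."""
    azure = {ipaddress.ip_network(p) for p in azure_prefixes}
    only_asa = sorted(asa_nets - azure, key=str)
    only_azure = sorted(azure - asa_nets, key=str)
    return only_asa, only_azure


if __name__ == "__main__":
    onprem = parse_object_group(ASA_CONFIG, "onprem-networks")
    asa_only, azure_only = selector_mismatches(onprem, AZURE_LOCAL_NETWORKS)
    print("only in ASA crypto ACL:", [str(n) for n in asa_only])
    print("only in Azure local networks:", [str(n) for n in azure_only])
```

With the sample values above the check flags 10.50.0.250/32 on the ASA side and 10.50.0.0/24 on the Azure side, which is the mismatch that caused the one-minute resets.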

So be careful with this configuration point.
