Wednesday, July 23, 2014

VPN from CISCO ASA 5530 8.3(2) to Azure resets every 1 minute

We are working in a hybrid cloud solution, the first step is setting up the communications between our on premise servers and Azure.

We have at least one dozen of different network ranges in on premise network behind the ASA. 
We started the communication between on premise and Azure with one full /24 network and it worked fine, no problems at this point. So we added an extra HOST of different network and the problems began, we saw these messages in the ASA device log:

7|Jul 22 2014|14:41:21|713906|||||Ignoring msg to mark SA with dsID 255590400 dead because SA deleted 4|Jul 22 2014|14:41:21|113019|||||Group = AZ.UR.E.IP, Username = AZ.UR.E.IP, IP = AZ.UR.E.IP, Session disconnected. Session Type: IPsec, Duration: 0h:00m:58s, Bytes xmt: 4438, Bytes rcv: 7604, Reason: User Requested 5|Jul 22 2014|14:41:21|713259|||||Group = AZ.UR.E.IP, IP = AZ.UR.E.IP, Session is being torn down. Reason: User Requested

As always everything looked fine, no problems in the config in our ASA configuration, after a few hours of testing, we noticed that it is mandatory to have the same networks in both extremes of VPN.

Local networks in Azure have to be exactly the same as in the crypto map ACL of the ASA 8.3 device
Like these lines :
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
crypto map OUTSIDE_map 20 match address azure-vpn-acl

Our problem was the following: In the Azure local networks we had while in the ASA acl cypto map and it produced disconnections every one minute affecting the traffic and bandwidth.

So be careful at this configuration point.

No comments:

Post a Comment