I am attempting to set up a Site to Site VPN between an Azure Virtual Network and a local network with a Cisco ASA 5500 Series. The Azure Virtual Network has a static routing gateway setup. We were successfully able to complete the IKE Phase 1 negotiation, but it is failing during Phase 2.
I believe Phase 2 is failing because the network config on the Azure VPN Gateway does not match the network configuration on the ASA. The logs on the ASA say:
> Deleting static route for L2L peer that came in on a dynamic map.
> address **10.2.0.0 255.255.255.192**
> Removing peer from correlator table failed, no match!

The configuration on the ASA restricts the tunnel traffic to a single IP on the remote side.
The config looks like:
```
object-group network azure-networks
 network-object 10.2.0.4 255.255.255.255
```
But the provided ASA template script that can be downloaded through the Azure management portal specifies the network as:
```
object-group network azure-networks
 network-object 10.2.0.0 255.255.255.192
```
Which represents the whole address space of the Azure Virtual Network. Unfortunately, it's not feasible to change the config on the ASA to what the template recommends, since it's owned by another organization, so I don't have direct access to the ASA config.
My question is whether it's possible to adjust the Azure VPN Gateway config to match the config of the ASA. I am not able to find these settings in the management portal, or in the Azure Network Configuration Schema.
I already tried to find possible issues by running the diagnostic commands specified on the following page, but the logs report an error trying to complete Phase 2: http://blogs.technet.com/b/keithmayer/archive/2014/12/18/diagnose-azure-virtual-network-vpn-connectivity-issues-with-powershell.aspx
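Added example (not part of the original post): a small Python check that parses the two `object-group` fragments quoted in the question and classifies the Phase 2 traffic-selector mismatch between them. The two config strings are constructed from the post; the matching rule encoded here is the standard one, that IKEv1 quick mode (which a policy-based, "static routing" Azure gateway uses) requires the proxy IDs on both sides to match exactly, whereas IKEv2 lets the responder narrow a wider proposal. The function names and the status labels are my own.

```python
import ipaddress

# Constructed from the post: the object-group the ASA is actually running
# (a single host on the Azure side).
ASA_RUNNING_CONFIG = """\
object-group network azure-networks
 network-object 10.2.0.4 255.255.255.255
"""

# Constructed from the post: the same object-group as Azure's downloadable
# ASA template writes it (the whole VNet address space).
AZURE_TEMPLATE_CONFIG = """\
object-group network azure-networks
 network-object 10.2.0.0 255.255.255.192
"""


def parse_network_objects(config):
    """Return the IPv4 networks listed by `network-object` lines of an ASA object-group.

    Handles the two literal forms ASA prints: `network-object A.B.C.D MASK`
    and `network-object host A.B.C.D`. Nested `network-object object NAME`
    references are skipped, because resolving them needs the rest of the config.
    """
    nets = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) != 3 or parts[0] != "network-object":
            continue
        if parts[1] == "host":
            nets.append(ipaddress.ip_network(parts[2] + "/32"))
        elif parts[1] == "object":
            continue
        else:
            # ipaddress accepts a dotted netmask after the slash; strict=True
            # rejects host bits set in the network part, as ASA itself would.
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True))
    return nets


def compare_selectors(local_cfg, peer_cfg):
    """Classify each peer-side selector against the local object-group.

    Returns a list of (peer_network, status) tuples, where status is one of:
      exact          - identical prefix on both sides (IKEv1 quick mode succeeds)
      local_narrower - local entry is a subnet of the peer's (IKEv1 fails;
                       an IKEv2 responder could narrow to the local prefix)
      peer_narrower  - peer proposes a subnet of a local entry (IKEv1 fails)
      no_overlap     - nothing in common (IKEv1 fails)
    """
    local = parse_network_objects(local_cfg)
    peer = parse_network_objects(peer_cfg)
    results = []
    for p in peer:
        if p in local:
            status = "exact"
        elif any(l.subnet_of(p) for l in local):
            status = "local_narrower"
        elif any(p.subnet_of(l) for l in local):
            status = "peer_narrower"
        else:
            status = "no_overlap"
        results.append((str(p), status))
    return results


def ikev1_phase2_would_match(local_cfg, peer_cfg):
    """True only if every peer selector has an exact counterpart and vice versa."""
    local = set(parse_network_objects(local_cfg))
    peer = set(parse_network_objects(peer_cfg))
    return local == peer


if __name__ == "__main__":
    for net, status in compare_selectors(ASA_RUNNING_CONFIG, AZURE_TEMPLATE_CONFIG):
        print(f"peer selector {net}: {status}")
    print("IKEv1 Phase 2 would match:",
          ikev1_phase2_would_match(ASA_RUNNING_CONFIG, AZURE_TEMPLATE_CONFIG))
```

Run against the two fragments from the question, the peer's 10.2.0.0/26 is reported as `local_narrower`, which is exactly the situation an IKEv1 policy-based tunnel cannot negotiate: the ASA offers only 10.2.0.4/32 as the remote proxy ID while the gateway proposes the whole /26. The same parser can be pointed at a full `show running-config object-group` dump to diff a running ASA against the Azure template before the tunnel is brought up.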