Hi,
Please help, as I am setting up the VPN gateway for my Azure and was not able to connect to the on-premises network.
The connection is established when I ping/initiate from my on-premises network to the Azure network, but not from the other side.
It seems that the third packet was not sent by Azure. I don't understand.
Return from Cisco:
When the traffic is initiated from the remote side;
the remote side sends the first packet, the ASA receives it, processes it and sends the second packet, and waits for the third packet from the remote side;
EV_RESEND_MSG-->QM_WAIT_MSG3, EV_TIMEOUT-->QM_WAIT_MSG3
it does work well in both directions
but in this case
when tunnel initiated from ASA side, it works good;
when I checked the previous logs, it showed that phase 1 got completed
Aug 27 09:49:19 [IKEv1 DEBUG]: Group = 23.101.71.236, IP = 23.101.71.236, processing hash payload
Aug 27 09:49:19 [IKEv1 DEBUG]: Group = 23.101.71.236, IP = 23.101.71.236, processing SA payload
Aug 27 09:49:19 [IKEv1 DEBUG]: Group = 23.101.71.236, IP = 23.101.71.236, processing nonce payload
Aug 27 09:49:19 [IKEv1 DEBUG]: Group = 23.101.71.236, IP = 23.101.71.236, processing ID payload
Aug 27 09:49:19 [IKEv1 DECODE]: Group = 23.101.71.236, IP = 23.101.71.236, ID_IPV4_ADDR_SUBNET ID received--10.40.0.0--255.255.255.0
Aug 27 09:49:19 [IKEv1]: Group = 23.101.71.236, IP = 23.101.71.236, Received remote IP Proxy Subnet data in ID Payload: Address 10.40.0.0, Mask 255.255.255.0, Protocol 0, Port 0
Aug 27 09:49:19 [IKEv1 DEBUG]: Group = 23.101.71.236, IP = 23.101.71.236, processing ID payload
Aug 27 09:49:19 [IKEv1 DECODE]: Group = 23.101.71.236, IP = 23.101.71.236, ID_IPV4_ADDR_SUBNET ID received--130.0.0.0--255.255.0.0
Aug 27 09:49:19 [IKEv1]: Group = 23.101.71.236, IP = 23.101.71.236, Received local IP Proxy Subnet data in ID Payload: Address 130.0.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Aug 27 09:49:19 [IKEv1]: IP = 23.101.71.236, Rejecting new IPSec SA negotiation for peer 23.101.71.236. A negotiation was already in progress for local Proxy 130.0.0.0/255.255.0.0, remote Proxy 10.40.0.0/255.255.255.0
Aug 27 09:49:19 [IKEv1]: Group = 23.101.71.236, IP = 23.101.71.236, QM FSM error (P2 struct &0x725ae4d0, mess id 0x3)!
Aug 27 09:49:19 [IKEv1 DEBUG]: Group = 23.101.71.236, IP = 23.101.71.236, IKE QM Responder FSM error history (struct &0x725ae4d0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG
Aug 27 09:49:19 [IKEv1 DEBUG]: Group = 23.101.71.236, IP = 23.101.71.236, sending delete/delete with reason message
Aug 27 09:49:19 [IKEv1]: Group = 23.101.71.236, IP = 23.101.71.236, Removing peer from correlator table failed, no match!
Aug 27 09:49:20 [IKEv1 DECODE]: IP = 23.101.71.236, IKE Responder starting QM: msg id = 00000003
Aug 27 09:49:20 [IKEv1]: IP = 23.101.71.236, IKE_DECODE RECEIVED Message (msgid=3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 368
Logs are taken with Azure Gateway diagnostics:
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|QM-LIFETIME-TYPE: 1
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|QM-LIFETIME-SEC: 3600
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|QM-LIFETIME-TYPE: 2
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|QM-LIFETIME-KB: 102400000
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|QM-ENCAP-MODE: TUNNEL (1)
Unknown( 38): GUID=08bde363-89a7-96f6-73de-58dd49d49245 (No Format Information found).
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|QM-KEY-LENGTH: 256
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Adjusting QM cipher type to AES-256
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Comparing QM local policy proposal 0 with received proposal 1 transform 1
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Attribute mismatch: QM-INTEGRITY-TYPE, expected: HMAC-SHA-256-128, received: HMAC-SHA1-96
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Comparing QM local policy proposal 1 with received proposal 1 transform 1
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Accepted QM proposal. Local policy proposal: 1, Received proposal: 1 transform: 1
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Process Payload NONCE, SA 0000007C67857810 QM 0000007C67856D50
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Process Payload NOTIFY, SA 0000007C67857810 QM 0000007C67856D50
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Processing LIFETIME change QM Notify
[0]02FC.0B78::08/27/2015-11:22:01.661 [user] |84.55.161.153|IkeProcessLifetimeNotify failed with Windows error 13840(ERROR_IPSEC_IKE_PROCESS_ERR_NOTIFY)
[0]02FC.0B78::08/27/2015-11:22:01.661 [user] |84.55.161.153|IkeProcessLifetimeNotify failed with HRESULT 0x80073610(ERROR_IPSEC_IKE_PROCESS_ERR_NOTIFY)
[0]02FC.0B78::08/27/2015-11:22:01.661 [user] |84.55.161.153|IkePostPayloadProcessQMNotify failed with HRESULT 0x80073610(ERROR_IPSEC_IKE_PROCESS_ERR_NOTIFY
Is it a problem with the IKEv1 configuration? The route table or something else?
Thanks for all!
Regards,
Pierre
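As an added example, not part of Pierre's post nor any Cisco or Microsoft tooling, the script below pulls the IKEv1 Quick Mode (phase 2) events out of the two log formats shown above: the ASA `[IKEv1]` debug lines and the Azure gateway `ikeext` trace. Its input is a constructed copy of the relevant lines from the post, the regular expressions are my own reading of those formats, and it only reports what the lines say (the duplicate QM rejection and retransmitted message id on the ASA side, the integrity-algorithm mismatch, accepted proposal and failed lifetime notify on the Azure side); it does not decide the root cause.

```python
"""Triage IKEv1 Quick Mode events from ASA debug output and an Azure ikeext trace."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the phase 2 lines from the post, not a live capture.
ASA_LOG = """\
Aug 27 09:49:19 [IKEv1]: Group = 23.101.71.236, IP = 23.101.71.236, Received remote IP Proxy Subnet data in ID Payload: Address 10.40.0.0, Mask 255.255.255.0, Protocol 0, Port 0
Aug 27 09:49:19 [IKEv1]: Group = 23.101.71.236, IP = 23.101.71.236, Received local IP Proxy Subnet data in ID Payload: Address 130.0.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Aug 27 09:49:19 [IKEv1]: IP = 23.101.71.236, Rejecting new IPSec SA negotiation for peer 23.101.71.236. A negotiation was already in progress for local Proxy 130.0.0.0/255.255.0.0, remote Proxy 10.40.0.0/255.255.255.0
Aug 27 09:49:19 [IKEv1]: Group = 23.101.71.236, IP = 23.101.71.236, QM FSM error (P2 struct &0x725ae4d0, mess id 0x3)!
Aug 27 09:49:19 [IKEv1 DEBUG]: Group = 23.101.71.236, IP = 23.101.71.236, sending delete/delete with reason message
Aug 27 09:49:20 [IKEv1 DECODE]: IP = 23.101.71.236, IKE Responder starting QM: msg id = 00000003
"""

AZURE_LOG = """\
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Comparing QM local policy proposal 0 with received proposal 1 transform 1
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Attribute mismatch: QM-INTEGRITY-TYPE, expected: HMAC-SHA-256-128, received: HMAC-SHA1-96
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Comparing QM local policy proposal 1 with received proposal 1 transform 1
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Accepted QM proposal. Local policy proposal: 1, Received proposal: 1 transform: 1
[0]02FC.0B78::08/27/2015-11:22:01.661 [ikeext] 420|84.55.161.153|Processing LIFETIME change QM Notify
[0]02FC.0B78::08/27/2015-11:22:01.661 [user] |84.55.161.153|IkeProcessLifetimeNotify failed with Windows error 13840(ERROR_IPSEC_IKE_PROCESS_ERR_NOTIFY)
[0]02FC.0B78::08/27/2015-11:22:01.661 [user] |84.55.161.153|IkeProcessLifetimeNotify failed with HRESULT 0x80073610(ERROR_IPSEC_IKE_PROCESS_ERR_NOTIFY)
"""

# Patterns are assumptions derived from the lines above, not an official log grammar.
ASA_REJECT = re.compile(
    r"Rejecting new IPSec SA negotiation for peer (\S+)\. A negotiation was already "
    r"in progress for local Proxy (\S+), remote Proxy (\S+)")
ASA_QM_ERROR = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-fA-F]+, mess id (0x[0-9a-fA-F]+)\)")
ASA_QM_START = re.compile(r"IKE Responder starting QM: msg id = ([0-9a-fA-F]+)")
AZ_MISMATCH = re.compile(r"Attribute mismatch: ([\w-]+), expected: (\S+), received: (\S+)")
AZ_ACCEPT = re.compile(r"Accepted QM proposal\. Local policy proposal: (\d+), Received proposal: (\d+) transform: (\d+)")
AZ_WINERR = re.compile(r"(\w+) failed with Windows error (\d+)\((\w+)\)")


def parse_asa(text: str) -> Dict[str, list]:
    """Collect QM rejections, FSM errors and responder QM starts from ASA debug lines."""
    out: Dict[str, list] = {"rejected": [], "qm_error_msg_ids": [], "qm_start_msg_ids": []}
    for line in text.splitlines():
        if m := ASA_REJECT.search(line):
            out["rejected"].append(m.groups())          # (peer, local proxy, remote proxy)
        elif m := ASA_QM_ERROR.search(line):
            out["qm_error_msg_ids"].append(m.group(1))
        elif m := ASA_QM_START.search(line):
            out["qm_start_msg_ids"].append(m.group(1))
    return out


def parse_azure(text: str) -> Dict[str, object]:
    """Collect proposal comparison results and Win32 IKE errors from an ikeext trace."""
    mismatches: List[Tuple[str, str, str]] = []
    accepted: Optional[Tuple[int, int, int]] = None
    win_errors: List[Tuple[str, int, str]] = []
    for line in text.splitlines():
        if m := AZ_MISMATCH.search(line):
            mismatches.append(m.groups())               # (attribute, expected, received)
        elif m := AZ_ACCEPT.search(line):
            accepted = tuple(int(g) for g in m.groups())
        elif m := AZ_WINERR.search(line):
            fn, code, name = m.groups()
            win_errors.append((fn, int(code), name))
    return {"mismatches": mismatches, "accepted": accepted, "win_errors": win_errors}


def findings(asa: Dict[str, list], az: Dict[str, object]) -> List[str]:
    """Turn the parsed events into plain-text triage notes, one per observation."""
    notes: List[str] = []
    for peer, local, remote in asa["rejected"]:
        notes.append(f"ASA: rejected a new Quick Mode from {peer} for {local} <-> {remote}; "
                     "one was already in progress for the same proxies")
    for mid in asa["qm_error_msg_ids"]:
        notes.append(f"ASA: QM FSM error on message id {mid}")
    # The same message id reappearing as a fresh responder QM means the peer retransmitted.
    errored = {int(m, 16) for m in asa["qm_error_msg_ids"]}
    for mid in asa["qm_start_msg_ids"]:
        if int(mid, 16) in errored:
            notes.append(f"ASA: message id {int(mid, 16)} reappears as a new responder QM after the error")
    for attr, exp, rec in az["mismatches"]:
        notes.append(f"Azure: {attr} mismatch, expected {exp}, received {rec}")
    if az["accepted"]:
        lp, rp, t = az["accepted"]
        notes.append(f"Azure: accepted local proposal {lp} against received proposal {rp} transform {t}")
    for fn, code, name in az["win_errors"]:
        notes.append(f"Azure: {fn} failed with error {code} ({name})")
    return notes


if __name__ == "__main__":
    for note in findings(parse_asa(ASA_LOG), parse_azure(AZURE_LOG)):
        print(note)
```

Run it against your own exported logs by replacing the two constructed strings with the file contents; the point of keeping the ASA and Azure parsers separate is that each side of the tunnel only ever shows its own view of the exchange, and putting the two views side by side (which message ids errored, which proposal was actually accepted, which notify failed) is what lets you see whether both ends agree on the same phase 2 proposal before touching the configuration.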