Hi all,
Having an issue with connecting to site-to-site. First we configured the site-to-site on Azure, then downloaded the script to plug into our on-premise production ASA, which was unable to connect.
Then we used a non-production ASA, plugged in the script and reached out to Microsoft. Microsoft provided the following info.
6487 17:58:03.5247457 11:28:03 PM 10/7/2016 62.5147806 (868) 13.77.80.177 xx.xxx.xx.xxx WFP WFP:IPsec: Negotiation Request Initiated
6496 17:58:03.5499553 11:28:03 PM 10/7/2016 62.5399902 (868) 13.77.80.177 xx.xxx.xx.xxx WFP WFP:IPsec: Send ISAKMP Packet
6501 17:58:03.5500667 11:28:03 PM 10/7/2016 62.5401016 (868) 13.77.80.177 xx.xxx.xx.xxx IKE IKE:version 1.0, Identity protection (Main Mode), Payloads = HDR, SA, VID, Flags = ..., Length = 372 → Initial MM packet
6663 17:58:04.5449240 11:28:04 PM 10/7/2016 63.5349589 (868) 13.77.80.177 xx.xxx.xx.xxx WFP WFP:IPsec: Send ISAKMP Packet
6667 17:58:04.5449824 11:28:04 PM 10/7/2016 63.5350173 (868) 13.77.80.177 xx.xxx.xx.xxx IKE IKE:version 1.0, Identity protection (Main Mode), Payloads = HDR, SA, VID, Flags = ..., Length = 372 → Re-transmission of the Initial MM Packet
6766 17:58:05.5510583 11:28:05 PM 10/7/2016 64.5410932 (868) 13.77.80.177 xx.xxx.xx.xxx WFP WFP:IPsec: Send ISAKMP Packet
6770 17:58:05.5511130 11:28:05 PM 10/7/2016 64.5411479 (868) 13.77.80.177 xx.xxx.xx.xxx IKE IKE:version 1.0, Identity protection (Main Mode), Payloads = HDR, SA, VID, Flags = ..., Length = 372 → Re-transmission of the Initial MM Packet
6891 17:58:08.5550864 11:28:08 PM 10/7/2016 67.5451213 (868) 13.77.80.177 xx.xxx.xx.xxx WFP WFP:IPsec: Send ISAKMP Packet
6895 17:58:08.5551539 11:28:08 PM 10/7/2016 67.5451888 (868) 13.77.80.177 xx.xxx.xx.xxx IKE IKE:version 1.0, Identity protection (Main Mode), Payloads = HDR, SA, VID, Flags = ..., Length = 372 → Re-transmission of the Initial MM Packet
11575 17:59:00.6174956 11:29:00 PM 10/7/2016 119.6075305 (868) 13.77.80.177 xx.xxx.xx.xxx WFP WFP:IPsec: Main Mode Failure - Error: ERROR_SUCCESS
11577 17:59:00.6286090 11:29:00 PM 10/7/2016 119.6186439 (868) 13.77.80.177 xx.xxx.xx.xxx WFP WFP:IPsec: Main Mode SA Terminated → The Main Mode negotiation is
So after many tests I decided to forgo the ASA altogether and set up a trial Windows 2012 server. I received this error from the Microsoft support tech.
Time | Level | Category | VIP | MMSA | QMSA | iCookie | rCookie | outboundSPI | inboundSPI | Comments | Details | |
10/14/16-23:49:22.875881 | INFO | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | On-prem is the MM initiator. | IKE diagnostic event:, Failure type: IKE/Authip Main Mode Failure, Failure error code:0x00003601, No policy configured, , Failure point: Local, Keying module type: IKEv2, MM State: Initial state, no packets sent, MM SA role: Responder, MM auth method: Unknown, 0000000000000000000000000000000000000000, MM ID: 0x0000000000000f91 | ||
10/14/16-23:49:22.876139 | ERROR | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Check on-prem encryption domain against the Azure Local Networks. They must match exactly for Static. | Cleaning up mmSa: 0000008DC4D97730. Error 13825(ERROR_IPSEC_IKE_NO_POLICY) | ||
10/14/16-23:49:22.875881 | INFO | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | On-prem is the MM initiator. | IKE diagnostic event:, Failure type: IKE/Authip Main Mode Failure, Failure error code:0x00003601, No policy configured, , Failure point: Local, Keying module type: IKEv2, MM State: Initial state, no packets sent, MM SA role: Responder, MM auth method: Unknown, 0000000000000000000000000000000000000000, MM ID: 0x0000000000000f91 | ||
10/14/16-23:49:22.876139 | ERROR | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Check on-prem encryption domain against the Azure Local Networks. They must match exactly for Static. | Cleaning up mmSa: 0000008DC4D97730. Error 13825(ERROR_IPSEC_IKE_NO_POLICY) | ||
10/14/16-23:49:22.876140 | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Inactivating MM: 0000008DC4D97730 | ||||
10/14/16-23:49:22.876141 | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Moving mmSa 0000008DC4D97730 to zombie list | ||||
10/14/16-23:49:22.876144 | ERROR | user | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Check on-prem encryption domain against the Azure Local Networks. They must match exactly for Static. | IkeProcessPacketNoSa failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY) | ||
10/14/16-23:49:22.876147 | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Deleting MM from lists: 0000008DC4D97FD0 | ||||
10/14/16-23:49:22.876152 | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Completing Acquire for ipsec context 7837 | ||||
10/14/16-23:49:22.876340 | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | IPsecKeyModuleUpdateAcquire0 failed. Context 7837, error WINERROR=80320008 | ||||
10/14/16-23:49:22.876342 | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | IkeFreeAcquireContext: Freeing acquire 0000008DC4D928D0 | ||||
10/14/16-23:49:22.876388 | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Deleting MM from lists: 0000008DC4D97730 | ||||
10/14/16-23:49:22.876393 | ERROR | user | N/A | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Check on-prem encryption domain against the Azure Local Networks. They must match exactly for Static. | IkeProcessPacketDispatch failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY) |
Any advice appreciated.
Noah
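
An added example, not part of the original post or of Microsoft's tooling: a small parser for the pipe-delimited IKE diagnostic rows above that drops repeated rows, copes with rows that have no Level column, and normalizes the three error notations in the log (0x00003601, Error 13825, HRESULT 0x80073601) to one Win32 code. The function names are hypothetical, and the sample rows are abridged from the post.

```python
import re

# Rows abridged from the post above (addresses were already redacted there).
SAMPLE = """\
10/14/16-23:49:22.875881 | INFO | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | On-prem is the MM initiator. | IKE diagnostic event:, Failure type: IKE/Authip Main Mode Failure, Failure error code:0x00003601, No policy configured, MM ID: 0x0000000000000f91 | ||
10/14/16-23:49:22.876139 | ERROR | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Check on-prem encryption domain against the Azure Local Networks. They must match exactly for Static. | Cleaning up mmSa: 0000008DC4D97730. Error 13825(ERROR_IPSEC_IKE_NO_POLICY) | ||
10/14/16-23:49:22.876139 | ERROR | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Check on-prem encryption domain against the Azure Local Networks. They must match exactly for Static. | Cleaning up mmSa: 0000008DC4D97730. Error 13825(ERROR_IPSEC_IKE_NO_POLICY) | ||
10/14/16-23:49:22.876140 | ikeext | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Inactivating MM: 0000008DC4D97730 | ||||
10/14/16-23:49:22.876144 | ERROR | user | xx.xx.xx.xxx | N/A | f65c9d98c6b09dfb | 0 | N/A | N/A | Check on-prem encryption domain against the Azure Local Networks. They must match exactly for Static. | IkeProcessPacketNoSa failed with HRESULT 0x80073601(ERROR_IPSEC_IKE_NO_POLICY) | ||
"""

LEVELS = {"INFO", "ERROR"}  # the only Level values that appear in the post


def parse_row(line):
    """Split one row; the Level cell is missing on some rows, so detect it."""
    cells = [c.strip() for c in line.split("|")]
    while cells and cells[-1] == "":      # drop the empty trailing cells
        cells.pop()
    ts, rest = cells[0], cells[1:]
    level = rest.pop(0) if rest and rest[0] in LEVELS else None
    category = rest.pop(0)
    return {"time": ts, "level": level, "category": category,
            "details": rest[-1] if rest else ""}


def win32_codes(details):
    """Return the Win32 error codes named in a Details cell, as integers."""
    codes = set()
    for m in re.finditer(r"0x([0-9A-Fa-f]{8})\b", details):  # exactly 32 bits
        value = int(m.group(1), 16)
        if value >> 31 and (value >> 16) & 0x7FF == 7:  # HRESULT, FACILITY_WIN32
            codes.add(value & 0xFFFF)
        elif value <= 0xFFFF:                           # bare Win32 code in hex
            codes.add(value)
    codes.update(int(m.group(1)) for m in re.finditer(r"Error (\d+)\(", details))
    return codes


def summarize(text):
    """Parse every distinct row and attach its decoded error codes."""
    seen, events = set(), []
    for line in text.splitlines():
        if not line.strip() or line in seen:  # skip blanks and repeated rows
            continue
        seen.add(line)
        row = parse_row(line)
        row["codes"] = win32_codes(row["details"])
        events.append(row)
    return events


if __name__ == "__main__":
    for ev in summarize(SAMPLE):
        print(ev["time"], ev["level"], ev["category"], sorted(ev["codes"]))
```

Every error-bearing row resolves to 13825 (ERROR_IPSEC_IKE_NO_POLICY), so the capture shows one failure reported at several layers rather than several distinct faults.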