Hi,
I have configured a VPN tunnel between the Azure and Cisco ASA using IKEv2 and the tunnel doesn't seem to come up. I can see that the phase 1 comes up on the ASA but the phase 2 fails saying this:
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 2
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 3
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 4
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 5
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 6
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 7
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 8
IKEv2-PROTO-1: (766): Failed to find a matching policy
ciscoasa(config)# IKEv2-PROTO-1: (766): Received Policies:
ESP: Proposal 1: AES-GCM-256
ESP: Proposal 2: AES-CBC-256 SHA96
ESP: Proposal 3: 3DES SHA96
ESP: Proposal 4: AES-CBC-256 SHA256
ESP: Proposal 5: AES-CBC-128 SHA96
ESP: Proposal 6: 3DES SHA256
IKEv2-PROTO-1: (766): Failed to find a matching policy
IKEv2-PROTO-1: (766): Expected Policies:
IKEv2-PROTO-5: (766): Failed to verify the proposed policies
IKEv2-PROTO-1: (766): Failed to find a matching policy
Now, I have configured the VPN tunnel to be part of External_map2 seq 8 but it is not matching. I am not sure what subnets are being pushed by the Azure platform to Cisco ASA to negotiate the VPN tunnel.
On the ASA, I can see this:
ciscoasa# sho cry isa sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:11, Status:UP-IDLE, IKE count:135, CHILD count:0
Tunnel-id Local Remote Status
Role
857843849 31.221.X.XX/500 51.141.XX.XX/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/13 sec
This means that the Phase 1 is coming up but the next phase is not negotiating.
For testing, I did 0.0.0.0 0.0.0.0 on the ASA, i.e. ANY ANY on the ASA for interesting traffic, and the tunnel came up, but that "any any" impacted my sites and made them inaccessible, so I had to roll back to the previous one.
I even tried to download the VPN script for this VPN connection from the Azure portal and made changes on the ASA accordingly but that doesn't seem to work.
I am happy to provide any detail that is needed from my end.
Thanks,
Vishnu
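As an added example (not part of the post above, and not Cisco's or Azure's code), the following Python script triages debug output of the kind quoted in the post: it separates a traffic-selector ("proxy") mismatch from a transform (ESP proposal) mismatch, and checks whether a given set of crypto map ACL entries would cover the selectors a peer proposes. The debug sample is constructed in the same format as the post's lines, and the ACL/selector values are constructed. One assumption is labelled in the code: an ACL entry is treated as matching only when the peer's proposal falls within both of its networks, which is consistent with the post's observation that only an any/any entry brought the tunnel up.

```python
import ipaddress
import re

# Constructed sample in the same format as the ASA IKEv2 debug output quoted
# in the post (not captured from a live device; values are illustrative).
SAMPLE_DEBUG = """\
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 1
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 2
IKEv2-PLAT-2: Crypto Map: No proxy match on map External_map2 seq 8
IKEv2-PROTO-1: (766): Failed to find a matching policy
IKEv2-PROTO-1: (766): Received Policies:
ESP: Proposal 1: AES-GCM-256
ESP: Proposal 2: AES-CBC-256 SHA96
ESP: Proposal 3: 3DES SHA96
IKEv2-PROTO-5: (766): Failed to verify the proposed policies
"""

PROXY_RE = re.compile(r"No proxy match on map (\S+) seq (\d+)")
PROPOSAL_RE = re.compile(r"ESP: Proposal (\d+): (.+)$")


def parse_ikev2_debug(text):
    """Summarise child-SA (phase 2) failures from ASA IKEv2 debug lines.

    Returns which crypto map entries failed the proxy (traffic selector) check,
    the ESP proposals the peer sent, and whether a policy failure was logged,
    so a selector mismatch and a transform mismatch can be told apart."""
    failed = {}        # crypto map name -> set of seq numbers with no proxy match
    proposals = []     # (proposal number, transform text) as received from the peer
    policy_failed = False
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            failed.setdefault(m.group(1), set()).add(int(m.group(2)))
            continue
        m = PROPOSAL_RE.search(line)
        if m:
            proposals.append((int(m.group(1)), m.group(2).strip()))
            continue
        if "Failed to find a matching policy" in line:
            policy_failed = True
    return {"proxy_failures": failed, "proposals": proposals,
            "policy_failed": policy_failed}


def diagnose(summary):
    """One-line reading of a parsed summary: selector problem before transform problem."""
    if summary["proxy_failures"]:
        maps = ", ".join(f"{name} seq {sorted(seqs)}"
                         for name, seqs in summary["proxy_failures"].items())
        return f"traffic selector mismatch: no crypto map entry matched ({maps})"
    if summary["policy_failed"]:
        return "transform mismatch: none of the peer's ESP proposals was accepted"
    return "no phase 2 failure found"


def acl_matches_proposal(acl_entries, proposed_local, proposed_remote):
    """Return the 1-based index of the first ACL entry covering the proposal, else None.

    acl_entries: list of (local_net, remote_net) strings in crypto map ACL
    orientation (source = our side, destination = peer side).
    proposed_local / proposed_remote: the selectors the peer proposes for our
    side and its side, in the same orientation.
    Assumption (not stated in the post): an entry matches only when the proposal
    lies within both of its networks, so a 0.0.0.0/0 proposal is covered only by
    an any/any entry."""
    tsr = ipaddress.ip_network(proposed_local)
    tsi = ipaddress.ip_network(proposed_remote)
    for seq, (local_net, remote_net) in enumerate(acl_entries, start=1):
        if (tsr.subnet_of(ipaddress.ip_network(local_net))
                and tsi.subnet_of(ipaddress.ip_network(remote_net))):
            return seq
    return None


if __name__ == "__main__":
    summary = parse_ikev2_debug(SAMPLE_DEBUG)
    print(diagnose(summary))
    for num, transform in summary["proposals"]:
        print(f"  peer proposal {num}: {transform}")
    # Constructed ACL: a specific subnet pair, which cannot cover an any/any proposal.
    print(acl_matches_proposal([("10.1.0.0/16", "10.2.0.0/16")], "0.0.0.0/0", "0.0.0.0/0"))
```

Running the script on the constructed sample reports a traffic selector mismatch first, because the "No proxy match" lines precede the policy failure, and the ACL check returns None for a subnet-specific entry against an any/any proposal. Feeding it a real `debug crypto ikev2` capture and the device's own crypto map ACL entries gives a quick answer to which of the two phase 2 conditions is failing before any configuration is touched.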