I am attempting to set up a Site to Site VPN between an Azure Virtual Network and a local network with a Cisco ASA 5520 running iOS 8.4. The Azure Virtual Network has a static routing gateway setup. We were successfully able to complete the IKE Phase 1 negotiation,
but it is failing during Phase 2.
I believe Phase 2 is failing because the network config on the Azure VPN Gateway does not match the network configuration on the ASA. The logs on the ASA say:
Deleting static route for L2L peer that came in on a dynamic map. address 192.168.0.0 255.255.255.0
Removing peer from correlator table failed, no match!
The configuration on the ASA restricts the tunnel traffic to two single IPs on the remote side. The config looks like:
object-group network azure-networks
network-object 192.168.0.4 255.255.255.255
network-object 192.168.0.9 255.255.255.255
But the provided ASA template script that can be downloaded through the Azure management portal specifies the network as:
object-group network azure-networks
network-object 192.168.0.0 255.255.255.0
Which represents the whole address space of the Azure Virtual Network. Unfortunately, it's not feasible to change the config on the ASA to what the template recommends since it's a policy mandated by the security group, and to make it more difficult, it is owned
by another organization so I don't have direct access to logs on the ASA.
So for my question, is it possible to adjust the Azure VPN Gateway config to match the config of the ASA? I am not able to find these settings in the management portal, or in the Azure Network Configuration Schema. Additionally, is it possible to view any diagnostics
or logs for the VPN Gateway?
Thanks in advance for any help.
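As an added illustration of the selector mismatch described in the question (this is not the poster's code or anything from the Azure template), the script below parses the ASA object-group quoted above and compares its remote-side networks with the VNet address space the template uses. It assumes, as the question does, that the static routing (policy-based) gateway proposes the whole VNet prefix as its Phase 2 traffic selector and expects the peer's selector to match it exactly.

```python
import ipaddress
import re

# Constructed sample input: the ASA object-group exactly as quoted in the
# question, and the network the Azure-provided template expects.
ASA_OBJECT_GROUP = """\
object-group network azure-networks
 network-object 192.168.0.4 255.255.255.255
 network-object 192.168.0.9 255.255.255.255
"""
AZURE_ADDRESS_SPACE = "192.168.0.0/24"

NETWORK_OBJECT_RE = re.compile(r"^\s*network-object\s+(\S+)\s+(\S+)\s*$")


def parse_asa_object_group(text):
    """Return the IPv4 networks from 'network-object <addr> <mask>' lines."""
    nets = []
    for line in text.splitlines():
        m = NETWORK_OBJECT_RE.match(line)
        if m:
            # ipaddress accepts dotted-quad netmasks; strict=False tolerates host bits.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def compare_phase2_selectors(asa_networks, azure_prefix):
    """Classify the ASA's remote-side selectors against the Azure address space.

    Assumption (from the question): the policy-based gateway wants the peer to
    propose the same selector it does, so only 'match' lets Phase 2 complete.
    'subset' means every ASA entry lies inside the VNet prefix but is narrower
    (the situation in the question); 'mismatch' means some entry is outside it.
    """
    azure = ipaddress.ip_network(azure_prefix)
    if len(asa_networks) == 1 and asa_networks[0] == azure:
        return "match"
    if asa_networks and all(net.subnet_of(azure) for net in asa_networks):
        return "subset"
    return "mismatch"


if __name__ == "__main__":
    nets = parse_asa_object_group(ASA_OBJECT_GROUP)
    print("ASA selectors:", [str(n) for n in nets])
    print("Result:", compare_phase2_selectors(nets, AZURE_ADDRESS_SPACE))
```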