Active-Active VPN Gateway Azure to a single on-prem ASAv using VTI

Tommy Alex 1

We are trying to use Active-Active VPN Gateway on Azure to connect to a Cisco ASAv (single) . The problem is that the ASA uses a different BGP ip for each tunnel interface. But the Azure configuration only has an option to set a single BGP peer in the local network gateway setting. What are options to make this work using active /active to a single box with two bgp peer ips or other options ?

1 answer

GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-02-22T15:26:10.66+00:00

Hello @Tommy Alex ,

As per Cisco ASA 9.8+ VTI documentation, currently, VTI is only supported in single-context, routed mode.

You can also find this information in Cisco ASA VTI doc :
Context Mode
Supported in single mode only.

So, it looks like this is not supported. However, I will check with Azure VPN PG to see if there are any workarounds to bypass this constraint.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-02-22T17:52:24.99+00:00

Hello @Tommy Alex ,

Is it possible to have multiple source public IP addresses on your Cisco device?

Regards,
Gita

GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-02-25T14:33:41.2+00:00

Hello @Tommy Alex ,

Could you please provide an update on this post?

Is it possible to have multiple source public IP addresses on your Cisco device?

Regards,
Gita

GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-03-01T15:38:03.427+00:00

Hello @Tommy Alex ,

Any updates on this post?

Thanks,
Gita

Tommy Alex 1 Reputation point

2021-03-05T05:28:18.147+00:00

hi not its not possible to have multilpe public ip unless you create a second interface.
Can you please check other options ?

Tommy Alex 1 Reputation point

2021-03-11T03:21:07.697+00:00

Any update on this ?

GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-03-11T07:55:22.537+00:00

Hello @Tommy Alex ,

Apologies for the delay in my response. I reached out to our VPN PG and they discussed this scenario with the Cisco team. Below is the update from Cisco side:

Yes there is a limitation with the ASA.

The ASA doesn’t allow sourcing BGP connections from a loopback (ASA’s don’t have one) nor from an interface that is not the egress interface. As a result the ASA would source the BGP connection from Tunnel1 and Tunnel2.

In my document I did call out that (https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/214109-configure-asa-ipsec-vti-connection-to-az.html) active-active wouldn’t work because it appears that the Azure is expecting the BGP connection to be sourced from the same IP address on the ASA over both tunnels.

So unfortunately, there are no other workarounds available to achieve this scenario.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,
Gita

Tommy Alex 1 Reputation point

2021-03-13T03:28:42.657+00:00

Hi I know the ASA limitation.. i was hoping for other options on Azure side like building another gateway and having VNET to VNET peering etc.. what other options exist on Azure side to connect to a single ASA ?

Tommy Alex 1 Reputation point

2021-03-17T02:02:52.25+00:00

hi
whatever you provided is what I already know :)
What i was asking is are there any alternative ways of doing on the Azure - thats why i am asking about Azure as I know how the ASA works inside/out.
Can we have do gateways and do VNET peering etc to make this work ?
Please check on alternative options on Azure side with a single ASA on prem

Tommy Alex 1 Reputation point

2021-03-25T04:21:28.087+00:00

Any update on this ?

GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-03-25T07:34:42.557+00:00

Hello @Tommy Alex ,

Apologies for the delay in my response.

I checked with the PG contact who works with Cisco team closely and have already performed various labs to check if we can get Cisco ASA working with Azure active-active gateway but every time, only 1 BGP session from ASA would be UP/Connected and the other would be idle (they always keep flapping between ‘Active’ and ‘Idle’), which doesn't help in achieving the HA scenario. So, unfortunately, there is no workaround available at the moment to get this setup working.

Thanks,
Gita

Tommy Alex 1 Reputation point

2021-03-28T20:03:12.627+00:00

did you ask about using two separate gateways on the Azure ? hope you can research more.. i thinks thats viable... and then if you use VNET peering..

GitaraniSharma-MSFT 47,686 Reputation points Microsoft Employee

2021-04-01T06:07:32.127+00:00

Hello @Tommy Alex ,

I have already asked about workarounds and there aren't any on Azure side. Using 2 separate local network gateways on the Azure won't work as we are trying to connect a single onprem ASA device to Azure VPN gateway that’s configured with a Active/Active Mode (meaning both instance0 and instance1 being active). Every Azure VPN gateway consists of two instances in an active-standby configuration. Please refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

“VNet peering” will have no effect on this scenario as VNet peering only allows one of the peered VNets to hold a VNG, whether it’s Active/Passive or Active/Active. A virtual network can have only one gateway - either a local or remote gateway in the peered virtual network and this is the limitation on Azure side. Please refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity

Thanks,
Gita
Sign in to comment