Question asked by TommyAlex-4549

Active-Active VPN Gateway Azure to a single on-prem ASAv using VTI

We are trying to use an Active-Active VPN Gateway on Azure to connect to a single Cisco ASAv. The problem is that the ASA uses a different BGP IP for each tunnel interface, but the Azure configuration only has an option to set a single BGP peer in the local network gateway setting. What are the options to make this work using active/active to a single box with two BGP peer IPs, or other options?

azure-vpn-gateway

1 Answer

Answered by GitaraniSharmaMSFT-4262

Hello @TommyAlex-4549 ,

As per Cisco ASA 9.8+ VTI documentation, currently, VTI is only supported in single-context, routed mode.

You can also find this information in the Cisco ASA VTI doc:
Context Mode: Supported in single mode only.

So, it looks like this is not supported. However, I will check with Azure VPN PG to see if there are any workarounds to bypass this constraint.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.




Hello @TommyAlex-4549 ,

Is it possible to have multiple source public IP addresses on your Cisco device?

Regards,
Gita


Hello @TommyAlex-4549 ,

Could you please provide an update on this post?

Is it possible to have multiple source public IP addresses on your Cisco device?

Regards,
Gita

TommyAlex-4549 replied:

Hi, no, it's not possible to have multiple public IPs unless you create a second interface.
Can you please check other options?


Hello @TommyAlex-4549 ,

Any updates on this post?

Thanks,
Gita

TommyAlex-4549 replied:

Any update on this?


Hello @TommyAlex-4549 ,

Apologies for the delay in my response. I reached out to our VPN PG and they discussed this scenario with the Cisco team. Below is the update from Cisco side:

Yes, there is a limitation with the ASA.

The ASA doesn't allow sourcing BGP connections from a loopback (ASAs don't have one) nor from an interface that is not the egress interface. As a result, the ASA would source the BGP connection from Tunnel1 and Tunnel2.

In my document (https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/214109-configure-asa-ipsec-vti-connection-to-az.html) I did call out that active-active wouldn't work, because it appears that Azure is expecting the BGP connection to be sourced from the same IP address on the ASA over both tunnels.

So unfortunately, there are no other workarounds available to achieve this scenario.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,
Gita
