ThalesClaro-7911 asked SaiKishor-MSFT commented

[ Gateway Connection ] Traffic Selectors not working for 2 or more subnets.

Currently we have managed to deploy and connect our route-based gateway between Azure and a Cisco ASA, which works fine for only one of the subnets defined in trafficSelectorPolicies. This means that currently we are only able to test the connection from resources in the 10.0.1.0/24 local subnet.


 {
     "name": "Connection",
     "id": "*****",
     "etag": "***",
     "type": "Microsoft.Network/connections",
     "location": "northeurope",
     "tags": {},
     "properties": {
         "provisioningState": "Succeeded",
         "resourceGuid": "***",
         "virtualNetworkGateway1": {
             "id": "***"
         },
         "localNetworkGateway2": {
             "id": "***"
         },
         "connectionType": "IPsec",
         "connectionProtocol": "IKEv2",
         "routingWeight": 3,
         "sharedKey": "***",
         "enableBgp": false,
         "useLocalAzureIpAddress": false,
         "usePolicyBasedTrafficSelectors": true,
         "ipsecPolicies": [
             {
                 "saLifeTimeSeconds": 3600,
                 "saDataSizeKilobytes": 102400000,
                 "ipsecEncryption": "AES256",
                 "ipsecIntegrity": "SHA256",
                 "ikeEncryption": "AES256",
                 "ikeIntegrity": "SHA256",
                 "dhGroup": "DHGroup2",
                 "pfsGroup": "PFS2"
             }
         ],
         "trafficSelectorPolicies": [
             {
                 "localAddressRanges": [
                     "10.0.1.0/24",
                     "10.0.2.0/24"
                 ],
                 "remoteAddressRanges": [
                     "30.**.**.0/23"
                 ]
             }
         ],
         "connectionStatus": "Connected",
         "ingressBytesTransferred": 15800,
         "egressBytesTransferred": 25908,
         "dpdTimeoutSeconds": 0,
         "connectionMode": "Default"
     }
 }


Has anyone had a similar issue and come across a solution for this case?

azure-vpn-gateway
SaiKishor-MSFT answered SaiKishor-MSFT commented

@ThalesClaro-7911

Thank you for reaching out to Microsoft Q&A. I understand that you are trying to connect Azure Route Based VPN to Cisco ASA which is using a Policy based VPN and with this setup you are only able to connect to one of the subnets and not the other.

In order to work around this, configure Azure route-based VPN gateways to use prefix-based traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-based VPN gateways.

Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

ThalesClaro-7911 answered SaiKishor-MSFT commented

Hi @SaiKishor-MSFT

Thanks for the feedback. Currently I do have policy-based selectors enabled, as you can see on line 23, and selector policies between lines 36 and 46. At the moment, no progress has been made.


@ThalesClaro-7911 Apologies for not checking the script properly. To troubleshoot this connectivity issue between Azure VPN and Cisco ASAv, I would suggest the below ways:

  1. Use Cisco Packet Tracer command to identify where the traffic for the 10.0.2.0/24 subnet is being dropped.

  2. Use the command "sh crypto ipsec sa peer aa.xx.yy.zz" to check the inbound and outbound SAs and see whether the inbound/outbound SA for the 10.0.2.0/24 traffic is encrypting/decrypting traffic.

  3. Further, I would also check with Cisco support to investigate this further in case there is any misconfiguration on the Cisco side.


Please provide output of the commands so we can troubleshoot further. Thank you!

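A quick check that complements the troubleshooting steps above (added example, not code from the thread or from Microsoft or Cisco): with usePolicyBasedTrafficSelectors each local x remote prefix combination in the connection JSON becomes its own traffic selector, and a policy-based peer such as the ASA needs an exactly matching crypto ACL entry for every one of them. The script computes the selector set Azure will propose and diffs it against a crypto ACL; the JSON, the ACL text, the ACL name AZURE_VPN and the 192.0.2.0/24 remote prefix are all constructed placeholders.

```python
import ipaddress
import json
import re

# Constructed sample shaped like the connection JSON in the question; the remote
# prefix is a documentation placeholder, not the poster's real range.
AZURE_CONNECTION_JSON = """{"properties": {
  "usePolicyBasedTrafficSelectors": true,
  "trafficSelectorPolicies": [{"localAddressRanges": ["10.0.1.0/24", "10.0.2.0/24"],
                               "remoteAddressRanges": ["192.0.2.0/24"]}]}}"""

# Constructed ASA crypto ACL (hypothetical ACL name). Only the first Azure subnet
# is covered, which reproduces the symptom described in the thread.
ASA_CRYPTO_ACL = """
access-list AZURE_VPN extended permit ip 192.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
"""

# Matches 'access-list <name> extended permit ip <src> <mask> <dst> <mask>'.
ACL_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
                    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def expected_selectors(connection_json):
    """(on-prem, azure) prefix pairs Azure proposes as individual traffic selectors;
    every local x remote combination is its own proxy ID the peer must match."""
    props = json.loads(connection_json)["properties"]
    if not props.get("usePolicyBasedTrafficSelectors"):
        raise ValueError("usePolicyBasedTrafficSelectors must be true for a policy-based peer")
    pairs = set()
    for policy in props["trafficSelectorPolicies"]:
        for local in policy["localAddressRanges"]:
            for remote in policy["remoteAddressRanges"]:
                pairs.add((ipaddress.ip_network(remote), ipaddress.ip_network(local)))
    return pairs


def asa_selectors(acl_text):
    """Parse crypto ACL lines into (src, dst) prefix pairs; src is the on-prem side."""
    pairs = set()
    for line in acl_text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.add((ipaddress.ip_network(f"{src}/{smask}"),
                       ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs


def missing_on_asa(connection_json, acl_text):
    """Selectors Azure will negotiate that have no exact crypto ACL match on the ASA."""
    return sorted(expected_selectors(connection_json) - asa_selectors(acl_text), key=str)
```

Any pair the function reports is a selector the ASA will never accept, so traffic for that subnet will be dropped before an SA is ever built, which matches what "sh crypto ipsec sa" would show for 10.0.2.0/24.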

@ThalesClaro-7911 Any update?
