How to address dynamic routing issue in Azure with ASA

When we tried to build the tunnel from Azure to a Cisco ASA with dynamic routing (IKEv1 and IKEv2), the tunnel did not come up. We later found that the ASA does not support Azure dynamic routing (ASA 8.0 does not support IKEv2), and we looked at a couple of options, such as ExpressRoute and installing a virtual firewall.

Here are the supporting links:

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/118743-configure-asa-00.html -> ASA 8.4 and above supports IKEv2

Finally we came up with a different approach to fix this:

We created two VNETs. The first VNET is used for the dynamic routing gateway, with VPN tunnels built to supported vendors (Check Point and Juniper).

The second VNET uses a static gateway to build the tunnel between Azure and the ASA, and communication between the two VNETs is enabled over their public IPs, with restrictions.

One more thing: VNET-to-VNET latency is less than 10 ms (traffic between Azure public IP addresses does not traverse the internet), so it behaves like a LAN.

Step-by-step configuration:

http://blog.kloud.com.au/2014/06/10/microsoft-azure-multi-site-vpn/

For troubleshooting we need the Azure PowerShell software, which can be downloaded from the link below:

http://www.microsoft.com/en-in/download/details.aspx?id=2560

Here are the troubleshooting commands for PowerShell, but first we have to connect to the Azure account with a couple of commands.

Add-AzureAccount -> pops up the credentials window, where you type the Azure account details.

Pre-shared key creation (the -VNetName value was missing from the original command; "<vnet-name>" is a placeholder for your VNet):
Set-AzureVNetGatewayKey -VNetName "<vnet-name>" -LocalNetworkSiteName "xxxx" -SharedKey Cisco123

Initiating the traffic from the VPN tunnel:
Set-AzureVNetGateway -Connect -LocalNetworkSiteName "test" -VNetName "customer01"

PS C:\> Get-AzureVNetConnection -VNetName "test"

ConnectivityState : NotConnected
EgressBytesTransferred : 0
IngressBytesTransferred : 0
LastConnectionEstablished : 1/1/1601 5:30:00 AM
LastEventID : 21601
LastEventMessage : Unable to establish the cross-premise tunnel for site ‘MT-NOC-BLR’. Previous state:
Initializing. Current state: Not Connected.
LastEventTimeStamp : 8/23/2015 12:54:53 PM
LocalNetworkSiteName : test
OperationDescription :
OperationId :
OperationStatus :
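As an added example (not from the original post), the following Azure PowerShell script wraps the three steps above into one troubleshooting run: it generates a random pre-shared key with a cryptographic RNG instead of a guessable value such as Cisco123, applies it with Set-AzureVNetGatewayKey, initiates the connection with Set-AzureVNetGateway -Connect, and polls Get-AzureVNetConnection until the state reaches Connected or a timeout expires. The VNet name customer01 and site name test come from the commands above; the 300-second timeout, the 15-second poll interval and the helper name New-SharedKey are assumptions. It expects the classic (Service Management) Azure PowerShell cmdlets and that Add-AzureAccount has already been run.

```powershell
# Added example, not code from the original post.
# Assumes the classic Azure PowerShell cmdlets and a session already authenticated with Add-AzureAccount.
param(
    [string]$VNetName = "customer01",   # VNet name from the post
    [string]$SiteName = "test",         # local network site name from the post
    [int]$TimeoutSeconds = 300          # assumed: how long to wait for the tunnel to come up
)

# Build a 32-character pre-shared key from a cryptographic RNG.
# The alphabet has exactly 64 symbols, so masking each random byte with 63 introduces no bias.
function New-SharedKey {
    param([int]$Length = 32)
    $alphabet = [char[]]"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

$psk = New-SharedKey
Set-AzureVNetGatewayKey -VNetName $VNetName -LocalNetworkSiteName $SiteName -SharedKey $psk | Out-Null
# Show the key once so it can be copied to the on-premises peer; do not write it to a log file.
Write-Host "Configure this pre-shared key on the on-premises peer: $psk"

# Ask the Azure gateway to initiate the tunnel, then poll the connection state.
Set-AzureVNetGateway -Connect -VNetName $VNetName -LocalNetworkSiteName $SiteName | Out-Null

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
do {
    Start-Sleep -Seconds 15
    $conn = Get-AzureVNetConnection -VNetName $VNetName |
        Where-Object { $_.LocalNetworkSiteName -eq $SiteName }
    Write-Host ("{0}  state={1}  lastEvent={2}: {3}" -f (Get-Date -Format "HH:mm:ss"),
        $conn.ConnectivityState, $conn.LastEventID, $conn.LastEventMessage)
} while ($conn.ConnectivityState -ne "Connected" -and (Get-Date) -lt $deadline)

if ($conn.ConnectivityState -ne "Connected") {
    # A persistent NotConnected with event 21601, as in the output above, means the
    # cross-premises tunnel never negotiated: verify that the peer address, the pre-shared
    # key and the IKE version configured on the on-premises device match the Azure side.
    Write-Warning "Tunnel to '$SiteName' did not come up within $TimeoutSeconds seconds."
    exit 1
}
Write-Host "Tunnel to '$SiteName' is connected."
```

Run it as `.\Connect-AzureTunnel.ps1 -VNetName customer01 -SiteName test` (the file name is your choice). The loop filters on LocalNetworkSiteName because Get-AzureVNetConnection returns one object per site when a VNet has several connections.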

http://blogs.technet.com/b/keithmayer/archive/2014/12/18/diagnose-azure-virtual-network-vpn-connectivity-issues-with-powershell.aspx


We can also configure the VPN by applying the network configuration XML through Azure PowerShell. The original annotations are kept as XML comments so the file stays well-formed:

<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns />
    <LocalNetworkSites>
      <!-- In Azure, "local networks" are what networking people call the remote networks -->
      <LocalNetworkSite name="Site-01">
        <AddressSpace>
          <AddressPrefix>10.20.3.0/24</AddressPrefix> <!-- remote network behind Site-01 -->
        </AddressSpace>
        <VPNGatewayAddress>1.1.1.1</VPNGatewayAddress> <!-- Site-01 VPN peer IP (public address) -->
      </LocalNetworkSite>
      <LocalNetworkSite name="Site-02">
        <AddressSpace>
          <AddressPrefix>172.20.3.0/24</AddressPrefix> <!-- remote network behind Site-02 -->
        </AddressSpace>
        <VPNGatewayAddress>2.2.2.2</VPNGatewayAddress> <!-- Site-02 VPN peer gateway address (public address) -->
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="VNET-01" Location="South Central US">
        <AddressSpace>
          <AddressPrefix>10.10.0.0/21</AddressPrefix> <!-- local supernet for Site-01 (Azure end) -->
        </AddressSpace>
        <Subnets>
          <Subnet name="mgmtsubnet"> <!-- local subnet (Azure end) -->
            <AddressPrefix>10.10.1.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="proddbsubnet"> <!-- local subnet (Azure end) -->
            <AddressPrefix>10.10.2.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet"> <!-- VNET-01 VPN gateway subnet -->
            <AddressPrefix>10.10.4.0/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway /> <!-- gateway element with no ConnectionsToLocalNetwork entries -->
      </VirtualNetworkSite>
      <VirtualNetworkSite name="VNET-02" Location="South Central US">
        <AddressSpace>
          <AddressPrefix>172.16.0.0/23</AddressPrefix> <!-- local supernet for Site-02 (Azure end) -->
        </AddressSpace>
        <Subnets>
          <Subnet name="Mgmt-VNET02">
            <AddressPrefix>172.16.0.0/26</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>172.16.0.64/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <Gateway>
          <ConnectionsToLocalNetwork> <!-- global configuration: which local sites this gateway connects to -->
            <LocalNetworkSiteRef name="Site-01">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
            <LocalNetworkSiteRef name="Site-02">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
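Overlapping address spaces between a VNET and a local network site (or between the two VNETs) are a common reason a tunnel comes up but traffic does not flow, because the gateway cannot route the overlapping prefix. As an added example (not from the original post), the script below parses the network configuration XML above, checks every top-level AddressPrefix of the VirtualNetworkSites and LocalNetworkSites against each other, and only uploads the file with Set-AzureVNetConfig when no overlap is found and -Apply is given. The file path .\NetworkConfig.xml, the -Apply switch and the helper names ConvertTo-CidrRange and Test-VNetConfigOverlap are assumptions; subnets are not compared because they legitimately sit inside their own VNET's address space.

```powershell
# Added example, not code from the original post.
# Assumes the XML above was saved as .\NetworkConfig.xml and the classic Azure PowerShell cmdlets are loaded.
param(
    [string]$Path = ".\NetworkConfig.xml",   # assumed location of the configuration file
    [switch]$Apply                           # upload with Set-AzureVNetConfig only when the check passes
)

# Convert "a.b.c.d/len" into the first and last address of the block as 64-bit integers.
function ConvertTo-CidrRange {
    param([string]$Cidr)
    $addr, $len = $Cidr.Trim().Split('/')
    $b = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
    $ip = ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
    $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$len)) -band 0xFFFFFFFF
    $start = $ip -band $mask
    [pscustomobject]@{ Cidr = $Cidr.Trim(); Start = $start; End = $start -bor (0xFFFFFFFF -bxor $mask) }
}

# Collect the top-level address spaces of every VNET and local site and return a list of
# human-readable conflict descriptions (empty when the configuration is consistent).
function Test-VNetConfigOverlap {
    param([string]$ConfigPath)
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $vnc = $cfg.NetworkConfiguration.VirtualNetworkConfiguration

    $ranges = @()
    foreach ($site in $vnc.LocalNetworkSites.LocalNetworkSite) {
        foreach ($p in $site.AddressSpace.AddressPrefix) {
            $ranges += ConvertTo-CidrRange $p |
                Add-Member -NotePropertyName Owner -NotePropertyValue "LocalNetworkSite $($site.name)" -PassThru
        }
    }
    foreach ($vnet in $vnc.VirtualNetworkSites.VirtualNetworkSite) {
        foreach ($p in $vnet.AddressSpace.AddressPrefix) {
            $ranges += ConvertTo-CidrRange $p |
                Add-Member -NotePropertyName Owner -NotePropertyValue "VirtualNetworkSite $($vnet.name)" -PassThru
        }
    }

    # Two blocks overlap when each one starts before the other one ends.
    $conflicts = @()
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a = $ranges[$i]; $b = $ranges[$j]
            if ($a.Owner -ne $b.Owner -and $a.Start -le $b.End -and $b.Start -le $a.End) {
                $conflicts += "$($a.Owner) $($a.Cidr) overlaps $($b.Owner) $($b.Cidr)"
            }
        }
    }
    Write-Host "Checked $($ranges.Count) address prefixes in $ConfigPath."
    return $conflicts
}

$conflicts = Test-VNetConfigOverlap -ConfigPath $Path
if ($conflicts.Count -gt 0) {
    $conflicts | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "No overlapping address spaces found."
if ($Apply) {
    # Set-AzureVNetConfig replaces the whole network configuration of the subscription,
    # so only run it on a file that has passed the check above.
    Set-AzureVNetConfig -ConfigurationPath (Resolve-Path $Path).Path
}
```

With the prefixes from the XML above (10.20.3.0/24, 172.20.3.0/24, 10.10.0.0/21 and 172.16.0.0/23) the check reports no overlap; changing Site-01 to 10.10.1.0/24, for instance, would flag it against VNET-01 and stop the upload. To start from the configuration currently live in the subscription, export it first with Get-AzureVNetConfig -ExportToFile and edit that file.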
