KB ID 0001219
Problem
It’s been a week for strange VPN shenanigans with Cisco and Azure. I was liaising with an Azure service provider for a customer this week, trying to get a VPN up from a Cisco ASA in one of our data centres in the UK. This is what we were seeing;
The same error showed up in the IKEv2 debugs: the ASA (as responder) receives and decrypts the peer’s packet, then fails to allocate the session (“PSH”) and aborts the exchange;
Decrypted packet:Data: 616 bytes
IKEv2-PROTO-1: Failed to allocate PSH from platform
IKEv2-PROTO-1:
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=65EAE07164D4916D R_SPI=034FB3DBCA5E9891 (R) MsgID = 00000000 CurState: IDLE Event: EV_DELETE
IKEv2-PROTO-5: Action: Action_Null
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=65EAE07164D4916D R_SPI=034FB3DBCA5E9891 (R) MsgID = 00000000 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=65EAE07164D4916D R_SPI=034FB3DBCA5E9891 (R) MsgID = 00000000 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: SM Trace-> SA: I_SPI=65EAE07164D4916D R_SPI=034FB3DBCA5E9891 (R) MsgID = 00000000 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: Abort exchange
IKEv2-PROTO-2: Deleting SA
Solution
After a conversation with the service provider, it turned out that they are providing a multi-tenant solution that terminates many VPNs for multiple clients. Because of this they HAVE TO use a security gateway that uses ‘Route Based/Dynamic Routing’.
There are two types of VPNs that you can run out of Azure;
- Static routing VPNs – Static routing VPNs or policy-based VPNs. These encrypt and route traffic through an interface based on a customer-defined policy (the interesting traffic ACL, or ‘proxy IDs’, on the customer side). Static routing VPNs require a static routing VPN gateway, which only speaks IKEv1. With this type of gateway you CAN NOT have multiple site-to-site VPNs.
- Dynamic routing VPNs – Dynamic routing or route-based VPNs. These depend on a tunnel interface specifically created for forwarding traffic. Any traffic arriving on the virtual tunnel interface (VTI) will be forwarded through the correct VPN connection, so what goes over the tunnel is decided by your routing table, not by an ACL.
Why is this a problem?
If you look at the currently supported VPN devices for Azure;
Route-based is not compatible. This is because VPNs based on VTIs were NOT supported on the Cisco ASA platform when this was written (later ASA releases added VTI support, first for IKEv1 and then for IKEv2, see the comments below). If you are a Cisco firewall person, this is the same reason you can’t use an ASA for DMVPN, or terminate a GRE tunnel on one.
What can you do?
In my case I’m going to put a Cisco IOS router (a Cisco ISR 1921) beside the firewall and route all the Azure traffic via that. As you can see from the table above, Cisco IOS routers ARE supported for route-based VPNs.
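For the Cisco IOS routers in the supported list, the route-based VPN described above is built on a VTI (a Tunnel interface in IPsec mode) rather than a crypto map, and the Azure VNet prefix is simply routed at the tunnel. The configuration below is an added example to illustrate that, not the configuration from the original article or from the service provider. Peer addresses (203.0.113.10 for the Azure gateway, 198.51.100.5 for the ISR), the pre-shared key, the VNet prefix 10.1.0.0/16, the ASA inside address 192.168.1.1 and the ISR inside address 192.168.1.2 are all assumed placeholders; the crypto parameters are a set that a default Azure route-based gateway will accept, but if the provider has applied a custom IPsec/IKE policy they must be matched to it.

```cisco
! ---- Cisco IOS (ISR) side: route-based IKEv2 VPN to Azure (added example, placeholder values) ----
!
! Phase 1: IKEv2 proposal and policy (AES-256 / SHA-256 / DH group 2 is accepted by Azure’s defaults)
crypto ikev2 proposal AZURE-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy AZURE-POLICY
 proposal AZURE-PROPOSAL
!
! Pre-shared key for the Azure gateway peer (the key is a placeholder, use the one shown in the portal)
crypto ikev2 keyring AZURE-KEYRING
 peer AZURE-GW
  address 203.0.113.10
  pre-shared-key ReplaceWithTheAzureSharedKey
!
! IKEv2 profile: identify the Azure peer by address, authenticate both sides with the PSK,
! and use DPD so a dead gateway tears the tunnel down rather than black-holing traffic
crypto ikev2 profile AZURE-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.5
 authentication remote pre-share
 authentication local pre-share
 keyring local AZURE-KEYRING
 lifetime 28800
 dpd 10 5 on-demand
!
! Phase 2: transform set and IPsec profile. No PFS is set because Azure’s default
! route-based policy does not require it; add ‘set pfs’ only if the provider’s custom policy does.
crypto ipsec transform-set AZURE-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AZURE-IPSEC
 set transform-set AZURE-TS
 set ikev2-profile AZURE-PROFILE
!
! The VTI itself. ‘tunnel mode ipsec ipv4’ makes this a pure IPsec tunnel (no GRE),
! and ‘tunnel protection’ binds the IPsec profile to it. There is no crypto map and no
! interesting-traffic ACL: anything routed into Tunnel0 is encrypted.
interface Tunnel0
 description Route-based VPN to Azure VNet
 ip address 169.254.10.1 255.255.255.252
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile AZURE-IPSEC
!
! Outside (public) and inside interfaces of the ISR
interface GigabitEthernet0/0
 description Outside
 ip address 198.51.100.5 255.255.255.248
!
interface GigabitEthernet0/1
 description Inside, same segment as the ASA
 ip address 192.168.1.2 255.255.255.0
!
! Routing: the Azure VNet goes down the tunnel, everything else goes to the ISP
ip route 10.1.0.0 255.255.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ---- Cisco ASA side: hand the Azure prefix to the ISR instead of trying to build the VPN ----
! (placeholder addresses; the ASA keeps its existing VPNs and simply routes 10.1.0.0/16 sideways)
route inside 10.1.0.0 255.255.0.0 192.168.1.2
! If the ASA NATs inside traffic, exempt the Azure prefix so the VNet sees real source addresses:
object network OBJ-LAN
 subnet 192.168.0.0 255.255.0.0
object network OBJ-AZURE-VNET
 subnet 10.1.0.0 255.255.0.0
nat (inside,inside) source static OBJ-LAN OBJ-LAN destination static OBJ-AZURE-VNET OBJ-AZURE-VNET
```

After applying it, send some traffic towards the VNet and check `show crypto ikev2 sa` (the Azure peer should show as READY) and `show crypto ipsec sa` (encap/decap counters climbing) on the ISR, and `show interface Tunnel0` should be up/up; if the ISR sits behind the ASA rather than on its own public address, the ASA must also pass UDP/500 and UDP/4500 to it, since the tunnel will then run NAT-T. The same design carries over to any Azure route-based peer, not just this provider, because the only thing tied to Azure here is the peer address, the key and the accepted crypto set.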
Related Articles, References, Credits, or External Links
NA
17/03/2018
Hi,
ASA now supports route-based VPN but for IKEv1 only, you can’t use route-based VPN for IKEv2.
Thanks
04/04/2018
We managed to get IKEv2 with VTI on an ASA 5506-X connecting to Azure, but it is failing when trying to migrate this over to an ASA 5525 on asa982-20-smp-k8.bin. Exactly the same config, but it just won’t connect.