
Azure to Cisco ASA VPN: Route Based Site-to-Site VPN: Minimum Version Recommended

By Jason Howe | Published July 31, 2019, updated September 23rd, 2020 | Azure, Blog, Cisco, Microsoft, Networking

So I was trying to build a Route-Based VPN from a Cisco ASA 5506-X running code 9.4. I was following the Microsoft article here.

I got everything set up just like it mentioned, but I could not get the VPN to connect. I was constantly seeing it try and fail on phase 1. We tried on and off for a couple of days trying to get this VPN up and stable. Eventually I went to other implementation blogs.

Richard J Green: Azure Route-Based VPN to Cisco ASA 5505; Cisco ASA Route-Based Site-to-Site VPN to Azure

PeteNetLive: Microsoft Azure To Cisco ASA Site to Site VPN

What I found is a difference in the minimum ASA software version each source requires:

  • Microsoft article: 9.2 or above
  • Richard J Green: 8.4 or above
  • it: 9.8.2 (tested)
  • PeteNetLive: 9.7(1)

So, after not being able to even get the VPN to connect at the lower versions, we upgraded the firewall from 9.4 to 9.8.3-18. As soon as I got back on the firewall after the upgrade, the tunnel was up and connected. No other configuration changes were necessary.

Essentially, if you are having issues with a Route-Based VPN to Azure from a Cisco ASA, save yourself a bunch of problems and upgrade to at least 9.8.

Now the base configuration that I used on the firewall (IPs and PSKs have been changed to protect the guilty):

! Interesting-traffic ACL and static route; source/destination networks and next hop removed
access-list CUST-2-AZURE extended permit ip
route outside 1
! Phase 2 (IPsec) proposal
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Crypto map entry for the Azure tunnel; peer IP removed
crypto map outside_map 200 match address CUST-2-AZURE
crypto map outside_map 200 set pfs group24
crypto map outside_map 200 set peer
crypto map outside_map 200 set ikev2 ipsec-proposal AES-256
crypto map outside_map 200 set ikev2 pre-shared-key SomeReallyLongKeyOrPasswordVerySecure
crypto map outside_map 200 set security-association lifetime seconds 7200
crypto map outside_map 200 set nat-t-disable
crypto map outside_map interface outside
! Phase 1 (IKEv2) must be enabled on the same interface the crypto map is bound to
crypto ikev2 enable outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
! Group policy and tunnel group; names removed
group-policy internal
group-policy attributes
 vpn-tunnel-protocol ikev2
tunnel-group type ipsec-l2l
tunnel-group general-attributes
tunnel-group ipsec-attributes
 ikev2 remote-authentication pre-shared-key SomeReallyLongKeyOrPasswordVerySecure
 ikev2 local-authentication pre-shared-key SomeReallyLongKeyOrPasswordVerySecure

This is the configuration that has worked for a couple of route-based tunnels to Azure. Your mileage may vary.
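If you manage more than one ASA, it is worth checking the two things this post turned on before spending days on phase 1: that the image is at least 9.8, and that the running-config has no obvious IKEv2 show-stoppers (IKEv2 not enabled on the crypto-map interface, a crypto map pointing at a proposal that does not exist, or local and remote pre-shared keys that differ, which Azure's single shared key never needs). The following is an added example, not code from the post; the version regex, the linter and the sample config (with placeholder peer and key) are all my own construction.

```python
import re

# Minimum ASA release the post settled on for a stable route-based IKEv2 tunnel to Azure.
MIN_VERSION = (9, 8)

# Accepts "9.8(3)18" (show version style) as well as "9.8.3-18" (the form used in the post).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:[.(](\d+)\)?(?:[-.]?(\d+))?)?")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) from a version string or a 'show version' line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA version found in %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())


def meets_minimum(text, minimum=MIN_VERSION):
    """True when the release is at least `minimum`, comparing only as many fields as `minimum` has."""
    return parse_asa_version(text)[: len(minimum)] >= minimum


def lint_ikev2_config(config):
    """Return a list of phase-1 problems visible in a running-config (empty list means none found)."""
    findings = []
    enabled = set(re.findall(r"^crypto ikev2 enable (\S+)", config, re.M))
    for iface in re.findall(r"^crypto map \S+ interface (\S+)", config, re.M):
        if iface not in enabled:
            findings.append("crypto map bound to %s but 'crypto ikev2 enable %s' is missing" % (iface, iface))
    proposals = set(re.findall(r"^crypto ipsec ikev2 ipsec-proposal (\S+)", config, re.M))
    for prop in re.findall(r"^crypto map \S+ \d+ set ikev2 ipsec-proposal (\S+)", config, re.M):
        if prop not in proposals:
            findings.append("crypto map references undefined ipsec-proposal %s" % prop)
    # Azure uses one shared key per connection, so local and remote PSKs should be identical.
    keys = re.findall(r"^\s*ikev2 (remote|local)-authentication pre-shared-key (\S+)", config, re.M)
    if len({k for _, k in keys}) > 1:
        findings.append("local and remote IKEv2 pre-shared keys differ")
    return findings


# Constructed config fragment modelled on the post; peer address and key are placeholders.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 200 set ikev2 ipsec-proposal AES-256
crypto map outside_map interface outside
crypto ikev2 enable outside
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key EXAMPLE-PSK
 ikev2 local-authentication pre-shared-key EXAMPLE-PSK
"""
```

Feed `meets_minimum()` the first line of `show version` and `lint_ikev2_config()` the output of `show running-config`; the linter only catches structural mistakes, so a clean result still says nothing about whether the peer accepts your proposals.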

Jason Howe, Senior Networking Engineer
