VPN Tunnel for Cisco 1921 ISR

  • Question

  • Hello,

    I'm attempting to get up the VPN tunnel between Azure and our office which has a Cisco 1921 ISR (15.1) router.  I'm using the dynamic routing template from the Azure portal.  The VPN is unable to connect.  Here are some messages and commands from the Cisco side:

    Rtr#sh crypto session
    Crypto session current status

    Interface: Tunnel1
    Session status: DOWN
    Peer: 137.116.XX.XXX port 500
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map

    Rtr#sh log

    000026: Jul 23 20:23:27.915 UTC: IPSEC(key_engine): request timer fired: count = 2,
      (identity) local= 71.91.YY.YY:0, remote= 137.116.XX.XX:0,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    000027: Jul 23 20:23:35.067 UTC: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 71.91.YY.YYY:500, remote= 137.116.XX.XXX:500,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
    000028: Jul 23 20:23:35.067 UTC: IKEv2:(1): Sending initial message
    000029: Jul 23 20:23:35.103 UTC: IKEv2:(1): Processing initial message
    000030: Jul 23 20:23:35.103 UTC: IKEv2:(1): Processing initial message
    000031: Jul 23 20:23:35.131 UTC: IKEv2:(1): Sending auth message
    000032: Jul 23 20:23:35.163 UTC: IKEv2:(1): Process auth response notify
    000033: Jul 23 20:23:35.163 UTC: IKEv2:(1):
    000034: Jul 23 20:23:35.163 UTC: IKEv2:(1): Auth exchange failed
    000035: Jul 23 20:23:35.163 UTC: IKEv2:(1): Auth exchange failed
    000036: Jul 23 20:23:35.163 UTC: IKEv2:(1): Deleting SA
    000037: Jul 23 20:24:05.067 UTC: IPSEC(key_engine): request timer fired: count = 1,
      (identity) local= 71.91.YY.YYY:0, remote= 137.116.XX.XXX:0,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
    000038: Jul 23 20:24:05.067 UTC: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 71.91.YY.YYY:500, remote= 137.116.XX.XXX:500,
        local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
    000039: Jul 23 20:24:05.067 UTC: IKEv2:(1): Sending initial message
    000040: Jul 23 20:24:05.103 UTC: IKEv2:(1): Processing initial message
    000041: Jul 23 20:24:05.103 UTC: IKEv2:(1): Processing initial message
    000042: Jul 23 20:24:05.131 UTC: IKEv2:(1): Sending auth message
    000043: Jul 23 20:24:05.159 UTC: IKEv2:(1): Process auth response notify
    000044: Jul 23 20:24:05.159 UTC: IKEv2:(1):
    000045: Jul 23 20:24:05.159 UTC: IKEv2:(1): Auth exchange failed
    000046: Jul 23 20:24:05.159 UTC: IKEv2:(1): Auth exchange failed
    000047: Jul 23 20:24:05.159 UTC: IKEv2:(1): Deleting SA

    Any ideas?  


    • Edited by EP0 Tuesday, July 23, 2013 7:33 PM typos
    Tuesday, July 23, 2013 7:32 PM

All replies

  • Hi,

    In this case there was a device upstream of the VPN device that was filtering some traffic (ESP).

    Please make sure that your VPN is on an unfiltered connection or at least allowing all the required traffic (UDP 500, IKE and ESP).


    Microsoft One Script sample script library: http://blogs.technet.com/b/onescript

    • Marked as answer by Tom Zhang – MSFT Tuesday, July 30, 2013 8:34 AM
    • Unmarked as answer by EP0 Tuesday, July 30, 2013 1:20 PM
    Friday, July 26, 2013 7:49 AM
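A small checker, added here as an illustration and not part of this thread or of any Cisco tooling, that reads IOS IKEv2 log lines like the ones in the question and reports, per negotiation attempt, where the exchange stopped: once "Processing initial message" appears the peer has answered on UDP 500, so a later "Auth exchange failed" points at the IKE_AUTH step (pre-shared key, identities, proposals) rather than at a filter blocking IKE, which would show up as an initial message that never gets a reply. The sample log is constructed: the first cycle is taken from the question, the second is a made-up attempt with no reply.

```python
import re

# Matches lines such as "000028: Jul 23 20:23:35.067 UTC: IKEv2:(1): Sending initial message"
IKEV2_LINE = re.compile(r"^\d+: (?P<ts>\w{3} +\d+ [\d:.]+) UTC: IKEv2:\(\d+\): ?(?P<msg>.*)$")

# Milestones of one IKEv2 negotiation, in protocol order
INIT_SENT, INIT_REPLY, AUTH_SENT, AUTH_FAILED, SA_DELETED = MILESTONES = (
    "Sending initial message",     # IKE_SA_INIT request sent
    "Processing initial message",  # IKE_SA_INIT reply received: UDP 500 works both ways
    "Sending auth message",        # IKE_AUTH request sent
    "Auth exchange failed",        # peer rejected IKE_AUTH
    "Deleting SA",
)

# Constructed sample: cycle 1 copied from the question, cycle 2 invented (no reply at all)
SAMPLE_LOG = """\
000028: Jul 23 20:23:35.067 UTC: IKEv2:(1): Sending initial message
000029: Jul 23 20:23:35.103 UTC: IKEv2:(1): Processing initial message
000030: Jul 23 20:23:35.103 UTC: IKEv2:(1): Processing initial message
000031: Jul 23 20:23:35.131 UTC: IKEv2:(1): Sending auth message
000034: Jul 23 20:23:35.163 UTC: IKEv2:(1): Auth exchange failed
000036: Jul 23 20:23:35.163 UTC: IKEv2:(1): Deleting SA
000039: Jul 23 20:24:05.067 UTC: IKEv2:(1): Sending initial message
000047: Jul 23 20:24:35.067 UTC: IKEv2:(1): Deleting SA
"""

def split_attempts(log_text):
    # One attempt per "Sending initial message"; IPSEC(...) lines are ignored
    attempts = []
    for line in log_text.splitlines():
        m = IKEV2_LINE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg == INIT_SENT or not attempts:
            attempts.append({"started": m.group("ts"), "seen": []})
        if msg in MILESTONES and msg not in attempts[-1]["seen"]:  # IOS repeats some lines
            attempts[-1]["seen"].append(msg)
    return attempts

def diagnose(attempt):
    # Classify by the furthest milestone reached in this attempt
    seen = attempt["seen"]
    if AUTH_FAILED in seen:
        return "auth_failed"      # IKE_SA_INIT was answered, so UDP 500 is open; look at IKE_AUTH
    if INIT_REPLY not in seen:
        return "no_init_reply"    # nothing came back: UDP 500 blocked, unroutable or peer silent
    if AUTH_SENT in seen:
        return "auth_no_outcome"  # IKE_AUTH sent, result not in this excerpt
    return "init_only"            # IKE_SA_INIT answered but IKE_AUTH never sent

def diagnose_log(log_text):
    return [(a["started"], diagnose(a)) for a in split_attempts(log_text)]
```

Running `diagnose_log` over the question's full `sh log` output yields `auth_failed` for both cycles, which is why a reachability problem on UDP 500 alone does not explain that log.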
  • I have confirmed that no upstream devices are blocking IKE, ESP, GRE, and UDP 500.  Is there something else?

    Also, is there any logging or diagnostics from the Azure end?

    Thanks!

    Tuesday, July 30, 2013 1:22 PM