Azure VPN tunnel Problem - one way communication

  • Question

  • We have an issue with the VPN tunnel between Azure and customer premise.  The VPN connection says established on both sides but "Data In" bytes are not incrementing on the Azure Virtual Network Status page. We have checked the customer premise side (Cisco ASA) and packets are being encrypted and decrypted with no packet drops.  The routing has been verified as well.

    We have 4 subscriptions to Azure and each one has a VPN tunnel back to the same internal network and VPN gateway.

    Any help would be appreciated.

    Thanks,

    Wednesday, November 14, 2012 6:47 PM

Answers

  • Hello,

    Thank you for posting your question here.

    Which Cisco device do you have?

    What is the behavior of the other 3 Virtual Networks?

    In my experience, when the "Data in" bytes do not increment it is usually a routing problem on the device. For example, if you have NAT enabled and do not add an exclusion for the Azure Virtual Networks, you might see the behavior you described.

    Regards,

    -Steve

    Wednesday, November 14, 2012 10:26 PM

All replies

  • We are running Cisco ASA 5540 8.3.2 code.

    The ASA serves as the termination point for the VPN tunnel to Azure as well as remote VPN clients.

    The other Virtual networks behave the same way.  The VPN tunnel is fully formed, but there is still no Data-IN showing on the Azure side.

    The routes have been verified and the packet tracer shows fully allow on the ASDM.

    We do not use NAT but have added the exemption rules to the ASA anyway.  Still no change.

    Is the protocol/Encryption section on the ASDM monitoring tab supposed to say "IKE IPSEC AES 128"?  Our support rep mentioned it should say "IPSEC NAT-Traversal AES 128" instead?

    Tuesday, November 27, 2012 4:27 PM
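
An added example, not part of the original thread and not Cisco or Microsoft tooling: a small parser for the ASA's `show crypto ipsec sa` output that flags security associations whose counters move in only one direction. An SA with `#pkts encaps` stuck at 0 is sending nothing into the tunnel, which is what a flat "Data In" counter on the Azure side would look like. The sample output, addresses and crypto map name are constructed for illustration.

```python
import re

# Constructed sample in the layout of ASA `show crypto ipsec sa` (documentation addresses).
SAMPLE = """\
    Crypto map tag: azure-map, seq num: 10, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5121, #pkts decrypt: 5121, #pkts verify: 5121
    Crypto map tag: azure-map, seq num: 20, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.5.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.30
      #pkts encaps: 880, #pkts encrypt: 880, #pkts digest: 880
      #pkts decaps: 902, #pkts decrypt: 902, #pkts verify: 902
"""

IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
PEER = re.compile(r"current_peer: ([\d.]+)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Return one dict per SA block: peer, selectors, encaps and decaps counts."""
    sas = []
    for line in text.splitlines():
        if "Crypto map tag:" in line:  # each SA block starts with this line
            sas.append({"peer": None, "encaps": 0, "decaps": 0})
        if not sas:
            continue
        sa = sas[-1]
        if m := IDENT.search(line):
            sa[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := PEER.search(line):
            sa["peer"] = m.group(1)
        for kind, count in COUNT.findall(line):
            sa[kind] = int(count)
    return sas

def one_way(sas):
    """List (peer, remote selector, stalled counter) for SAs moving in one direction only."""
    findings = []
    for sa in sas:
        if (sa["encaps"] == 0) != (sa["decaps"] == 0):
            stalled = "encaps" if sa["encaps"] == 0 else "decaps"
            findings.append((sa["peer"], sa.get("remote"), stalled))
    return findings
```

Running `one_way(parse_sas(...))` on two captures taken a minute apart shows whether a counter is truly stalled or just low; a stalled `encaps` points at the local side (NAT exemption, crypto ACL, inside routing), a stalled `decaps` at the remote side or the return path.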