VPN tunnel to Azure keeps disconnecting

  • Question

  • We are connected to Azure using a Cisco ASA 5550 running 8.2(5)

    I followed the setup docs accordingly and the tunnel is continuing to drop.  Seems like it drops within 1-2 minutes.

    Looking at log messages I get the following messages:
    Group = 168.61.36.82, IP = 168.61.36.82, All IPSec SA proposals found unacceptable!

    I am using the transform set that was listed in the setup doc and have also tried different transform sets to see if I could find a mating one.

    I am also working with Cisco to see if there was anything else from a setup side I was missing.

    Can I get help trying to find out what is causing our VPN tunnel to keep dropping?

    Friday, January 25, 2013 7:20 PM

Answers

  •  

    Hello,

     

    Thank you for posting your question here.

     

    Please note that that device is not on the list of known compatible devices. Even the models with the most similar model number have a later version of firmware (8.3) than yours.

    Many of our customers have had success with models not on the list by configuring capable devices according to the parameters of the connection:

     • VPN device must have a public facing IPv4 address

     • VPN device must support IKEv1

      ○ Diffie-Hellman in "Group 2" mode  in Phase 1

      ○ Perfect Forward Secrecy = Disabled in Phase 2

     • VPN device must be able to establish IPsec Security Associations in Tunnel mode

     • VPN device must be configurable for an MSS of 1350 for the tunnel

     • VPN device (and upstream firewall) must support/allow ESP

     • VPN device must support these encryption protocols:

      ○ AES 128-bit encryption function

      ○ SHA-1 hashing function

     • VPN device must fragment packets before encapsulating with the VPN headers

     • VPN device must support a 50 character pre-shared key. While a shorter or longer key can be programmatically created, this functionality is not currently exposed in the Windows Azure Portal.

     • For IKE phase 1 negotiation, set validity to 28800 seconds.

     • For IKE phase 2 negotiation, set SA lifetime to 3600 seconds or 102400000 kb

    Regards,

    -Steve

    Friday, January 25, 2013 10:25 PM
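
The parameter list in the answer above can be checked mechanically against a device configuration. The following is an added example, not part of the original thread or of any Cisco or Microsoft tooling: a small Python audit that compares an ASA 8.2-style configuration excerpt with the listed values. The sample configuration, the names `AZURE-TS` and `AZURE-MAP`, and the assumption that the excerpt contains a single IKE policy are constructed for illustration.

```python
import re

# setting -> (regex over ASA 8.2-style config lines, value required by the answer above)
CHECKS = {
    "ike_encryption": (r"^ +encryption (\S+)", "aes"),        # AES 128-bit
    "ike_hash": (r"^ +hash (\S+)", "sha"),                    # SHA-1
    "ike_dh_group": (r"^ +group (\d+)", "2"),                 # Diffie-Hellman Group 2
    "ike_lifetime": (r"^ +lifetime (\d+)", "28800"),          # Phase 1 validity, seconds
    "transform_set": (r"^crypto ipsec transform-set \S+ (.+?) *$", "esp-aes esp-sha-hmac"),
    "pfs": (r"^crypto map \S+ \d+ set pfs ?(\S*)", None),     # PFS must not be configured
    "sa_seconds": (r"^crypto map \S+ \d+ set security-association lifetime seconds (\d+)", "3600"),
    "sa_kilobytes": (r"^crypto map \S+ \d+ set security-association lifetime kilobytes (\d+)", "102400000"),
    "tcp_mss": (r"^sysopt connection tcpmss (\d+)", "1350"),
}

def audit(config):
    """Return {setting: (found, required)} for every setting that differs."""
    findings = {}
    for key, (pattern, want) in CHECKS.items():
        m = re.search(pattern, config, re.MULTILINE)
        # A matched line with no value (bare "set pfs") is reported as "enabled".
        got = (m.group(1) or "enabled") if m else None
        if got != want:
            findings[key] = (got, want)
    return findings

# Constructed sample excerpt with two deliberate deviations (Phase 1 lifetime, PFS).
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AZURE-TS esp-aes esp-sha-hmac
crypto map AZURE-MAP 10 set transform-set AZURE-TS
crypto map AZURE-MAP 10 set pfs group2
crypto map AZURE-MAP 10 set security-association lifetime seconds 3600
crypto map AZURE-MAP 10 set security-association lifetime kilobytes 102400000
sysopt connection tcpmss 1350
"""

if __name__ == "__main__":
    for key, (got, want) in audit(SAMPLE).items():
        print(f"{key}: found {got!r}, required {want!r}")
```

A setting reported with `found None` is not present in the excerpt, so the device default applies instead of the listed value.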