Azure VNET to OnPrem VPN with Dynamic Routing

We have been running a VPN from an ASA 5510 running ASA 8.2 successfully, between our on-prem network and a VNET in Azure. I now wanted to set up a VNET1 to VNET2 VPN scenario, as well as on-prem to VNET1 and VNET2 (like a big VPN mesh). I built this via the XML config, uploaded it to Azure and got the VNET to VNET working by changing the preshared key. I’m now having difficulty getting the VNET to on-prem VPNs up and running. I have configured our ASA and run some debugging and am getting these errors:

Jun 18 14:53:48 [IKEv1]: IP = 23.100.xx.xx, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jun 18 14:53:48 [IKEv1]: IP = 23.100.xx.xx, Information Exchange processing failed

It looks like a Phase 1/ISAKMP issue; however, the config on our end is all still the same (i.e. the same as when I had it working fine on-prem to one VNET). I don’t know why changing the config on the Azure end has broken this, but I am a bit stumped. One pertinent change during this is changing from static routing to dynamic routing – it needs to be dynamic for this scenario to work though.

Technically only ASA 8.3 is supported; however, it was working fine before, so I don’t think this is the issue.

My question is this: what does changing the routing from dynamic to static actually do as far as third-party VPN devices are concerned? Is there a requirement to then change the ISAKMP properties?

–Update– Turns out dynamic routing uses IKEv2, which is supported from ASA 8.4 onwards. Even though this is the case, Azure lists the ASA (even on the newest code) as an unsupported device. ASRs are supported, however.
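
As an added example (not from the original post, and not Cisco or Azure tooling): a small Python triage script for ASA IKE debug output in the format quoted above. It groups lines by peer and reports which peers answered with NO_PROPOSAL_CHOSEN and which IKE version the local side was logging, the mismatch the update describes. The sample log is constructed and its peer addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the ASA debug format quoted above; the peer addresses
# are documentation-range placeholders, not values from the post.
SAMPLE_LOG = """\
Jun 18 14:53:48 [IKEv1]: IP = 203.0.113.10, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jun 18 14:53:48 [IKEv1]: IP = 203.0.113.10, Information Exchange processing failed
Jun 18 14:53:56 [IKEv1]: IP = 203.0.113.10, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Jun 18 14:54:02 [IKEv1]: IP = 198.51.100.7, Information Exchange processing failed
not an IKE line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<ike>IKEv[12])\]: IP = (?P<peer>[0-9a-fA-F.:x]+), (?P<msg>.*)$"
)
NOTIFY_RE = re.compile(r"Received an? (?P<enc>un-encrypted|encrypted) (?P<type>[A-Z_]+) notify")

def summarize(log_text):
    """Group IKE debug lines by peer; count notify types and local IKE versions."""
    peers = defaultdict(lambda: {"versions": set(), "notifies": defaultdict(int), "first": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an IKE debug line
        p = peers[m["peer"]]
        p["versions"].add(m["ike"])
        p["first"] = p["first"] or m["ts"]
        n = NOTIFY_RE.search(m["msg"])
        if n:
            p["notifies"][n["type"]] += 1
    return peers

def proposal_rejections(log_text):
    """Peers that rejected our proposal, with the IKE version we offered."""
    findings = []
    for peer, p in sorted(summarize(log_text).items()):
        count = p["notifies"].get("NO_PROPOSAL_CHOSEN", 0)
        if count:
            findings.append((peer, sorted(p["versions"]), count, p["first"]))
    return findings

if __name__ == "__main__":
    for peer, versions, count, first in proposal_rejections(SAMPLE_LOG):
        print(f"{peer}: {count}x NO_PROPOSAL_CHOSEN since {first}; local side offered "
              f"{'/'.join(versions)} - compare IKE version and proposals with the gateway")
```

A peer that shows up here while the local tag is `[IKEv1]` is a prompt to check whether the remote gateway expects IKEv2 before changing any transform sets.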

2 comments

  1. Hi, I was wondering if you would share your settings. I have ASA 5500 ver 8.4. I can’t seem to get dynamic routing working for Azure. Any tips?

    1. Hi John, we actually ended up with some ASRs so I didn’t ever need to pursue dynamic routing on an ASA. The config they generate through the GUI works a treat on the ASR platform. Sorry I can’t be any more useful!
