Friday 2 July 2021

Azure to Cisco Firepower FTD S2S VPN issues

The issue

Azure’s IKEv1 VPN is “policy based” by default (crypto map)

Azure’s IKEv2 VPN is “route based” by default (VTI / tunnel interface / routes)

Cisco FTD side IKEv2 VPN is “policy based” (crypto map)


My FTD was running version 6.6.1, which doesn’t support the VTI interfaces needed for a route-based VPN. VTI support is added in version 6.7, but that version also requires 32GB of RAM and removes old DH groups like DH group 2. All 3rd parties would need to be contacted and all S2S VPNs with 3rd parties would need to be updated. That is a significant amount of work that would need to be co-ordinated and would need sign-off, OOH work etc.


Why it works sometimes

When the Azure side initiates, it tries to bring the tunnel up as IKEv2 route-based, which the Cisco side won’t accept. However, when the lifetime is reached and the VPN re-keys, if the Cisco side initiates with IKEv2 policy-based, the Azure side will accept that connection. That is why it works sometimes and not other times: it just depends on which side tries to bring the VPN up first after it has gone down from lifetime expiry.


Some possible fixes:

1 – Change the VPN to the old IKEv1 policy-based VPN. This should work but might have implications for security audits etc.


2 – Change the Azure side to be policy based and responder only. Cisco TAC said there is a checkbox to make the VPN policy based and responder only. On the Azure side you will need to go into PowerShell and manually add traffic selectors.

The TAC engineer said a support ticket with Azure may be required to set this up. 

The Cisco side will need a script set up to constantly ping something on the Azure side. This will keep the Cisco side initiating the VPN.
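The Azure-side change from fix 2, written out as an added Azure PowerShell example (this is not from the original post, and not from Cisco or Microsoft documentation quoted here). It assumes the Az.Network module, placeholder resource group and connection names, a placeholder on-prem range, and the 10.5.0.0/24 Azure range mentioned below. The IKE/IPsec proposal must match what the FTD crypto map offers; DH group 2 / PFS2 is kept only because the post says the 6.6.1 peers still depend on it, and stronger groups should be used wherever both sides support them. ConnectionMode is the PowerShell form of the responder-only setting the TAC engineer mentioned and needs a recent Az.Network release.

```powershell
# Added example, not from the original post. Placeholders: resource group,
# connection name and the on-prem address range.
$rg   = 'rg-vpn-placeholder'
$conn = 'cn-azure-to-ftd-placeholder'

# Custom IPsec/IKE policy. UsePolicyBasedTrafficSelectors requires one, and it
# must match the FTD proposals exactly or phase 1/2 will fail on the re-key.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             DHGroup2 `   # kept for the 6.6.1 peers described in the post
    -IpsecEncryption     AES256 `
    -IpsecIntegrity      SHA256 `
    -PfsGroup            PFS2 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

# Narrow traffic selectors so the route-based Azure gateway negotiates the
# same proxy IDs a crypto map expects instead of 0.0.0.0/0 <-> 0.0.0.0/0.
$trafficSelectors = New-AzIpsecTrafficSelectorPolicy `
    -LocalAddressRange  @('10.5.0.0/24') `            # Azure side, from the post
    -RemoteAddressRange @('192.0.2.0/24')             # placeholder on-prem range

$connection = Get-AzVirtualNetworkGatewayConnection -Name $conn -ResourceGroupName $rg

# Policy-based selectors + responder only: Azure stops initiating as route-based,
# so every bring-up after lifetime expiry is driven by the Cisco side.
Set-AzVirtualNetworkGatewayConnection `
    -VirtualNetworkGatewayConnection $connection `
    -IpsecPolicies                   $ipsecPolicy `
    -TrafficSelectorPolicy           $trafficSelectors `
    -UsePolicyBasedTrafficSelectors  $true `
    -ConnectionMode                  ResponderOnly

# Read the settings back and check the tunnel state after the next re-key.
$applied = Get-AzVirtualNetworkGatewayConnection -Name $conn -ResourceGroupName $rg
$applied | Select-Object Name, ConnectionStatus, UsePolicyBasedTrafficSelectors, ConnectionMode
$applied.IpsecPolicies | Format-List
$applied.TrafficSelectorPolicies | Format-List
```

After applying this, the connection should show ConnectionStatus of NotConnected until the Cisco side sends interesting traffic, then Connected; if it flaps back to NotConnected at every SA lifetime, the selectors or proposals still differ from the FTD crypto map and that is the first thing to compare.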


3 – Upgrade Firepower to 6.7. May need a RAM upgrade. Will need to contact all 3rd parties which have a site-to-site VPN and co-ordinate updating all the VPN settings.


Possible quick fix/work around:

Set up a ping -t from the Cisco side to the Azure side

Clear down the VPNs (affects all S2S VPNs)

Do this a few times until we can bring the VPN between Azure <-> DLR backup up with the DLR side as initiator


Daniel, can you give me a host to ping on the Azure side (10.5.0.0 255.255.255.0)? I don’t think it even needs to respond; I just need something I can use to generate traffic that matches the VPN.
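An added PowerShell version of the keepalive from the workaround above (not part of the original post), for the Windows host on the Cisco side where the ping -t would run. Unlike an open-ended ping -t it keeps sending even while the peer is unreachable, which is the point: the echo requests only have to match the crypto map ACL to make the FTD initiate, they do not have to be answered. It logs only up/down transitions with timestamps so the log doubles as a record of when the tunnel dropped at lifetime expiry and how long the Cisco-initiated bring-up took. The target address is a placeholder inside the 10.5.0.0/24 Azure range; the interval and log path are assumptions.

```powershell
# Added example, not from the original post. Placeholder target in 10.5.0.0/24.
param(
    [string]$Target      = '10.5.0.4',   # placeholder host on the Azure side
    [int]   $IntervalSec = 5,            # one echo request every 5 seconds
    [string]$LogPath     = "$env:TEMP\azure-vpn-keepalive.log"
)

function Write-Transition {
    param([string]$State, [string]$Peer, [string]$Path)
    $line = '{0:yyyy-MM-dd HH:mm:ss} peer {1} is {2}' -f (Get-Date), $Peer, $State
    Write-Host $line
    Add-Content -Path $Path -Value $line
}

$lastUp = $null
Write-Host "Sending keepalive traffic to $Target every $IntervalSec s; log: $LogPath"

while ($true) {
    # -Quiet gives $true/$false. A failed echo is expected while the tunnel is
    # down; the request itself is still interesting traffic for the crypto map.
    $up = Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue

    if ($up -ne $lastUp) {
        $state = if ($up) { 'UP' } else { 'DOWN' }
        Write-Transition -State $state -Peer $Target -Path $LogPath
        $lastUp = $up
    }
    Start-Sleep -Seconds $IntervalSec
}
```

Run it as a scheduled task or a service-style background job rather than in an interactive window, so it survives logoff; the DOWN/UP pairs in the log should line up with the SA lifetime configured on the FTD, and a DOWN that never recovers means the Azure side initiated first and the clear-down step above is needed again.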
