
Can't establish site-to-site VPN between HNV Gateway and Cisco ASA in Windows Server 2012 R2



Symptoms

You want to set up a site-to-site VPN from a Hyper-V Network Virtualization Gateway (HNV GW) in Windows Server 2012 R2, running Routing and Remote Access Service (RRAS) to a Cisco ASA firewall. However, when you try to create the VPN tunnel from a tenant network, the tunnel cannot be established.

Notes
  • The VPN tunnel can be established successfully when you create the tunnel from the ASA side but not from the HNV gateway side.
  • When you create the VPN tunnel from an on-premises network, the VPN tunnel is established successfully.



Cause

The implementation of Internet Key Exchange version 2 (IKEv2) on the Cisco ASA does not accept a Traffic Selector (TS) value of "any". Instead, it rejects the proposal and generates a policy mismatch error that blocks creation of the tunnel.



Workaround

To work around this issue, make sure that the tunnel is always established from the ASA side. You must also make sure that the tunnel always remains up by using one of the following methods:
  • Make sure that the tunnel time-out values on both the Cisco ASA and the Windows Server gateway are configured so that they don't expire quickly.
  • Make sure that Dead Peer Detection on the Cisco ASA is not left at the default value (10 seconds) but is set to infinite.
  • Make sure that some kind of keep-alive traffic always flows through the IKEv2 tunnel (this keeps the tunnel up). You can do this by starting a continuous ping between a virtual machine on the tenant network and an on-premises device.



More Information

The RRAS implementation in Windows Server 2012 R2 is a route-based VPN that does not support policy-based VPNs. The Cisco ASA firewall does not support route-based VPNs.

When the HNV gateway sends the IKE proposals, it uses "any" as the TS value. When the ASA receives this proposal, it rejects the proposal instead of narrowing the TS value to what is configured in the ASA configuration. Therefore, the tunnel is not established. When the tunnel is created from the ASA side, the HNV gateway accepts the "any" TS value and correctly narrows the range to what the ASA proposes.
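The following Python model illustrates the two responder behaviours described above. It is an added example written for this archive page, not code from Microsoft, Cisco or the original article, and it is a simplified model of IKEv2 traffic-selector handling (RFC 7296, sections 2.9 and 3.13): a responder that narrows computes the overlap between the initiator's proposal and its own policy, while a responder that requires an exact policy match rejects an "any" selector outright. The subnets used (10.0.1.0/24 for the on-premises side, 192.168.10.0/24 for the tenant side) are constructed sample values, and the class and function names are this example's own, not identifiers from either product.

```python
"""Model of IKEv2 traffic-selector (TS) negotiation: narrowing vs. exact-match responders.

Added illustration for the KB text above; not Microsoft RRAS or Cisco ASA code.
A TrafficSelector here is a TS_IPV4_ADDR_RANGE: an inclusive IPv4 address range
plus an inclusive port range (RFC 7296 section 3.13).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrafficSelector:
    start_addr: str
    end_addr: str
    start_port: int = 0
    end_port: int = 65535

    def addr_range(self):
        # Inclusive integer bounds so ranges can be intersected arithmetically.
        return (int(ipaddress.IPv4Address(self.start_addr)),
                int(ipaddress.IPv4Address(self.end_addr)))


# The "any" selector (all addresses, all ports) that a route-based gateway proposes.
ANY_TS = TrafficSelector("0.0.0.0", "255.255.255.255")


def ts_from_cidr(cidr: str) -> TrafficSelector:
    """Build a selector covering one subnet, as a policy-based gateway would configure it."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return TrafficSelector(str(net.network_address), str(net.broadcast_address))


def intersect(a: TrafficSelector, b: TrafficSelector) -> Optional[TrafficSelector]:
    """Overlap of two selectors, or None if they share no address or no port."""
    a_lo, a_hi = a.addr_range()
    b_lo, b_hi = b.addr_range()
    lo, hi = max(a_lo, b_lo), min(a_hi, b_hi)
    p_lo, p_hi = max(a.start_port, b.start_port), min(a.end_port, b.end_port)
    if lo > hi or p_lo > p_hi:
        return None
    return TrafficSelector(str(ipaddress.IPv4Address(lo)),
                           str(ipaddress.IPv4Address(hi)), p_lo, p_hi)


def narrowing_responder(proposed: List[TrafficSelector],
                        configured: List[TrafficSelector]) -> Optional[List[TrafficSelector]]:
    """RFC 7296 2.9 behaviour (what the HNV gateway does when the ASA initiates):
    accept the subset of the proposal that overlaps local policy.
    Returns None when nothing overlaps, which corresponds to TS_UNACCEPTABLE."""
    narrowed = []
    for p in proposed:
        for c in configured:
            overlap = intersect(p, c)
            if overlap is not None:
                narrowed.append(overlap)
    return narrowed or None


def strict_responder(proposed: List[TrafficSelector],
                     configured: List[TrafficSelector]) -> Optional[List[TrafficSelector]]:
    """Simplified model of a responder that refuses to narrow (the ASA behaviour the
    article describes): every proposed selector must lie entirely inside some
    configured selector, otherwise the whole proposal is rejected."""
    for p in proposed:
        if not any(intersect(p, c) == p for c in configured):
            return None
    return list(proposed)


if __name__ == "__main__":
    asa_policy = [ts_from_cidr("10.0.1.0/24")]       # constructed on-premises subnet
    hnv_policy = [ANY_TS]                             # route-based: no per-subnet policy

    # Tenant -> ASA: HNV proposes "any", ASA (strict) rejects -> no tunnel.
    print("HNV initiates:", strict_responder([ANY_TS], asa_policy))
    # ASA -> tenant: ASA proposes its subnet, HNV narrows "any" down to it -> tunnel up.
    print("ASA initiates:", narrowing_responder(asa_policy, hnv_policy))
    # What a narrowing ASA would have returned to the HNV proposal instead of rejecting it.
    print("If ASA narrowed:", narrowing_responder([ANY_TS], asa_policy))
```

Running the script shows the asymmetry the article describes: the same pair of policies yields no selectors when the "any" side initiates against an exact-match responder, and yields the ASA's configured subnet when the ASA initiates against a responder that narrows.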

For more information, see the VPN Interoperability guide for Windows Server 2012 R2.



Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.



Keywords: kbtshoot, kbexpertiseadvanced, kbsurveynew, kb


Article Info
Article ID : 3056701
Revision : 1
Created on : 1/7/2017
Published on : 5/8/2015
Exists online : False
Views : 385