Site to site connectivity with Windows Azure (GA) - Yuri Diogenes's Blog - Site Home - TechNet Blogs

Yuri Diogenes's Blog

Thoughts from a Senior Content Developer @ Microsoft Data Center, Devices & Enterprise Client – CSI (Enterprise Mobility Team)

Site to site connectivity with Windows Azure (GA)


Almost a month ago I wrote this post about an attempt to establish a site-to-site connection between TMG and Windows Azure, and the conclusion was: you need a valid IP on your edge device in order to do that. Done, got my valid IP and now I’m ready to rock! It should be straightforward now that I have all the steps in mind and know how it works, but it was not. Using the same lab environment (but now with TMG having a valid IP address), I faced a different issue: the tunnel between Azure and TMG connected for a couple of seconds (from the Azure Portal perspective) and then dropped. It was a constant pattern, so it was not just a transient situation. Using TMG Data Packager with the VPN template, I gathered the data I needed to understand what was going on. When I started reviewing the IKE logging, this is what I got:

[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with Windows error 13824(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0638::00/00/0000-00:00:00.000 [user] |Azure_IP|IkeVerifyPacketHeader failed with HRESULT 0x80073600(ERROR_IPSEC_IKE_INVALID_HEADER)
[0]00FC.0480::00/00/0000-00:00:00.000 [ikeext]                0|NULL|IkeRegConfigChangeNotifyCallback invoked
[0]00FC.0480::00/00/0000-00:00:00.000 [ikeext]                0|NULL|Stopping IKE tracing

An invalid header could be something related to IKE itself; unfortunately, researching this error didn’t help me much.

Next step: understanding what’s going on on the wire! I started reviewing the Netmon trace for this traffic, and the capture showed what was happening.

Oh well, that explains everything: TMG doesn’t work with IKEv2, hence it fails to negotiate. But wait a minute, how did this use to work in the past? Because prior to GA, Windows Azure was using IKEv1. When you are using the Windows Azure Gateway you can configure it to use Static Routing or Dynamic Routing (see more info about these definitions here); if you use Dynamic Routing, then the Azure Gateway for site-to-site will use IKEv2. This document is being updated to reflect this change, which was introduced in GA.
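To make the version mismatch concrete, here is an added example (not code from the original post or from TMG/Azure) that parses the 28-byte IKE header shared by IKEv1 and IKEv2, reports the major version and exchange type, and confirms that the two error codes in the log above are the same Win32 error (13824) in its raw and HRESULT forms. The sample packets are constructed here, not captured from Azure.

```python
import struct

# ISAKMP/IKE header (RFC 2408 / RFC 7296): 28 bytes, identical layout in IKEv1 and IKEv2.
IKE_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types that identify the protocol generation on the wire.
IKEV1_EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                   5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

FACILITY_WIN32 = 0x0007

def win32_to_hresult(code: int) -> int:
    """HRESULT_FROM_WIN32: severity bit set, FACILITY_WIN32, Win32 code in the low 16 bits."""
    return 0x80000000 | (FACILITY_WIN32 << 16) | (code & 0xFFFF)

def classify_ike_header(payload: bytes) -> dict:
    """Parse the start of a UDP/500 payload and report IKE major/minor version and exchange."""
    if len(payload) < IKE_HEADER.size:
        raise ValueError("payload shorter than a 28-byte IKE header")
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = \
        IKE_HEADER.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    if major == 2:
        name = IKEV2_EXCHANGES.get(exch, f"unknown({exch})")
    elif major == 1:
        name = IKEV1_EXCHANGES.get(exch, f"unknown({exch})")
    else:
        name = f"unsupported major version {major}"
    return {"major": major, "minor": minor, "exchange": name,
            "initiator_spi": i_spi.hex(), "declared_length": length}

def peer_accepts(payload: bytes, supported_majors=(1,)) -> bool:
    """Header version check of the kind an IKEv1-only responder must perform (hypothetical helper)."""
    return classify_ike_header(payload)["major"] in supported_majors

# Constructed sample: IKEv2 IKE_SA_INIT request (next payload 33 = SA, flags 0x08 = Initiator).
SAMPLE_IKEV2 = IKE_HEADER.pack(bytes.fromhex("0011223344556677"), bytes(8),
                               33, 0x20, 34, 0x08, 0, 28)
# Constructed sample: IKEv1 Main Mode header (next payload 1 = SA).
SAMPLE_IKEV1 = IKE_HEADER.pack(bytes.fromhex("8899aabbccddeeff"), bytes(8),
                               1, 0x10, 2, 0x00, 0, 28)

if __name__ == "__main__":
    for pkt in (SAMPLE_IKEV2, SAMPLE_IKEV1):
        print(classify_ike_header(pkt), "accepted by v1-only peer:", peer_accepts(pkt))
    print(hex(win32_to_hresult(13824)))  # 0x80073600, the HRESULT form seen in the log
```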

Just to remind you: TMG is not supported for site-to-site connectivity on Azure, and now that Dynamic Routing requires IKEv2, TMG is not an option even for testing purposes.

Comments
  • Nice to see your TMG knowledge back here, and as usual this article is totally self-explanatory, with the opportunity of learning some troubleshooting framework stuff :)

  • Thanks Daniel... troubleshooting is in my blood; whenever I have a chance I enjoy doing it. Sadly the days playing with TMG are coming to an end :(

  • Yuri, what are the plans after TMG? Will everything move to DirectAccess through 2012 server?

  • The only official answer is what is documented at blogs.technet.com/.../important-changes-to-forefront-product-roadmaps.aspx
