- The VPN tunnel can be established successfully when you create the tunnel from the ASA side but not from the HNV gateway side.
- When you create the VPN tunnel from an on-premises network, the VPN tunnel is established successfully.
- Make sure that the tunnel time-out values on both Cisco and Windows Server gateway are configured so that they don't expire quickly.
- Make sure that Dead Peer Detection is not set to the default value (10 seconds) and that it's set to infinite on Cisco ASA.
- Make sure that some kind of keep-alive traffic always flows over the IKEv2 tunnel (this keeps the tunnel up). You can do this by starting a continuous ping between a virtual machine on the tenant network and an on-premises device.
When the HNV gateway sends the IKE proposals, it uses "any" as the traffic selector (TS) value. When the ASA receives this proposal, it rejects the proposal instead of narrowing the TS value to what is configured in the ASA configuration. Therefore, the tunnel is not established. When the tunnel is created from the ASA side, the HNV gateway accepts the TS value because its own selector is "any", and it correctly narrows to the range that's proposed by the ASA.
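The selector handling described above, modelled in Python as an added example (not code from this article, Microsoft or Cisco). The subnets are constructed sample values, and the non-narrowing responder is modelled, as an assumption, as one that accepts a proposal only if it already fits inside its policy; only address ranges are modelled, not protocol or port.

```python
# Added illustration of IKEv2 traffic-selector (TS) narrowing (RFC 7296, section 2.9).
# All subnets are constructed sample values, not taken from the article.
from ipaddress import IPv4Address, IPv4Network
from typing import NamedTuple, Optional

class TS(NamedTuple):
    start: IPv4Address
    end: IPv4Address

    @classmethod
    def from_cidr(cls, cidr: str) -> "TS":
        net = IPv4Network(cidr)
        return cls(net[0], net[-1])

ANY = TS(IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))
TENANT = TS.from_cidr("10.10.0.0/16")     # hypothetical tenant (HNV) network
ONPREM = TS.from_cidr("192.168.1.0/24")   # hypothetical on-premises network

def intersect(a: TS, b: TS) -> Optional[TS]:
    """Overlap of two address ranges, or None if they are disjoint."""
    start, end = max(a.start, b.start), min(a.end, b.end)
    return TS(start, end) if start <= end else None

def respond(proposed, policy, narrows):
    """Return the (TSi, TSr) pair the responder selects, or None for TS_UNACCEPTABLE.

    proposed and policy are (TSi, TSr) pairs; narrows says whether the responder
    is willing to answer with a subset of what the initiator proposed.
    """
    selected = tuple(intersect(p, q) for p, q in zip(proposed, policy))
    if None in selected:
        return None      # no overlap between proposal and policy
    if not narrows and selected != tuple(proposed):
        return None      # proposal is wider than policy and responder will not narrow
    return selected

def scenarios():
    return {
        # HNV gateway initiates with "any"; responder does not narrow (the failing case).
        "hnv_to_strict": respond((ANY, ANY), (TENANT, ONPREM), narrows=False),
        # Same proposal against a responder that narrows to its configured ranges.
        "hnv_to_narrowing": respond((ANY, ANY), (TENANT, ONPREM), narrows=True),
        # ASA initiates with specific ranges; HNV policy is "any" (the working case).
        "asa_to_hnv": respond((ONPREM, TENANT), (ANY, ANY), narrows=True),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", result if result else "TS_UNACCEPTABLE")
```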
For more information, see the VPN Interoperability guide for Windows Server 2012 R2.
Article ID: 3056701 - Last Review: 08 May 2015 - Revision: 1