• Problems with IPSec from China to United States

    1
    0 Votes
    1 Posts
    275 Views
    No one has replied
  • IPSec to Cisco ASR 1013

    4
    0 Votes
    4 Posts
    940 Views
    @Konstanti Ya, I can't tell you how many times I verified the IPSec settings. Magically, the connection was established last night as I left it on while doing some other work. When I returned to have another look, the connection was made. I tried this current configuration multiple times to no avail, so I am baffled as to what the resolution was. I'm booking a meeting with a guy at the other side to start pulling parts and pieces apart to determine the issue. One thing I noticed is that the initial attempts to connect were using port 4500 and the established tunnel is on 500 (I have no firewall logs blocking this and I have rules on WAN in place explicitly allowing UDP 500/4500 and ESP). Perhaps their end isn't liking the 4500 (they told me they are good with the UDP 4500, mind you). Sort of feels like Cisco just not wanting to play nice in the sandbox with the other kids. I'll update with any resolution(s) or comments here.
  • Problems with traffic in VPN tunnel

    4
    0 Votes
    4 Posts
    671 Views
    @Juan-Carlos-Gtz Hey, you're only allowed TCP on the interface IPSEC Mex 2. Other protocols are prohibited. In order to use ping you need to enable ICMP.
  • Mobile Clients not sending all traffic via VPN

    ipsec vpn
    1
    0 Votes
    1 Posts
    302 Views
    No one has replied
  • My first routed ipsec environment, tunnels keep failing

    1
    0 Votes
    1 Posts
    207 Views
    No one has replied
  • Failback IPsec Tunnel

    1
    0 Votes
    1 Posts
    339 Views
    No one has replied
  • IPSEC's VPN can't PING the host network and vice versa

    ipsec vpn client ping ssh
    1
    0 Votes
    1 Posts
    524 Views
    No one has replied
  • Routing between VPN Client and VPN tunnel

    7
    0 Votes
    7 Posts
    917 Views
  • FW Rules for VTI interfaces

    9
    0 Votes
    9 Posts
    1k Views
    Derelict
    Then post what you have because it most certainly does work.
  • Advertise specific routes (( not 0.0.0.0/0 )) via bgpd

    2
    0 Votes
    2 Posts
    248 Views
    NogBadTheBad
    Might be better to use FRR in place of OpenBGP.
  • pfSense AWS VPN Dropout Every Month

    Moved
    3
    0 Votes
    3 Posts
    438 Views
    galda01
    Excellent questions. I will check when it happens again. I appreciate you replying so quickly. -Andrew G
  • Routed IPSec Tunnel VTI Interface is down

    1
    0 Votes
    1 Posts
    218 Views
    No one has replied
  • IPSEC site to site Tunnel - cannot ping beyond Pfsense

    4
    0 Votes
    4 Posts
    450 Views
    Removed all config and redid all config on both pfsense and Cisco and it now works. Don't know why it works as I didn't change any settings....
  • IPsec Mobile Client send all traffic to internet

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • IPSEC Tunnel doesn't disable when disabled.

    1
    0 Votes
    1 Posts
    202 Views
    No one has replied
  • IPSec phase 2 not running initiating behind a NATed router

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • failing to connect with strongSwan

    1
    0 Votes
    1 Posts
    542 Views
    No one has replied
  • Dual WAN IPSec with load balance gateway group

    2
    0 Votes
    2 Posts
    393 Views
    I assume some things here which may be wrong: one pfSense cluster = HA group; Azure connection = your IPSEC goes to your Azure server/cluster. We use a setup something like this one currently, just not connected to Azure but another third party. This has been used for a few years now with no issues. We only have one pfSense though, not an HA group on our side. For the interface, we use a two-tiered gateway failover group, and on the other side, there are two profiles set, one for each of our VPN IPs. I imagine a load balance group would work the same for IPSEC, just not prefer one over the other? By the time we replace our aging firewall with an HA failover group, we could use the CARP IPs in the failover group I guess? In reality, we'll likely go for BGP as well by then, but our IPSEC solution currently works fine without BGP. If I have misunderstood something, then please elaborate.
  • Slow IPSEC Performance

    11
    0 Votes
    11 Posts
    2k Views
    Yes, I tried disabling TCP offloading, and it reduced my throughput by 80%. I re-enabled it. I am getting the full 150Mbps over SMB on the PFSense tunnel, that is not the issue. I am sorry, it can be difficult to explain these issues using only text and I may not be explaining this correctly. Throughput is good! Random filesystem access is bad. Example: I search the SMB share for all jpg files. Using the 50Mbps Cisco tunnel, it takes 5 minutes. Using the 150Mbps PFsense tunnel, it takes 15 minutes. It is an odd issue to have, and one I have not seen before.
  • Cannot route 2 local subnets to 1 remote subnet

    2
    0 Votes
    2 Posts
    307 Views
    Don't know why, but suddenly it's working. I just deleted phase 2 and recreated it...
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.