Routes for the destination are missing in the virtual network gateway

Arjen Gerritsen 41 Reputation points
2022-11-11T12:46:19.3+00:00

Hi,

We set up a connection monitor for ICMP between two Windows Virtual Machines in different regions. The communication between these regions is established by a Fortigate NVA (FW/VPN) relaying over the On Premise Network. In both Virtual Networks routing tables exist having a default route (0.0.0.0/0) set to the Fortigate inbound IP (10.5.33.20).

   Name           State   Source  NextHopType                   NextHopIpAddress AddressPrefix
   ----           -----   ------  -----------                   ---------------- -------------
                  Active  Default VnetLocal                     {}               {10.5.32.0/22}
   DefaultRoute   Active  User    VirtualAppliance              {10.5.33.20}     {0.0.0.0/0}
   PTVNetOverride Active  User    VirtualAppliance              {10.5.33.20}     {10.5.44.0/22}
   PPVNetOverride Active  User    VirtualAppliance              {10.5.33.20}     {10.5.40.0/22}

Communications work fine, as well as the monitoring and alerting. We have however two issues:

  1. In the topology overview an issue occurs stating that Routes for the destination are missing in the virtual network gateway.
    When using the troubleshoot feature on the Network Watcher the error returned is: {"origin":"Outbound","severity":"Error","type":"NoRouteLearned","context":[]}
  2. When the Fortigate Firewall goes down for maintenance, the monitoring stops working. The only way to restart monitoring is to reboot the Windows VM, and everything goes back online.

My questions are: what is the origin of the issue of missing routes? And is the failure of monitoring when communication stops for a while related to this issue, or is there something else wrong? What would be the best way to restart/continue monitoring in these cases?

Azure Network Watcher
An Azure service that is used to monitor, diagnose, and gain insights into network performance and health.

Accepted answer
  1. KapilAnanth-MSFT 35,001 Reputation points Microsoft Employee
    2022-11-22T09:40:45.293+00:00

    Hi @Arjen Gerritsen ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you have set up VPN routing via VPN Gateway and have also set up monitoring via Network Watcher.

    You stated that, from your NVA, you were not able to see the next Hop ranges for your OnPrem address range.

    From further troubleshooting, it was found that you are actually not using a VPN gateway, but your own NVA (IaaS VM) to build the Tunnel.

    In this case, I suggested that the routes are as expected.

    The fact that you are using a custom VPN solution means that the Azure Platform will not have visibility into the remote address range.
    This makes sense, as your NVA -------- OnPrem Tunnel is built over Internet and is encrypted.

    So, the route 0.0.0.0/0 -------> Internet represents your encrypted VPN traffic. (actual remote address range being not visible to platform)

    The Topology view leverages Routes visible to platform, and will not know the OnPrem address range.
    Hence the error.

    For the Network Watcher ping error, we will need a specialized 1:1 session.
    If you have a support plan you may file a support ticket; otherwise please let us know, and we will try to help you get one-time free technical support.

    You informed that currently you are not facing issues with the ping failures.

    I hope this discussion helped you.

    Cheers,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
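
Added example, not part of the original thread and not Microsoft's code: a small Python model of route selection over the effective routes posted in the question, showing that every remote destination resolves to the Fortigate NVA and that the table holds no gateway-learned route. The destination IPs are constructed, and treating "gateway-learned" as the condition behind `NoRouteLearned` is an assumption that follows the accepted answer's explanation, not Network Watcher's documented logic.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "name source next_hop_type next_hop_ip prefix")

# Effective routes transcribed from the table in the question.
ROUTES = [
    Route("", "Default", "VnetLocal", None, "10.5.32.0/22"),
    Route("DefaultRoute", "User", "VirtualAppliance", "10.5.33.20", "0.0.0.0/0"),
    Route("PTVNetOverride", "User", "VirtualAppliance", "10.5.33.20", "10.5.44.0/22"),
    Route("PPVNetOverride", "User", "VirtualAppliance", "10.5.33.20", "10.5.40.0/22"),
]

# Azure tie-break for equal prefixes: user-defined, then BGP, then system.
SOURCE_PRIORITY = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}

def select_route(dest_ip, routes=ROUTES):
    """Longest-prefix match with Azure's source tie-break; None if no match."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                       SOURCE_PRIORITY.get(r.source, 3)))

def gateway_learned(routes=ROUTES):
    """Routes the platform learned from a virtual network gateway (assumed check)."""
    return [r for r in routes if r.source == "VirtualNetworkGateway"
            or r.next_hop_type == "VirtualNetworkGateway"]

def explain(dest_ip, routes=ROUTES):
    """Summarise how a destination is forwarded and what the platform can see."""
    r = select_route(dest_ip, routes)
    if r is None:
        return "no route"
    via = r.next_hop_ip or "local delivery"
    seen = "yes" if r in gateway_learned(routes) else "no"
    return f"{dest_ip}: {r.name or '(system)'} -> {r.next_hop_type} ({via}); gateway-learned: {seen}"

if __name__ == "__main__":
    # Constructed sample destinations: remote VNet, local subnet, elsewhere.
    for ip in ("10.5.44.10", "10.5.33.20", "192.168.10.5"):
        print(explain(ip))
    print("gateway-learned routes:", gateway_learned())
```

The same check is useful when auditing forced tunnelling: any destination whose selected route does not point at 10.5.33.20 (other than local delivery) would bypass the firewall.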
