[ Gateway Connection ] Traffic Selectors not working for 2 or more subnets.

Thales Claro 1 Reputation point
2021-03-31T01:16:23.16+00:00

Currently we have managed to deploy and connect our route-based gateway between Azure and a Cisco ASA, which works fine for only one of the subnets defined in trafficSelectorPolicies. This means that currently we are only able to test the connection from resources in the 10.0.1.0/24 local subnet.

{
    "name": "Connection",
    "id": "*****",
    "etag": "***",
    "type": "Microsoft.Network/connections",
    "location": "northeurope",
    "tags": {},
    "properties": {
        "provisioningState": "Succeeded",
        "resourceGuid": "***",
        "virtualNetworkGateway1": {
            "id": "***"
        },
        "localNetworkGateway2": {
            "id": "***"
        },
        "connectionType": "IPsec",
        "connectionProtocol": "IKEv2",
        "routingWeight": 3,
        "sharedKey": "***",
        "enableBgp": false,
        "useLocalAzureIpAddress": false,
        "usePolicyBasedTrafficSelectors": true,
        "ipsecPolicies": [
            {
                "saLifeTimeSeconds": 3600,
                "saDataSizeKilobytes": 102400000,
                "ipsecEncryption": "AES256",
                "ipsecIntegrity": "SHA256",
                "ikeEncryption": "AES256",
                "ikeIntegrity": "SHA256",
                "dhGroup": "DHGroup2",
                "pfsGroup": "PFS2"
            }
        ],
        "trafficSelectorPolicies": [
            {
                "localAddressRanges": [
                    "10.0.1.0/24",
                    "10.0.2.0/24"
                ],
                "remoteAddressRanges": [
                    "30.**.**.0/23"
                ]
            }
        ],
        "connectionStatus": "Connected",
        "ingressBytesTransferred": 15800,
        "egressBytesTransferred": 25908,
        "dpdTimeoutSeconds": 0,
        "connectionMode": "Default"
    }
}

Has anyone had a similar issue and come across a solution for this case?

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

2 answers

  1. SaiKishor-MSFT 17,176 Reputation points
    2021-04-02T19:53:03.067+00:00

    @Thales Claro

    Thank you for reaching out to Microsoft Q&A. I understand that you are trying to connect Azure Route Based VPN to Cisco ASA which is using a Policy based VPN and with this setup you are only able to connect to one of the subnets and not the other.

    In order to work around this, configure Azure route-based VPN gateways to use prefix-based traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-premises policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-based VPN gateways. [attached screenshot]

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

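A check a practitioner would run at this point, added here as an example and not part of the original thread: with usePolicyBasedTrafficSelectors enabled, the Azure gateway proposes one traffic selector (and one IPsec SA) per local/remote prefix pair taken from trafficSelectorPolicies, so the on-premises device's crypto ACL needs an exactly matching entry for every pair. That per-pair behaviour is an assumption taken from Azure's documentation of the feature rather than something stated in the thread. The script expands the poster's policy into those pairs and diffs them against a constructed Cisco ASA access-list in which only 10.0.1.0/24 appears; the remote prefix 30.0.0.0/23 stands in for the redacted 30.**.**.0/23, and the ACL name AZURE-VPN is invented.

```python
"""Expand an Azure connection's trafficSelectorPolicies into per-prefix-pair
selectors and compare them with a Cisco ASA crypto-map access-list.

Added example, not code from the original post.  Assumption: with
usePolicyBasedTrafficSelectors=true the gateway negotiates one IPsec SA per
(local prefix, remote prefix) pair and the peer must carry an exactly
matching selector for each pair.  Both inputs below are constructed samples.
"""
import ipaddress
import itertools
import json
import re

# Constructed sample: the poster's trafficSelectorPolicies, with the redacted
# remote range replaced by the placeholder 30.0.0.0/23 (assumption).
CONNECTION_JSON = """
{
  "properties": {
    "usePolicyBasedTrafficSelectors": true,
    "trafficSelectorPolicies": [
      {"localAddressRanges": ["10.0.1.0/24", "10.0.2.0/24"],
       "remoteAddressRanges": ["30.0.0.0/23"]}
    ]
  }
}
"""

# Constructed sample ASA crypto ACL (name AZURE-VPN is invented): only one of
# the two Azure subnets is listed, which is the symptom described in the post.
ASA_ACL = """
access-list AZURE-VPN extended permit ip 30.0.0.0 255.255.254.0 10.0.1.0 255.255.255.0
"""

# Plain 'permit ip <src> <mask> <dst> <mask>' ACEs only; object-group forms
# are not parsed by this example.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def expected_selectors(connection_json: str) -> set:
    """Return {(azure_prefix, onprem_prefix)} for every pair Azure proposes."""
    props = json.loads(connection_json)["properties"]
    if not props.get("usePolicyBasedTrafficSelectors"):
        # Route-based without policy selectors: a single any-to-any SA.
        return {("0.0.0.0/0", "0.0.0.0/0")}
    pairs = set()
    for policy in props["trafficSelectorPolicies"]:
        for local, remote in itertools.product(
            policy["localAddressRanges"], policy["remoteAddressRanges"]
        ):
            pairs.add((str(ipaddress.ip_network(local)),
                       str(ipaddress.ip_network(remote))))
    return pairs


def asa_selectors(acl_text: str) -> set:
    """Parse ACEs into (azure_prefix, onprem_prefix) tuples.

    On the ASA the ACL source is the on-prem side and the destination is the
    Azure side, so the tuple is flipped to match Azure's local/remote view.
    """
    pairs = set()
    for line in acl_text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src, src_mask, dst, dst_mask = m.groups()
        onprem = ipaddress.ip_network(f"{src}/{src_mask}")
        azure = ipaddress.ip_network(f"{dst}/{dst_mask}")
        pairs.add((str(azure), str(onprem)))
    return pairs


def missing_on_asa(connection_json: str, acl_text: str) -> set:
    """Selector pairs Azure will propose that the ASA ACL does not cover."""
    return expected_selectors(connection_json) - asa_selectors(acl_text)


if __name__ == "__main__":
    for azure, onprem in sorted(missing_on_asa(CONNECTION_JSON, ASA_ACL)):
        print(f"no ACE on the ASA for Azure {azure} <-> on-prem {onprem}")
```

Run against the sample input it reports the one uncovered pair (10.0.2.0/24 to 30.0.0.0/23). On the real ASA, `show crypto ipsec sa` lists the local and remote identities of each SA that was actually negotiated, which is the quickest way to confirm which pairs came up.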


  2. Thales Claro 1 Reputation point
    2021-04-10T02:01:48.477+00:00

    Hi @SaiKishor-MSFT

    Thanks for the feedback. Currently I do have policy-based selectors enabled, as you can see on line 23, and selector policies between lines 36 and 46. At the moment, no progress has been made.