Redundant VPN over Expressroute private peering - packet loss issue

Mateen Baig 71 Reputation points

I have configured two VPN connections over ExpressRoute private peering with private IPs using BGP. VPN connection: from router 1 loopback 1 and router 2 loopback 2 to Azure VPN gateway private IP X.X.X.6. BGP: from router 1 loopback 1 and router 2 loopback 2 to Azure VPN gateway BGP peer IP X.X.X.62. BGP is configured making router 2 the backup using BGP AS-path. The ExpressRoute interfaces are in their own VRF, allowing only VPN traffic through. More specific routes are advertised through the VPN.

  • Failover from router 1 to 2 and back works fine with ExpressRoute.
  • Failover works fine with ExpressRoute and 1 VPN connection.
  • Failover works fine with ExpressRoute and 2 VPN connections, but there is data loss.
  • There is data loss when both VPNs are connected.

The issue is that when both VPNs are connected there is packet loss from Azure to on-prem. It looks like some traffic is sent on the backup tunnel even though BGP AS-path is configured. @KapilAnanth-MSFT any suggestions?

1 answer

  1. KapilAnanth-MSFT 28,021 Reputation points Microsoft Employee

    @Mateen Baig

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I shall summarize our discussion and post it as an answer.

    Kindly Accept the answer, as this can be beneficial to other community members and close this thread.

    • You have a VPN Gateway in Active-Passive mode.
    • And two VPN devices/tunnels that originate from the OnPrem.
    • And these tunnels are built over the ExR Private Peering, making use of the VPN Gw private IPs.
    • It appears that there is a traffic loss when both the VPN Tunnels are connected simultaneously.

    Azure always honors BGP path prepend and as such, should only prefer one tunnel which has a shorter path.

    To isolate the issue,

    Please go for a packet capture at both Azure VPN Gateway and OnPrem device and isolate where the traffic is being sent to the secondary tunnel.

    • Start a continuous tcpping or ICMP ping from OnPrem to Azure.
    • Then start the capture.
    • Check if the packets are being sent via the primary tunnel or secondary tunnel - This should confirm if the OnPrem is honoring the primary tunnel or secondary tunnel.
    • Similarly, you can check from Azure side as well.

    You wanted to know what address range needs to be set in the LNG Address space.

    • Local Network Gateways on both the VPN connections need to have the same address prefixes, which represent the on-prem networks.
    • It's better to leave the address prefixes empty when using BGP.
    • The BGP will automatically advertise the routes between the tunnels.
    • Configure BGP for VPN Gateway



    Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.

    Here is how

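One way to read the captures from the isolation steps in the answer, as an added example that is not part of the original thread: count ESP packets per tunnel and per direction, and report any direction where the backup tunnel carries traffic while the primary is also in use. The gateway and loopback addresses and the sample lines are constructed, and the parser assumes `tcpdump -n` text output with native ESP (no NAT-T encapsulation).

```python
import re
from collections import Counter

# Constructed addresses (assumptions, not values from the thread).
AZURE_GW = "10.0.0.6"                                        # VPN gateway private IP
TUNNELS = {"192.0.2.1": "primary", "192.0.2.2": "backup"}    # router loopbacks

# One ESP packet as printed by `tcpdump -n`.
ESP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)"
)

# Constructed sample capture: one Azure-to-on-prem packet uses the backup tunnel.
SAMPLE = """\
12:00:01.000100 IP 192.0.2.1 > 10.0.0.6: ESP(spi=0xc1a0b2d3,seq=0x1a), length 136
12:00:01.002300 IP 10.0.0.6 > 192.0.2.1: ESP(spi=0x7f3e9a10,seq=0x2b), length 136
12:00:02.000150 IP 192.0.2.1 > 10.0.0.6: ESP(spi=0xc1a0b2d3,seq=0x1b), length 136
12:00:02.002900 IP 10.0.0.6 > 192.0.2.2: ESP(spi=0x55aa01ff,seq=0x7), length 136
12:00:03.000120 IP 192.0.2.1 > 10.0.0.6: ESP(spi=0xc1a0b2d3,seq=0x1c), length 136
12:00:03.002100 IP 10.0.0.6 > 192.0.2.1: ESP(spi=0x7f3e9a10,seq=0x2c), length 136
12:00:03.500000 IP 192.0.2.1 > 10.0.0.6: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

def tunnel_usage(lines):
    """Count ESP packets per (direction, tunnel); non-ESP lines are skipped."""
    counts = Counter()
    for line in lines:
        m = ESP_LINE.search(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if src == AZURE_GW and dst in TUNNELS:
            counts[("azure->onprem", TUNNELS[dst])] += 1
        elif dst == AZURE_GW and src in TUNNELS:
            counts[("onprem->azure", TUNNELS[src])] += 1
    return counts

def directions_using_backup(counts):
    """Directions where the backup tunnel carries traffic alongside the primary."""
    return sorted(d for (d, t), n in counts.items()
                  if t == "backup" and n and counts.get((d, "primary"), 0))

if __name__ == "__main__":
    usage = tunnel_usage(SAMPLE)
    for key in sorted(usage):
        print(key, usage[key])
    print("backup in use while primary active:", directions_using_backup(usage))
```

Running the same count over a capture taken on each side shows which end is choosing the backup tunnel for a given direction.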