One of the IP addresses for the P2S VPN does not work.

Chris Musgrave 0 Reputation points
2023-06-07T11:38:37.3266667+00:00

I have set up an Azure VWAN, with a P2S VPN gateway, with AzureAD Authentication.

This works fine, half the time.

Digging into packet captures, for about half the connection attempts we are getting HTTP/400 error returns when attempting to connect to the P2S VPN Gateway.

When the AzureVPN client tries the connection it performs a DNS query for the virtual hub P2S VPN gateway address which resolves to a traffic manager domain address.

It seems Azure / Traffic Manager's DNS server is giving out 2 different IP addresses for our VPN gateway; one connects fine, the other seems to always return the HTTP/400 error. I assume the 2 IP addresses are because the gateway is set up to use availability zones (as is standard for VPN gateways associated with Virtual WANs).

I have tried resetting the P2S VPN Gateway and the Virtual Hub, neither of which fixed the issue of the 2nd IP address returning the HTTP/400 error.

Is there a way to prevent the 2nd IP address from being returned by the Traffic Manager DNS query, or to find out why the 2nd IP address returns the error?

Do I need to delete the P2S VPN gateway and create a new one?

We do not have an S2S VPN GW enabled on this Virtual WAN (it may have been removed after the Virtual WAN was created).

Tags: Azure Virtual WAN, Azure VPN Gateway, Azure Traffic Manager

1 answer

  1. KapilAnanth-MSFT 35,246 Reputation points Microsoft Employee
    2023-06-08T04:59:39.1733333+00:00

    Hi @Chris Musgrave

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I believe this is happening because you have downloaded the global profile client configuration from the vWAN and not from the Hub (of that region).

    Refer: Generate client configuration files | Global vs Hub

    There are two different types of configuration profiles that you can download: global and hub. The global profile is a WAN-level configuration profile. When you download the WAN-level configuration profile, you get a built-in Traffic Manager-based User VPN profile. When you use a global profile, if for some reason a hub is unavailable, the built-in traffic management provided by the service ensures connectivity (via a different hub) to Azure resources for point-to-site users.

    To download the Hub profile: Download a hub VPN profile

    Can you please re-download the client configuration from the vHub and not the vWAN and see if this error is reproducible?

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
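As an added troubleshooting example (not code from this thread or from Microsoft), the script below resolves the gateway FQDN to all of its addresses and probes each one directly while keeping the FQDN as TLS SNI and HTTP Host, so the address that answers HTTP/400 can be isolated before and after switching from the global to the hub profile. The hostname in it is a constructed placeholder, and because it sends a plain GET rather than the VPN client's real handshake, the useful signal is the two addresses diverging, not any particular status code.

```python
"""Probe each IP behind a P2S gateway FQDN separately.
Added diagnostic example, not code from this thread or from Microsoft.
The FQDN under __main__ is a constructed placeholder."""
import socket
import ssl
from typing import Callable, Dict, List

def resolve_all(fqdn: str) -> List[str]:
    """Every IPv4 address the name resolves to (the CNAME chain is followed)."""
    infos = socket.getaddrinfo(fqdn, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe_https(ip: str, fqdn: str, timeout: float = 5.0) -> int:
    """Dial one IP, keep the FQDN as SNI/Host, return the HTTP status of GET /."""
    ctx = ssl.create_default_context()
    req = f"GET / HTTP/1.1\r\nHost: {fqdn}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        # server_hostname drives SNI and the certificate name check
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            tls.sendall(req)
            status_line = tls.recv(4096).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])  # b"HTTP/1.1 400 Bad Request" -> 400

def probe_all(fqdn: str,
              resolver: Callable[[str], List[str]] = resolve_all,
              prober: Callable[[str, str], int] = probe_https) -> Dict[str, int]:
    """Map each resolved IP to its status; -1 marks a connect/TLS failure."""
    results: Dict[str, int] = {}
    for ip in resolver(fqdn):
        try:
            results[ip] = prober(ip, fqdn)
        except (OSError, ValueError, IndexError):
            results[ip] = -1
    return results

def group_by_status(results: Dict[str, int]) -> Dict[int, List[str]]:
    """Group IPs by status. More than one group means the backends diverge,
    the symptom in the thread; no single 'healthy' code is assumed because a
    bare GET need not return 200 even on a working gateway."""
    groups: Dict[int, List[str]] = {}
    for ip, status in sorted(results.items()):
        groups.setdefault(status, []).append(ip)
    return groups

if __name__ == "__main__":
    name = "example-hub.vpn.azure.invalid"  # constructed placeholder, not real
    for status, ips in group_by_status(probe_all(name)).items():
        print(f"HTTP {status}: {', '.join(ips)}")
```

Run it once with the global profile's FQDN and once with the hub profile's FQDN; a single status group on the hub name while the global name splits into two groups supports the explanation in the answer.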