Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,693 questions
Strange Problem when replacing VPN Gateway with NVA (IPsec tunnel to on-prem) and App service VNET integration
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 86%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZS%3C/text%3E%3C/svg%3E)
Zarko Sokolov
0
Reputation points
Hello,
i got very strange problem in process of replacing Azure VPN gateway with NVA.
VPN gateway is used for IPsec tunnel to enable communication between App Service with enabled VNET integration and on-premise Windows Server.
Process was this:
Deployed and configured NVA and corresponding IPSec tunnel.
Created new tunnel on on-prem Firewall
Disabled old tunnel (vpngateway <-> on-prem FW)
Enabled New tunnel (NVA <-> on-prem FW)
Added Routing table on subnet delegated to Microsoft.Web/serverFarms (App Service)
Communication was established between App Service and on-prem Server using New tunnel(nva<->on-prem FW)
Started Process of removing Azure VPN Gateway, Removed ipsec connection,. Removed Local Network Gateway and finally VPN Gateway itself
Traffic flow from App Service thru IPSec tunnel (nva<->on-prem FW) Stopped! connection tracking in nva not showing any communication, tcpping in kudu cmd showing time out!
Deployed new Azure Gateway, Traffic flow started again thru ipsec tunnel (nva<->on-prem FW).
What i am missing in process of removing VPN Gateway but keeping traffic flowing ?
Thanks
Zarko Sokolov
{count} votes
-
KapilAnanth-MSFT 49,021 Reputation points Microsoft Employee2024-02-01T13:06:05.6033333+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Per your verbatim, this looks like an issue from configuring the 3rd party NVA.
Before checking connectivity from VNET Integrated App Service to the OnPrem servers,
- You must validate this via a VM in Azure to the OnPrem servers
- Please test the connectivity from a testVM in the same VNET as the VNET Integrated App Service to the OnPrem servers.
- And confirm if this is working or not.
Cheers,
Kapil
-
Zarko Sokolov 0 Reputation points
2024-02-01T13:24:16.2466667+00:00 Hello @KapilAnanth-MSFT
should i remove VPN Gateway and test connectivity?
i don't understand how existence of VPN Gateway don`t produce this situation. -
KapilAnanth-MSFT 49,021 Reputation points Microsoft Employee
2024-02-01T13:47:50.79+00:00 Existence of VPN gateway means the traffic is flowing via the VPN Gateway.
Can you confirm,
- When both VPN Gateway (with Tunnel connected to the OnPREM) and your NVA ( with a tunnel of it's own connected to OnPrem) co-exists,
- is the connectivity fine?
- The connectivity is fine only with Azure VPN Gateway Tunnel. i.e., NVA Tunnel does not exist.
- is connectivity fine
- When both VPN Gateway (with Tunnel connected to the OnPREM) and your NVA ( with a tunnel of it's own connected to OnPrem) co-exists,
-
KapilAnanth-MSFT 49,021 Reputation points Microsoft Employee
2024-02-02T12:51:44.31+00:00 May I know if you got a chance to review my previous comment?
Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.
Thanks,
Kapil
-
Zarko Sokolov 0 Reputation points
2024-02-02T16:18:11.6966667+00:00 Hello @KapilAnanth-MSFT
this is client production environment and can`t be modified without approval.about your question,
this scenario works,- VPN Gateway with configured IPSec tunnel to on-prem Firewall. NVA IPSec tunnel disabled.
- NVA with configured IPSec tunnel to on-prem Firewall, VPN Gateway exist in VNET but IPSec tunnel disabled on on-prem Firewall.
this scenario dont work,
- NVA with configured IPSec tunnel to on-prem Firewall, VPN Gateway removed from subscription, also local network gateway removed.
thanks
-
KapilAnanth-MSFT 49,021 Reputation points Microsoft Employee
2024-02-07T05:23:20.4+00:00 This is indeed strange.
As next Steps, you should check the VM effective routes for the below scenarios.
- NVA with configured IPSec tunnel to on-prem Firewall, VPN Gateway removed from VNET (non - working)
- NVA with configured IPSec tunnel to on-prem Firewall, VPN Gateway still exists in VNET but there is no S2S Connection from this VPN Gw. (working)
To check effective VM Routes,
- See : Diagnose a virtual machine routing problem
- I am interested in the traffic/address space of the OnPrem and the corresponding nextHop type.
NOTE : As said earlier, using a VM for testing would help us arrive at conclusions faster. Post this, we can test for VNET Integrated App Service.
Thanks.
Kapil
-
Zarko Sokolov 0 Reputation points
2024-02-15T09:07:25.5033333+00:00 Hello Kapil, idea of checking routes is not posible as subnet is linked to web server farms and doesnt give option to attach vm nic. i am waiting for maintenance window from client to test scenario u proposed.
tnx -
KapilAnanth-MSFT 49,021 Reputation points Microsoft Employee
2024-02-16T05:17:10.8233333+00:00 Thanks for letting me know.
If possible, please test it with a TestVM in a TestSubnet in the same VNET. (not the one delegated to the web server farms).
Cheers,
Kapil
Sign in to comment
Sign in to answer