Azure Virtual WAN
An Azure virtual networking service that provides optimized and automated branch-to-branch connectivity.
188 questions
Virtual WAN with Cisco two VTI
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 38%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENA%3C/text%3E%3C/svg%3E)
Nikoloz Abuashvili
0
Reputation points
I have an implementation of Azure Cloud utilizing Virtual WAN for interconnection with on premise.
I'm using Virtual WAN, from virtual HUB -> VPN(Site-to-Site) trying to connect to on-premise Cisco router.
There are two virtual gateways on azure side:
instance-0 (10.103.0.13)
instance-1 (10.103.0.12)
On-premise side I have router with loopback-address: 172.22.12.141
it's a bgp source address
1 bgp peering is 10.103.0.13 <-> 172.22.12.141
2 bgp peering is 10.103.0.12 <-> 172.22.12.141
My problem is with VTI tunnels over IPSEC, looks like it is impossible to figure out an exact ip address for that Tunnel to use on premise, If I take an IP address from Hub private address space (10.103.0.0/23), for example 10.103.0.102/23 for the vti interface-1, than BGP is UP just one peering (10.103.0.13 <-> 172.22.12.141)
On the second VTI interface it is impossible to assign IP from same IP-range (10.103.0.0/23) due to subnet mask limitation.
At this point i fall into condition where there is no documentation regarding addressing of second VTI tunnel nor a configuration file which i have downloaded has an ip address described, to move further with implementation i need a bit of help.
{count} votes
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee2024-03-06T11:36:40.5366667+00:00 Hello @Nikoloz Abuashvili ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you are trying to setup a site-to-site VPN from Azure Virtual Hub to your on-premises Cisco dual VTI VPN device and the BGP is coming UP for just one peering.
The Azure Virtual WAN documentation for Branch IPsec connectivity partners has Cisco Meraki listed with the below deployment guide from Cisco:
This Cisco deployment guide states the below:
I'm not quite sure which Cisco device you are using but as this question is more inclined towards to configuration on the Cisco device, I would suggest reaching out to the Cisco experts/community for further assistance.
https://community.cisco.com/t5/sd-wan-and-cloud-networking/bd-p/discussions-sd-wan
Regards,
Gita
-
Nikoloz Abuashvili 0 Reputation points
2024-03-06T12:19:41.63+00:00 The question is not about Cisco router configuration , the question is about Azure Wan-hub-VPN (site-to-site) configuration possibilities.
The problem is that Azure is provisioning us with one /23 network described in hub private address space for two peerings and it is imposible to have two perings on one device on our side (which i have mentioned above in our case is cisco router).
So far the conclusion is that it is not possible to have two vpn interconnections from one on-premise cisco router to Azure Wan-hub-VPN (Site to site)?
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2024-03-07T13:00:09.89+00:00 You mentioned "There are two virtual gateways on azure side", but I assume you mean to say 1 virtual wan vpn gateway which has 2 active instances. Please validate this.
You also mentioned "My problem is with VTI tunnels over IPSEC, looks like it is impossible to figure out an exact IP address for that Tunnel to use on premise", which setting, or VPN device configuration are you referring to here?
As per Azure Virtual WAN doc,
IP addresses of the virtual hub vpngateway. Because each vpngateway connection is composed of two tunnels in active-active configuration, you'll see both IP addresses listed in this file. In this example, you see "Instance0" and "Instance1" for each site.
Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-site-to-site-portal#config-file
For more information on the Azure Virtual WAN VPN Gateway configuration options, please refer the below doc:
https://github.com/hsze/VWAN-VPNGW
Regards,
Gita
-
Nikoloz Abuashvili 0 Reputation points
2024-03-12T05:58:06.7633333+00:00 Yes, I have one Virtual WAN with one Hub, one VPN site to site with two gateway instances.
PUBLIC "IP addresses": {
"Instance0": "20.218.X.X",
"Instance1": "20.218.X.X"
}
And
"BgpPeeringAddresses": {
"Instance0": "10.103.0.13",
"Instance1": "10.103.0.12"
}
Above private IP addresses are for Azure BGP peering, there are no additional IP addresses in the file for my side, but from the BGP configuration I know that on my side there is only one IP address for BGP peering.
"BgpPeeringAddress": "172.22.13.141"
for example this could be a Loopback for BGP peering with instances 0–1.
So where are the VTI tunnel IP addresses on my end?
how can I take two IP addresses from the same range 10.103.0.0?
connect two peers?
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2024-03-14T12:44:30.2333333+00:00 Hello @Nikoloz Abuashvili ,
Apologies for the delay in response.
Wrt "So where are the VTI tunnel IP addresses on my end? how can I take two IP addresses from the same range 10.103.0.0?"
- We are not aware of the terminologies used here.
- As you can see, we have two BGP IP Addresses 10.103.0.12 and 10.103.0.13
- You should be able to use a single device (On-premises) to establish two BGP Connections to VPN gateway as long as the on-prem device supports it i.e.,
172.22.13.141 to 10.103.0.12
172.22.13.141 to 10.103.0.13
- Refer: About Highly Available gateway configurations - Azure VPN Gateway | Microsoft Learn and https://github.com/hsze/VWAN-VPNGW
Using BGP with two active-active tunnels on both sides have some requirements on the on-premises VPN appliance. You need to validate whether your on-premises VPN device can run BGP over two tunnels over one public IP address. If not, you would need a second public IP address on a second WAN interface.
Like I mentioned above, VPN devices such as Cisco Meraki and Cisco ASA does not support Equal Cost Multipath and therefore cannot have 2 VPN tunnels to the same destination (private subnet). They don't support looping back to 2 BGP peering addresses in Azure over a single public IP.
Regards,
Gita
-
Nikoloz Abuashvili 0 Reputation points
2024-03-15T10:05:15.79+00:00 Hello,
If the VPN-VTI terminology is not familiar for Microsoft, then there is no point in continuing the discussion, I do not have a Cisco Meraki, not a Cisco ASA, I have a Cisco router, It's a simplest device that can build a tunnel, VPN or BGP. I somehow already solved my problem, but I think it’s not logical and it shouldn’t be that way. I didn’t receive an answer from you either, just some links to documentation that was not clear and not full. Virtual WAN does not have any normal documentation for network, there are no normal examples anywhere, other providers such as AWS, Oracle Cloud or Google Cloud, have a lot of examples, everything is intuitive and clear on the network part.
Thank you for your support
-
Nikoloz Abuashvili 0 Reputation points
2024-03-15T10:06:05.0566667+00:00 Hello,
If the VPN-VTI terminology is not familiar for Microsoft, then there is no point in continuing the discussion, I do not have a Cisco Meraki, not a Cisco ASA, I have a Cisco router, It's a simplest device that can build a tunnel, VPN or BGP. I somehow already solved my problem, but I think it’s not logical and it shouldn’t be that way. I didn’t receive an answer from you either, just some links to documentation that was not clear and not full. Virtual WAN does not have any normal documentation for network, there are no normal examples anywhere, other providers such as AWS, Oracle Cloud or Google Cloud, have a lot of examples, everything is intuitive and clear on the network part.
Thank you for your support
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2024-03-15T12:45:21.2566667+00:00 Apologies for the inconvenience caused.
I will work internally with the Azure Virtual WAN Product Group team to update the documents to add more information.
I'm glad to hear that you were able to solve the issue.
Regards,
Gita
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 82%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESZ%3C/text%3E%3C/svg%3E)
Sergey Zubov 0 Reputation points2024-04-16T10:01:30.9266667+00:00 @Nikoloz Abuashvili , Hello.
How have you fixed this issue? asking this ,because is facing with the same problem.....
Thanks in advance!
Sign in to comment