Hi @Meissner, Glenn,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
We have understood that you want to create a Site-to-Site VPN connection from On-Prem to Azure.
Please cross-verify the steps below once again while setting up an Azure Site-to-Site VPN:
- On the Azure side you need to deploy a VNet and a gateway subnet; in that gateway subnet, deploy a VPN gateway.
- Next, you need to configure a Local Network Gateway by providing the public IP and the local LAN IP range.
- Next, configure a remote access server on-prem by providing the VPN public IP and the VNet IP range.
- Next, create a connection between the VPN gateway and the Local Network Gateway, and provide the pre-shared key in both environments.
- Finally, configure a static route on the on-prem network interface.
- After that, the on-prem resources can communicate with Azure; you can connect to the VM by using its private IP through the VPN.
For your reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
Please have a look at the below troubleshooting steps:
- Please check whether both devices are online. Go to Security & SD-WAN > Monitor > VPN status page for each side's Dashboard network.
- On the remote side's Dashboard network, navigate to Security & SD-WAN > Configure > Site-to-site VPN. Under Local networks, make sure the Use VPN toggle is set to Yes for the subnet you're trying to reach. You should also check these settings on your local site's Dashboard network to ensure that the subnet you're connecting from is also advertised.
- If using a full tunnel configuration, bear in mind that when specifying a prefix to be part of a VPN, everything covered by that prefix will be allowed in the VPN. Therefore, subnets that overlap will cause traffic in a more specific subnet to be sent through the VPN, even if it is not configured to be included in the VPN. For example, if 10.0.0.0/16 is configured to be included in the VPN but 10.0.1.0/24 is not, traffic sourced from 10.0.1.50 will still be sent over the VPN.
- In addition to any non-Meraki firewalls on the network that may be blocking this traffic, check the Security & SD-WAN > Configure > Site-to-site VPN > Organization-wide settings section to see if there are any Site-to-site outbound firewall rules.
- If the WAN Appliance is not the only gateway in the network (e.g. the WAN Appliance is connected to a layer 3 switch or router with its own directly connected networks), any devices that are not using the WAN Appliance as their gateway will need their traffic routed to the WAN Appliance in order to send traffic across the VPN. Make sure any other routing devices on the network have a route that allows them to access the remote VPN subnets via the WAN Appliance's local IP address.
- If the device on each end is on a subnet that overlaps with the other side, the WAN Appliance will be unable to route traffic to the other side as it will believe the traffic is destined for the local network. It is recommended to have unique subnets with no overlap on each network connected to the VPN.
Please go through the document: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#devicetable:~:text=Cisco-,Meraki%20(MX),-MX%20v15.12
Kindly let us know if the above helps or you need further assistance on this issue.
If this answers your query, I would appreciate it if you could accept the response as an "Accept Answer" and "Upvote it" so that it can help other members of the community who may be experiencing similar challenges.
Thanks,
Sai Prasanna.
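As an added example that is not part of the answer above (and not Microsoft's or Meraki's code), here is a small Python pre-flight check for the address plan behind a Site-to-Site VPN. It implements two of the troubleshooting points from the answer: overlapping subnets between the on-prem side and the VNet (the appliance then treats the far side as local and never tunnels it), and the full-tunnel case where a broader VPN prefix silently carries a subnet you meant to exclude. A longest-prefix-match helper shows which way a given destination would be routed. Every prefix in it is a constructed sample value; substitute your own VNet address space and advertised on-prem subnets.

```python
"""Pre-flight check of the address plan for an Azure Site-to-Site VPN.

Added example, not code from the Q&A answer or from Microsoft/Meraki. The
prefixes below are constructed sample input: replace them with your VNet
address space, the on-prem subnets advertised through the tunnel, and any
subnets you deliberately keep out of a full-tunnel VPN.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple


def parse(prefixes: Sequence[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings strictly, so a host address like 10.1.0.5/24 is rejected."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def find_overlaps(local_prefixes: Sequence[str],
                  remote_prefixes: Sequence[str]) -> List[Tuple[str, str]]:
    """Pairs of (local, remote) prefixes whose ranges overlap.

    An overlap means the appliance treats the other side's addresses as
    directly connected and never forwards them into the tunnel.
    """
    return [(str(loc), str(rem))
            for loc in parse(local_prefixes)
            for rem in parse(remote_prefixes)
            if loc.overlaps(rem)]


def hidden_in_vpn(vpn_prefixes: Sequence[str],
                  excluded_prefixes: Sequence[str]) -> List[Tuple[str, str]]:
    """Subnets meant to stay out of the VPN that a broader VPN prefix still covers.

    Full-tunnel caveat from the answer: if 10.0.0.0/16 is in the VPN,
    10.0.1.0/24 is carried over the tunnel whether or not it is listed.
    """
    vpn = parse(vpn_prefixes)
    return [(str(ex), str(v))
            for ex in parse(excluded_prefixes)
            for v in vpn
            if ex.subnet_of(v)]


def classify_destination(dst: str, local_prefixes: Sequence[str],
                         remote_prefixes: Sequence[str]) -> Tuple[str, Optional[str]]:
    """Longest-prefix match of dst against directly connected ('local') and
    VPN-advertised ('vpn') prefixes; ('default', None) if neither matches.

    On an exact tie (same prefix on both sides) the local entry wins, which is
    the failure mode the answer describes for overlapping subnets.
    """
    ip = ipaddress.ip_address(dst)
    best: Tuple[str, Optional[str]] = ("default", None)
    best_len = -1
    for kind, prefixes in (("local", local_prefixes), ("vpn", remote_prefixes)):
        for net in parse(prefixes):
            if ip in net and net.prefixlen > best_len:
                best, best_len = (kind, str(net)), net.prefixlen
    return best


def check_plan(vnet_prefixes: Sequence[str], onprem_prefixes: Sequence[str],
               onprem_excluded: Sequence[str] = ()) -> List[str]:
    """Collect human-readable problems for an address plan; an empty list means OK."""
    problems = []
    for local, remote in find_overlaps(onprem_prefixes, vnet_prefixes):
        problems.append(f"on-prem {local} overlaps VNet {remote}: renumber one side")
    for excluded, covering in hidden_in_vpn(onprem_prefixes, onprem_excluded):
        problems.append(f"{excluded} is excluded but still tunnelled via {covering}")
    return problems


if __name__ == "__main__":
    VNET = ["10.1.0.0/16"]                          # constructed Azure VNet address space
    ONPREM_OK = ["192.168.10.0/24", "192.168.20.0/24"]
    ONPREM_BAD = ["10.1.5.0/24", "10.0.0.0/16"]     # first entry collides with the VNet
    EXCLUDED = ["10.0.1.0/24"]                      # meant to stay off the tunnel
    for plan in (ONPREM_OK, ONPREM_BAD):
        print(plan, "->", check_plan(VNET, plan, EXCLUDED) or ["no problems found"])
    # Where would a packet to an Azure VM in the colliding range actually go?
    print("10.1.5.50 ->", classify_destination("10.1.5.50", ONPREM_BAD, VNET))
```

Run it before creating the Local Network Gateway and the Meraki "Local networks" entries: an empty problem list for both sides is the precondition the troubleshooting list assumes, and `classify_destination` tells you whether a given VM address will leave via the tunnel or be swallowed by a local route.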