Azure VPN with Azure Traffic Manager

Question

Azure VPN with Azure Traffic Manager

Saurabh Jain 6

Hi,

Does anyone have any information about deploying Azure Traffic manager for Azure VPN P2S connections created at 2 different locations.
We have successfully configured P2S connections on 2 different Azure region and both are able to connect from client machine separately but when we try Azure Traffic manager to load balance the traffic based on performance, the clients refuse to connect to VPN and error shown as below.

Application event log shows below error:

KapilAnanth-MSFT 11,611 Reputation points Microsoft Employee

2022-08-18T06:15:08.407+00:00

Hi @Saurabh Jain ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to load balance P2S VPN connectivity using Traffic Manager.

As mentioned by @Tristan McCosker , you will be required to use the FQDN for connecting to Azure VPN.
You can explore the other methods suggested by Tristan.

Please let me know if you would require more information.

Thanks,
Kapil
Eric Lim 1 Reputation point

2022-10-18T07:27:15.08+00:00

Will this be workable if the P2S authentication is Radius or Azure AD and not certificate?
KapilAnanth-MSFT 11,611 Reputation points Microsoft Employee

2022-10-18T07:33:48.55+00:00

Hi @Eric Lim ,

No, authentication does not impact the FQDN mismatch issue.
Even with Radius or Azure AD authentication, we will be having the same challenge.

Thanks,
Kapil

KapilAnanth-MSFT 11,611 Reputation points Microsoft Employee

2022-08-18T06:15:08.407+00:00

Hi @Saurabh Jain ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to load balance P2S VPN connectivity using Traffic Manager.

As mentioned by @Tristan McCosker , you will be required to use the FQDN for connecting to Azure VPN.
You can explore the other methods suggested by Tristan.

Please let me know if you would require more information.

Thanks,
Kapil
Eric Lim 1 Reputation point

2022-10-18T07:27:15.08+00:00

Will this be workable if the P2S authentication is Radius or Azure AD and not certificate?
KapilAnanth-MSFT 11,611 Reputation points Microsoft Employee

2022-10-18T07:33:48.55+00:00

Hi @Eric Lim ,

No, authentication does not impact the FQDN mismatch issue.
Even with Radius or Azure AD authentication, we will be having the same challenge.

Thanks,
Kapil

Answer 1

Hi,

The error code you are getting (13801) indicates an issue with certificate authentication, Microsoft's documentation says:
"Verify that the VPN client connects by using the FQDN of the VPN server as presented on the VPN server's certificate."
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-troubleshooting

With your configuration, the subjectName on the certificate presented (from the VPN Gateway) will never match the address you are connecting to (TM Front-end). I'm not aware of any way to bypass this check within Windows. You could verify that this is the issue by creating a generic CNAME DNS record which points to the your VPN gateway and attempting to connect to that, I suspect you will get the exact same error.

One thing you could try is adding your Traffic Manager DNS address as a Subject Alternate Name on VPN Gateway Certificate, if you have a custom cert configured.

You may need to use an alternate method to direct end-users to the correct VPN gateway, I'd suggest different MEM/SCCM policies for machines in different locations.

Kind regards,
Tristan

Saurabh Jain 6 Reputation points

2022-08-19T03:49:15.173+00:00

Hi Tristan,

Thanks for the clarification.

Wanted to know how we can use a custom cert configuration because P2S configuration do not give me any option to customize the cert. It only gives me option to download the VPN client configuration and certs are already included with it.

Regards,
Saurabh
KapilAnanth-MSFT 11,611 Reputation points Microsoft Employee

2022-08-19T07:44:33.01+00:00

Hi @Saurabh Jain ,

Hope you got a chance to review my previous comment.

We cannot customize the FQDN(domain) of the VPN Gateway.
The ideal way to achieve your requirement would be to leverage a different mechanism.

One such way I can think of is to use intune to select a particular gateway based on the latency from the client machine.
P.S : This would require both the P2S Configurations to be present in the device.

Please let me know if you need more information.

Thanks,
Kapil.

Azure VPN with Azure Traffic Manager

1 answer

Activity