Azure VPN with Azure Traffic Manager

Saurabh Jain 6 Reputation points
2022-08-17T10:33:49.453+00:00

Hi,

Does anyone have any information about deploying Azure Traffic manager for Azure VPN P2S connections created at 2 different locations.
We have successfully configured P2S connections on 2 different Azure region and both are able to connect from client machine separately but when we try Azure Traffic manager to load balance the traffic based on performance, the clients refuse to connect to VPN and error shown as below.

231974-image.png

Application event log shows below error:

232002-image.png

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,371 questions
Azure Traffic Manager
Azure Traffic Manager
An Azure service that is used to route incoming network traffic for high performance and availability.
110 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Tristan McCosker 1 Reputation point
    2022-08-17T23:57:15.157+00:00

    Hi,

    The error code you are getting (13801) indicates an issue with certificate authentication, Microsoft's documentation says:
    "Verify that the VPN client connects by using the FQDN of the VPN server as presented on the VPN server's certificate."
    https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-troubleshooting

    With your configuration, the subjectName on the certificate presented (from the VPN Gateway) will never match the address you are connecting to (TM Front-end). I'm not aware of any way to bypass this check within Windows. You could verify that this is the issue by creating a generic CNAME DNS record which points to the your VPN gateway and attempting to connect to that, I suspect you will get the exact same error.

    One thing you could try is adding your Traffic Manager DNS address as a Subject Alternate Name on VPN Gateway Certificate, if you have a custom cert configured.

    You may need to use an alternate method to direct end-users to the correct VPN gateway, I'd suggest different MEM/SCCM policies for machines in different locations.

    Kind regards,
    Tristan