https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3814847#M6646 <P>Personally I would create the tunnels and establish BGP neighbourship across it and let the azure end advertise the relevant vnets towards your organisation</P> Wed, 06 Mar 2019 11:17:41 GMT Dennis Mink 2019-03-06T11:17:41Z https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3813599#M6643 <P>Hi we have 5 Site to site VPN's to Microsoft Azure, which are setup as Route based the Azure end, and Policy based VPN on the ASA 5515-x Latest Firmware</P> <P>The site to site VPN's Connect OK and pass traffic Fine but sometimes stop passing traffic, we have to disconnect the VPNs and let them reconnect a few times before they start to pass traffic again.</P> <P>&nbsp;</P> <P>We have been advised too setup route based the ASA end, but i need to know how the ASA is going to determine which VPN to send traffic down when all the Configuration examples we have&nbsp; stat 0.0.0.0/0 for both source and destination</P> <P>&nbsp;</P> <P>Also is this going to have an impact on generally internet Traffic?</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 16:53:39 GMT https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3813599#M6643 twstevensuk 2020-02-21T16:53:39Z https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3813887#M6644 <P>The barebones concept of VTI and tunnel-protection is that any traffic that is routed to the tunnel interface is encrypted and send to the other end. So in your case, you can have 5 VTI interfaces with tunnel-protection enabled. Since they seem to be working using policy based VPN's today, the Azure networks have independent network ranges. All you would have to do is create routes for those networks pointing to the VTI ip address of the other end. Or if you have the ability to run BGP on Azure, this should automatically add routes to the ASA's routing table to send it to the right tunnel.&nbsp;</P> <P>&nbsp;</P> <P>I tried looking for sample configurations with Azure and the closest I could find was this:</P> <P><A href="https://www.geekshangout.com/azure-site-to-site-vpn-with-a-cisco-asa-using-asdm/" target="_blank">https://www.geekshangout.com/azure-site-to-site-vpn-with-a-cisco-asa-using-asdm/</A></P> <P>&nbsp;</P> <P>Hope this helps.&nbsp;</P> Mon, 04 Mar 2019 22:47:45 GMT https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3813887#M6644 Rahul Govindan 2019-03-04T22:47:45Z https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3814457#M6645 <P>Configure a VTI on the ASA, i had the same issue when i created a ipsec IKEV2 tunnel</P> Tue, 05 Mar 2019 19:04:28 GMT https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3814457#M6645 trevstan 2019-03-05T19:04:28Z https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3814847#M6646 <P>Personally I would create the tunnels and establish BGP neighbourship across it and let the azure end advertise the relevant vnets towards your organisation</P> Wed, 06 Mar 2019 11:17:41 GMT https://community.cisco.com/t5/network-security/multi-route-based-vpn-s-to-azure/m-p/3814847#M6646 Dennis Mink 2019-03-06T11:17:41Z