Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1033
Views
0
Helpful
3
Replies

Multi Route Based VPN's to Azure

twstevensuk
Level 1
Level 1

‎03-04-2019 07:30 AM - edited ‎02-21-2020 08:53 AM

Hi we have 5 Site to site VPN's to Microsoft Azure, which are setup as Route based the Azure end, and Policy based VPN on the ASA 5515-x Latest Firmware

The site to site VPN's Connect OK and pass traffic Fine but sometimes stop passing traffic, we have to disconnect the VPNs and let them reconnect a few times before they start to pass traffic again.

 

We have been advised too setup route based the ASA end, but i need to know how the ASA is going to determine which VPN to send traffic down when all the Configuration examples we have  stat 0.0.0.0/0 for both source and destination

 

Also is this going to have an impact on generally internet Traffic?

 

 

0 Helpful
3 Replies 3

Rahul Govindan
VIP Alumni
VIP Alumni

‎03-04-2019 02:47 PM

The barebones concept of VTI and tunnel-protection is that any traffic that is routed to the tunnel interface is encrypted and send to the other end. So in your case, you can have 5 VTI interfaces with tunnel-protection enabled. Since they seem to be working using policy based VPN's today, the Azure networks have independent network ranges. All you would have to do is create routes for those networks pointing to the VTI ip address of the other end. Or if you have the ability to run BGP on Azure, this should automatically add routes to the ASA's routing table to send it to the right tunnel. 

 

I tried looking for sample configurations with Azure and the closest I could find was this:

https://www.geekshangout.com/azure-site-to-site-vpn-with-a-cisco-asa-using-asdm/

 

Hope this helps. 

0 Helpful

trevstan
Level 1
Level 1

‎03-05-2019 11:04 AM

Configure a VTI on the ASA, i had the same issue when i created a ipsec IKEV2 tunnel

0 Helpful

Dennis Mink
VIP Alumni
VIP Alumni

‎03-06-2019 03:17 AM

Personally I would create the tunnels and establish BGP neighbourship across it and let the azure end advertise the relevant vnets towards your organisation

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card