03-04-2019 07:30 AM - edited 02-21-2020 08:53 AM
Hi, we have 5 site-to-site VPNs to Microsoft Azure, which are set up as route-based on the Azure end and as policy-based VPNs on the ASA 5515-X (latest firmware).
The site-to-site VPNs connect OK and pass traffic fine, but sometimes stop passing traffic; we have to disconnect the VPNs and let them reconnect a few times before they start passing traffic again.
We have been advised to set up route-based VPN on the ASA end, but I need to know how the ASA is going to determine which VPN to send traffic down, when all the configuration examples we have state 0.0.0.0/0 for both source and destination.
Also, is this going to have an impact on general internet traffic?
03-04-2019 02:47 PM
The barebones concept of VTI and tunnel-protection is that any traffic that is routed to the tunnel interface is encrypted and sent to the other end. So in your case, you can have 5 VTI interfaces with tunnel-protection enabled. Since they seem to be working using policy-based VPNs today, the Azure networks have independent network ranges. All you would have to do is create routes for those networks pointing to the VTI IP address of the other end. Or, if you have the ability to run BGP on Azure, this should automatically add routes to the ASA's routing table to send it to the right tunnel.
I tried looking for sample configurations with Azure and the closest I could find was this:
https://www.geekshangout.com/azure-site-to-site-vpn-with-a-cisco-asa-using-asdm/
Hope this helps.
03-05-2019 11:04 AM
Configure a VTI on the ASA; I had the same issue when I created an IPsec IKEv2 tunnel.
03-06-2019 03:17 AM
Personally I would create the tunnels and establish a BGP neighbourship across them and let the Azure end advertise the relevant VNets towards your organisation.
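The following ASA configuration is an added example illustrating the VTI-plus-routes approach from the reply above that introduces VTI and tunnel-protection, and the BGP option from the reply just above; it is not configuration posted by anyone in this thread. Every value in it is hypothetical: two Azure gateways at 203.0.113.10 and 203.0.113.20, VNet ranges 10.1.0.0/16 and 10.2.0.0/16, an on-premises LAN of 192.168.10.0/24, VTI link addresses in 169.254.21.0/30 and 169.254.22.0/30, an ASA outside interface named "outside", a local ASN of 65010, and the Azure default ASN of 65515. It is shown for two of the five tunnels; the remaining three follow the same pattern. VTI requires ASA 9.7(1) or later.

```cisco
! Added example, not from the original thread. All addresses, names, ASNs and
! PSK placeholders are hypothetical assumptions.

! IKEv2 / IPsec parameters shared by all Azure tunnels
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ipsec profile AZURE-PROFILE
 set ikev2 ipsec-proposal AZURE-PROPOSAL
 set security-association lifetime seconds 27000

! One tunnel-group per Azure gateway, keyed by the gateway's public IP
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-1>
 ikev2 local-authentication pre-shared-key <PSK-1>
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-2>
 ikev2 local-authentication pre-shared-key <PSK-2>

! One VTI per Azure gateway. There is no crypto map and no traffic-selector
! ACL: whatever the routing table sends out of Tunnel1 is encrypted to
! 203.0.113.10, whatever it sends out of Tunnel2 goes to 203.0.113.20.
interface Tunnel1
 nameif AZURE-VTI1
 ip address 169.254.21.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-PROFILE
interface Tunnel2
 nameif AZURE-VTI2
 ip address 169.254.22.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-PROFILE

! Tunnel selection is purely a routing decision: point only the Azure
! prefixes at the VTIs. The existing default route via "outside" is untouched,
! so general internet traffic keeps leaving the way it does today.
route AZURE-VTI1 10.1.0.0 255.255.0.0 169.254.21.2 1
route AZURE-VTI2 10.2.0.0 255.255.0.0 169.254.22.2 1

! Optional alternative to the static routes above: learn the VNet prefixes
! over BGP. Assumes each Azure gateway is configured with a custom APIPA BGP
! peer address on the VTI link (169.254.21.2 / 169.254.22.2) and ASN 65515.
router bgp 65010
 address-family ipv4 unicast
  neighbor 169.254.21.2 remote-as 65515
  neighbor 169.254.21.2 activate
  neighbor 169.254.22.2 remote-as 65515
  neighbor 169.254.22.2 activate
  network 192.168.10.0 mask 255.255.255.0
```

Two checks worth running after the change: `show route` should list 10.1.0.0/16 and 10.2.0.0/16 via the VTI interfaces (as static routes or, with BGP, as B routes) while 0.0.0.0/0 still points at outside; and `packet-tracer input inside tcp 192.168.10.5 12345 10.1.0.10 443 detailed` should show the egress interface as AZURE-VTI1 and no NAT translation. Because the egress interface for Azure-bound traffic is now the tunnel nameif rather than outside, an existing `nat (inside,outside)` dynamic PAT rule no longer matches that traffic, so the old crypto-map style NAT exemption is normally not needed; if you have PAT rules written with `any` as the egress interface, add an exemption for the VTI nameifs.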