JakobBrandt-0104 asked, msrini-MSFT commented
0 Votes

Route-metric in Azure P2S VPN

We have the following setup in our environment:

- Azure VPN Gateway
- S2S-VPN between the gateway and our on-premises datacentre.
- P2S-VPN between the gateway and clients.

This P2S VPN is configured with AAD-authentication and the VPN profile is assigned to a client via Intune and XML-configuration.

I have attached a stripped down version of our .xml with information that is not sensitive. (azurevpn.xml). It's in the zipped file.


This setup is working overall fine, we add some routes to direct the traffic to the right place.


We also have a management-VPN deployed that some of our employees use to get access to our network equipment and other administrative devices. This is a Cisco Anyconnect VPN.

When connected to both this VPN profile and the Azure VPN, it lets them traverse both the management net and the "customer" net and lets them query DNS in both nets.


The AnyConnect VPN, just like the Azure VPN, has routes assigned to it; when connected, one of these routes gets assigned a metric of 35.

When the P2S-VPN is then connected, it assigns metric 311 to the same route. 311 seems to be the "default" metric on the routes specified in our .xml.

This causes the issues in our case, and we need to assign a metric lower than 35 to the P2S route.


Is there any way to assign a metric to a route that we push with the .xml?


According to the Microsoft Docs here (Create an Intune profile for Azure VPN clients - Azure VPN Gateway | Microsoft Docs), which links to this Docs page https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp, you are able to do this.

However, if we try to add for example "<metric>25</metric>" to the xml, this gets ignored on the client.

I have attached a section of the AzureVpnCxn.log which is stripped of sensitive information where this can be seen.


Please advise.

azure-vpn-gateway

msrini-MSFT answered, msrini-MSFT commented
1 Vote

Hi JakobBrandt-0104,

I am not really sure how you can change the metric from the XML. But I can suggest that you change the metric to a lower value from the interface of the machine at guest OS level.

Once you have modified the metric and pull in the system routes, you should see the Azure route taking precedence.


Ok,
Yes, we can change the route at the OS level with PowerShell/cmd; this does not, however, help the problem, unfortunately.
Since the route is not persistent, it only helps for that particular session. You have to run the same command every time you connect the VPN, which is not a workable solution.

0 Votes 0 ·

Unfortunately you cannot configure the metric parameter via the XML as of today. Please raise a UserVoice request to get that feature added.

As I mentioned earlier, you can control it at the guest OS level, and you can make it persistent by adding -p to the command.

0 Votes 0 ·

Copy that, thanks for the information.

0 Votes 0 ·
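The exchange above amounts to: change the route at the OS level and make it persistent (the `-p` flag of `route add`). As an added example that is not part of the thread, the following PowerShell shows the two pieces a client administrator would want: a check of which route currently wins for a given destination (Windows selects the lowest InterfaceMetric + RouteMetric among equal-length prefixes), and a function that pins a persistent /32 route with a chosen metric on the P2S adapter. The adapter alias `Azure VPN` and the destination `10.0.0.10/32` are placeholders, not values from the thread.

```powershell
# Added example (not from the thread): inspect the competing routes for one destination
# and pin a persistent copy with a low metric on the P2S adapter.
# Placeholders, not values from the thread: the destination and the adapter alias.
$Destination       = '10.0.0.10/32'   # the /32 that both VPN profiles push
$VpnInterfaceAlias = 'Azure VPN'      # alias of the P2S VPN adapter on this client

function Get-EffectiveRoutes {
    param([string]$Prefix)
    # Windows chooses, among routes with the same prefix, the one whose
    # InterfaceMetric + RouteMetric is lowest, so report both parts and the sum.
    Get-NetRoute -DestinationPrefix $Prefix -ErrorAction SilentlyContinue |
        ForEach-Object {
            $if = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
            [pscustomobject]@{
                Interface       = $_.InterfaceAlias
                RouteMetric     = $_.RouteMetric
                InterfaceMetric = $if.InterfaceMetric
                Effective       = $_.RouteMetric + $if.InterfaceMetric
                Store           = $_.Store        # ActiveStore vs PersistentStore
            }
        } | Sort-Object Effective
}

function Set-PinnedVpnRoute {
    param([string]$Prefix, [string]$InterfaceAlias, [int]$Metric)
    # Drop any existing copy of this route on the VPN adapter (the session-only one
    # the client pushed with the default metric), then add it again with the wanted
    # metric. New-NetRoute writes to both the active and the persistent store by
    # default, which is the PowerShell counterpart of "route -p add ... metric N".
    Get-NetRoute -DestinationPrefix $Prefix -InterfaceAlias $InterfaceAlias -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    New-NetRoute -DestinationPrefix $Prefix -InterfaceAlias $InterfaceAlias -RouteMetric $Metric
}

'Before:'
Get-EffectiveRoutes -Prefix $Destination | Format-Table -AutoSize

Set-PinnedVpnRoute -Prefix $Destination -InterfaceAlias $VpnInterfaceAlias -Metric 1

'After:'
Get-EffectiveRoutes -Prefix $Destination | Format-Table -AutoSize
```

Run it elevated while the P2S tunnel is up, so the adapter alias resolves. The "Before" table makes the 35 vs 311 situation from the question visible in one place, including the interface metric that is added on top of the route metric; the "After" table should show the pinned route listed first. Because the route is in the persistent store, it is re-applied whenever the adapter comes back, which is the part the session-only `route add` was missing.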
JakobBrandt-0104 answered, JakobBrandt-9660 commented
0 Votes

The zipped file didn't get attached, here it is (both log and xml in the same file): 93233-azurevpn.xml



azurevpn.xml (6.0 KiB)

@JakobBrandt-0104 Upon some investigation, I do not think adding a route with a lower metric would work; rather, please try adding a more specific route and I think that should work. Please let me know once you try adding it. Thank you!

0 Votes 0 ·

Please elaborate, what do you mean by a more specific route?
It is a /32 route, I don't know how I can make that more specific?? :)

The question really is whether there even is a way to add metrics to the routes that we push. And how do I specify that in the XML?

0 Votes 0 ·