sundram090-4866 asked Rishabhmishra-9205 edited

Adding new subnet in site to site

Hello Everyone,
We have a site-to-site connection in our environment. In the environment, only one subnet from on-prem is able to connect to the VPN.
We had to add another subnet from the environment, so we have added that subnet in the Local Network Gateway.

Need to understand:

  • Is there any configuration required on the on-premises environment or in Azure after the routing configuration?

  • What troubleshooting needs to be done in the on-premises environment?

Please provide your suggestions.

Thanks for your help!



azure-vpn-gateway

Hello @sundram090-4866 ,

Could you please provide an update on this issue and share the requested details for further discussion?

Regards,
Gita

LuisRodriguez-MSFT answered

Hello @sundram090-4866

Welcome to Microsoft Q&A Platform.

This could be a traffic selector issue. What's the VPN type (policy-based / route-based)?
You can try to enable the "Use policy based traffic selector" option. You will find this option under the connection configuration page in the Azure Portal.

More info about VPN types and traffic selectors below:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

If you use ACLs on the on-premises side, you have to be sure that the traffic for the new subnet is allowed.

Please check the thread below as it's related to the same topic:
https://docs.microsoft.com/en-us/answers/questions/174192/azure-vpn-connectivity-s2s.html

I hope this helps!


Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


LimitlessTechnology-2700 answered

Hi there,

Yes, to configure a multisite deployment, there are a number of steps required to modify network infrastructure settings, including configuring additional Active Directory sites and domain controllers, configuring additional security groups, and configuring Group Policy Objects (GPOs) if you are not using automatically configured GPOs.

Here is a link for a detailed description of the process that you must follow.

Step 2 Configure the Multisite Infrastructure https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/multisite/configure/step-2-configure-the-multisite-infrastructure

In the thread below you can find the impacts of creating subnets in AD Sites and Services:
Creating a new site and adding subnets on ad sites and services https://social.technet.microsoft.com/Forums/en-US/dd8f4ed2-40dd-44e4-b812-c44498142584/creating-new-site-and-add-subnets-on-ad-sites-and-services?forum=winserverDS



--If the reply is helpful, please Upvote and Accept it as an answer–


sundram090-4866 answered GitaraniSharmaMSFT-4262 commented

Thanks, guys, for your help!

While doing this troubleshooting we ran into another issue with our working subnet. Now we are getting around 94% ping loss with the working subnet.
Please suggest what the possible issue could be and its resolution.

VPN Type : Route Based
IKEv1

![197696-image.png][1]




Hello @sundram090-4866 ,

Could you please validate whether you have any overlapping address spaces between Azure and your on-premises network?

Also, I see that you are using IKEv1 Route based VPN. Could you please confirm if you have enabled "UsePolicyBasedTrafficSelectors"? If yes, then please ensure that your VPN device has the matching traffic selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the Azure virtual network prefixes, instead of any-to-any.
Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto#does-everything-need-to-match-between-the-azure-vpn-gateway-policy-and-my-on-premises-vpn-device-configurations

Also, if your route-based IKEv1 connection is disconnecting at routine intervals, it is likely due to VPN gateways not supporting in-place rekeys. To prevent these reconnects, the recommendation is to switch to IKEv2, which supports in-place rekeys.
Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto#why-is-my-ikev1-connection-frequently-reconnecting

Regards,
Gita

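An added check (not code from the thread or from Microsoft) that turns the two points in the comment above into something you can run before touching the gateway: it flags overlapping address spaces between the VNet and the Local Network Gateway prefixes, and lists the full set of on-premises-to-Azure prefix pairs a policy-based traffic selector configuration has to contain, so a missing pair for a newly added subnet stands out. All prefixes below are constructed sample values, not addresses from the original post.

```python
import ipaddress
from itertools import product

# Constructed sample prefixes (not from the thread): replace with your VNet
# address space and the Local Network Gateway prefixes. The second on-prem
# prefix plays the role of the newly added subnet.
AZURE_VNET_PREFIXES = ["10.10.0.0/16"]
ONPREM_PREFIXES = ["192.168.1.0/24", "192.168.2.0/24"]


def _net(prefix):
    """Normalise a prefix string to its network address (e.g. 10.10.5.7/24 -> 10.10.5.0/24)."""
    return ipaddress.ip_network(prefix, strict=False)


def find_overlaps(azure_prefixes, onprem_prefixes):
    """Return (azure, onprem) pairs whose address spaces overlap.
    Overlap means part of the remote range is also a local range, so traffic
    for it may never enter the tunnel and shows up as partial packet loss."""
    overlaps = []
    for a, o in product(azure_prefixes, onprem_prefixes):
        if _net(a).overlaps(_net(o)):
            overlaps.append((str(_net(a)), str(_net(o))))
    return overlaps


def traffic_selector_pairs(azure_prefixes, onprem_prefixes):
    """Every on-prem <-> Azure prefix combination that a policy-based traffic
    selector setup must define, instead of a single any-to-any selector."""
    return sorted((str(_net(o)), str(_net(a)))
                  for o, a in product(onprem_prefixes, azure_prefixes))


def missing_selectors(configured, azure_prefixes, onprem_prefixes):
    """Compare the (onprem, azure) selectors configured on the VPN device with
    the required set; anything returned is a subnet that cannot use the tunnel."""
    required = set(traffic_selector_pairs(azure_prefixes, onprem_prefixes))
    present = {(str(_net(o)), str(_net(a))) for o, a in configured}
    return sorted(required - present)


if __name__ == "__main__":
    print("overlaps:", find_overlaps(AZURE_VNET_PREFIXES, ONPREM_PREFIXES))
    print("required selectors:", traffic_selector_pairs(AZURE_VNET_PREFIXES, ONPREM_PREFIXES))
    # Device still only carries the original subnet: the new one is reported missing.
    old_only = [("192.168.1.0/24", "10.10.0.0/16")]
    print("missing:", missing_selectors(old_only, AZURE_VNET_PREFIXES, ONPREM_PREFIXES))
```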

Hello @sundram090-4866 ,

Could you please provide an update on this issue and share the requested details for further discussion?

Regards,
Gita

LuisRodriguez-MSFT answered

Hi @sundram090-4866

Can you reset the VPN gateway and check if the issue gets fixed?

If not, please check the MSS/MTU values configured (please note that you must clamp TCP MSS at 1350; or, if your on-premises VPN devices do not support MSS clamping, you can alternatively set the MTU on the tunnel interface to 1400 bytes instead).

You can check the Azure VPN Gateway logs, paying special attention to the IKE logs:
https://docs.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics

Thank you


Rishabhmishra-9205 answered Rishabhmishra-9205 edited

Hi @sundram090-4866

Can you please share your on-premises VPN gateway vendor? Is it a policy-based or route-based VPN?

Thanks
Rish
