Channel: Azure Networking (DNS, Traffic Manager, VPN, VNET) forum

Not able to ping VMs over ETH1,2 interface in different region and different VNets connected to each other via VNet Peering or VPN Gateway



I have one VNet created in West US and another VNet created in Central US.

There are 2 subnets created in each VNet and 1 VM in each region.

Each VM has two NICs associated with it.

ETH0 has the first subnet assigned and ETH2 has the second subnet assigned.

After this, I created VNet peering to connect these networks.

I am able to ping the eth0 interface from VM1 to VM2 and vice versa.

But I am not able to ping the eth1 interface from VM1 to VM2 and vice versa.

Setup is as below:

  • VNet-1: 10.234.0.0/16
    • Subnet-1: 10.234.1.0/24
      • Eth0 IP: 10.234.1.5/24
    • Subnet-2: 10.234.2.0/24
      • Eth1 IP: 10.234.2.4/24

 

  • VNet-2: 10.235.0.0/16
    • Subnet-1: 10.235.1.0/24
      • Eth0 IP: 10.235.1.5/24
    • Subnet-2: 10.235.2.0/24
      • Eth1 IP: 10.235.2.5/24

Eth0 IPs are reachable across VNets but Eth1 IPs are not reachable across VNets.

I have tried a similar setup using a VNet-to-VNet VPN gateway instead of VNet peering.

The same observation is made there also.
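An added example, not part of the post: with two NICs, only the primary NIC normally carries the guest's default route, so a reply to a request that arrived on eth1 from the peered VNet leaves through eth0 while still carrying eth1's source address. That asymmetric reply is a common reason a secondary NIC answers on its own subnet but not across a peering or VPN. The script below models the NIC layout from the post, shows which NIC a reply would use, and builds the Linux policy-routing commands that give the secondary NIC its own routing table. It assumes a Linux guest and that each subnet's gateway is the first usable host address (the Azure convention); it returns the `ip` commands as strings and does not execute them.

```python
from ipaddress import ip_address, ip_interface

# Constructed from the NIC layout in the post. Assumptions not stated there:
# the guest is Linux, and each subnet's gateway is the first usable host
# address of the subnet (the Azure convention). Nothing here runs `ip`;
# the commands are returned as strings for review.
NICS = [
    {"name": "eth0", "cidr": "10.234.1.5/24"},   # primary NIC: holds the only default route
    {"name": "eth1", "cidr": "10.234.2.4/24"},   # secondary NIC: no default route of its own
]
FIRST_TABLE = 100   # id of the first custom routing table (arbitrary choice)


def gateway_of(cidr):
    """First usable host of the NIC's subnet, e.g. 10.234.2.4/24 -> 10.234.2.1."""
    return str(ip_interface(cidr).network[1])


def egress_nic(nics, dst):
    """Where a reply to `dst` leaves when only the primary NIC has a default route:
    on-link destinations use the NIC whose subnet contains them, everything else
    (including the peered VNet) follows the default route on the primary NIC."""
    target = ip_address(dst)
    for nic in nics:
        if target in ip_interface(nic["cidr"]).network:
            return nic["name"]
    return nics[0]["name"]


def reply_is_symmetric(nics, arrival_nic, dst):
    """True when the reply leaves through the NIC the request arrived on. A reply
    that leaves eth0 carrying eth1's source address is asymmetric, which is a
    common reason a secondary NIC is unreachable from another network."""
    return egress_nic(nics, dst) == arrival_nic


def policy_routing_plan(nics, first_table=FIRST_TABLE):
    """Per secondary NIC: a dedicated routing table with that NIC's on-link route and
    a default route via its gateway, plus a rule that sends packets sourced from
    the NIC's address into that table. Returns the `ip` commands as strings."""
    cmds = []
    for table, nic in enumerate(nics[1:], start=first_table):
        iface = ip_interface(nic["cidr"])
        cmds += [
            f"ip route add {iface.network} dev {nic['name']} src {iface.ip} table {table}",
            f"ip route add default via {gateway_of(nic['cidr'])} dev {nic['name']} table {table}",
            f"ip rule add from {iface.ip}/32 table {table}",
        ]
    return cmds


if __name__ == "__main__":
    # A request from the peered VM's eth1 (10.235.2.5) arrives on our eth1.
    print("reply symmetric:", reply_is_symmetric(NICS, "eth1", "10.235.2.5"))   # False
    print("\n".join(policy_routing_plan(NICS)))
```

Run it on the VM after checking `ip route` and `ip rule` to confirm the secondary NIC really has no default route of its own; on Windows the equivalent is a per-interface route rather than a policy rule, which this script does not generate.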


Address pool for Point-To-Site VPN


Hi guys, 

I have the address space 172.30.0.0/16 with one VNet subnet 172.30.0.0/24 and a gateway subnet 172.30.1.0/24.

When I configure the address pool 172.30.2.0/24 for Point-to-Site VPN, I get an error that this range overlaps with 172.30.0.0/16.

Should the address pool for Point-to-Site VPN be outside of the address space 172.30.0.0/24?

Regards
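An added example, not part of the post: the error in the post comes from an overlap check, and the check below reproduces it with Python's `ipaddress` module. It contrasts the two rules that are easy to confuse: subnets (including the gateway subnet) must sit inside the VNet address space, while the Point-to-Site client pool must be disjoint from that address space and from every network the VNet is connected to. The on-premises range used here is a placeholder, not from the post.

```python
from ipaddress import ip_network

# Constructed from the ranges in the post; the on-premises range is a
# placeholder added for illustration.
VNET_ADDRESS_SPACE = [ip_network("172.30.0.0/16")]
VNET_SUBNETS = {
    "default": ip_network("172.30.0.0/24"),
    "GatewaySubnet": ip_network("172.30.1.0/24"),
}
ON_PREMISES = [ip_network("10.0.0.0/8")]   # placeholder: networks the VNet is connected to


def subnets_inside_address_space(subnets, address_space):
    """Subnets are carved out of the address space, so each must sit inside it."""
    return all(any(s.subnet_of(a) for a in address_space) for s in subnets.values())


def pool_conflicts(pool, ranges):
    """Ranges that overlap the proposed client pool."""
    p = ip_network(pool)
    return [str(r) for r in ranges if p.overlaps(r)]


def validate_p2s_pool(pool, address_space=VNET_ADDRESS_SPACE, connected=ON_PREMISES):
    """The client pool is the opposite of a subnet: addresses from it are handed to
    VPN clients and routed into the VNet, so it must be disjoint from the VNet's
    own address space and from every network the VNet is connected to.
    Returns (ok, conflicting_ranges)."""
    problems = pool_conflicts(pool, address_space) + pool_conflicts(pool, connected)
    return (not problems, problems)


if __name__ == "__main__":
    assert subnets_inside_address_space(VNET_SUBNETS, VNET_ADDRESS_SPACE)
    for candidate in ("172.30.2.0/24", "172.31.0.0/24", "10.5.0.0/24"):
        ok, why = validate_p2s_pool(candidate)
        print(f"{candidate}: {'ok' if ok else 'overlaps ' + ', '.join(why)}")
```

Extend `ON_PREMISES` with every site-to-site and peered range before picking a pool, since a pool that passes against the VNet alone can still collide with a route learned over the gateway.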

NSG not disallowing existing connections


I am working to apply an NSG to a subnet where I have a SQL Managed Instance. I was able to configure it according to the MI doc and apply it successfully to the subnet where the MI is located. I am still able to connect to that MI from a LAN-connected workstation using SQL Management Studio and run simple queries.

I added a test Deny Inbound security rule to the NSG which is applied to the SQL MI subnet that denies my LAN-connected IP to the MI. The existing SQL Management Studio query analyzer remains connected and I'm able to continue to run simple queries. I am not able to start a new SQL Management Studio connection, nor am I able to modify the database contained in the MI. I'm also not able to establish a new query analyzer session. This leads me to believe that the NSG has gone into effect, but the existing session remains open.

A "netstat -anp tcp" from my workstation shows I'm connecting to the MI subnet on port 1433, which should be blocked with the addition of the inbound security rule.  

My question is:  Does an NSG to disallow inbound traffic not have an effect on existing connections?  

--Greg

Stateful Routing

Do Azure Load Balancer and/or Application Gateways have stateful routing capability?

Azure VM - ADFS High Availability


Note: All Windows Server used are version 2012 R2

On-Premise (Existing Infrastructure)

10.10.1.58 - ADFS01

10.10.1.59 - ADFS02

10.10.1.60 - sts.domain.com (Windows Network Load Balance)

Note: There is an existing site to site VPN configured between on-premise and Microsoft azure

Azure - Virtual Machine , This will serve as high availability for ADFS and should be added as member of on-premise Windows Network Load Balance

192.168.10.60 - ADFS03

My issue: when I try to join the Azure VM 192.168.10.60 - ADFS03 as a member of the on-premise 10.10.1.60 - sts.domain.com (Windows Network Load Balance), the Azure VM 192.168.10.60 - ADFS03 network interface breaks every time and I have to reset the network interface of the Azure VM before I can reuse it.

I would like to know if this is a supported scenario. As per the posts linked below, Windows Network Load Balance is not supported in Azure.

https://www.itprotoday.com/microsoft-azure/q-can-i-use-network-load-balancing-feature-azure

https://support.microsoft.com/en-us/kb/2721672?wa=wsignin1.0

https://www.itprotoday.com/microsoft-azure/azure-load-balancer-use-premises-and-azure

Can Azure Internal Load Balancer be an alternative? What is the concept of implementing this scenario using Azure ILB?




Traffic Manager Still Directing traffic to a degraded endpoint


Hi, I have set up traffic manager with 2 endpoints with Priority routing. Both endpoints are external.

When I disable access to the endpoint with the highest priority, the monitor status changes to degraded as expected. However DNS queries to the traffic manager are still returning the degraded endpoint.

Only when I disable the degraded endpoint does it reply with the secondary address.

I would expect that a degraded endpoint is taken out of the rotation immediately.

Please assist.

Azure - Palo Alto VPN


Hello, 

Is there a way to extend Palo Alto's VPN Capabilities to Azure? 

We basically have a situation where our VPN is located in Canada but a lot of our users are roaming around the globe. So for them to access our files through VPN means they have to connect to Canada for VPN from wherever they are and then route back to the cloud region closest to them. So that makes things very slow. 

How to verify account


Apparently I can't include an image until my account had been verified...

...But I can't see a link anywhere to allow that to happen.

So: How does one verify an account on these 'ere forums?


Static MAC Address for Azure VM using Loopback NIC?


I'm trying to find out if it's possible to either assign a static MAC address to a NIC of an Azure (ARM) VM or if it's still possible to add a second NIC as a loopback adapter?

A client is using an Azure VM to host a 3rd party application which binds its license to the VM's MAC address. At the moment the MAC address changes occasionally, which stops the application from working.

If we can assign a static MAC or use a loopback adapter (as per some older posts) we can stop this problem from occurring in the future.

Cheers for now

Russell

VPN Gateway Status "Failed" State


Hello,

I update the settings in the VPN P2S configuration and after saving the settings it took a lot of time updating and later the state changed to Failed. Currently, I cannot perform any actions on the VPN Gateway.

Any idea how this can be resolved?

Thanks,

Nabil

Force ASE traffic to pass through an NVA (Firewall)

I have an NVA (Firewall) that I want web app traffic to pass through it. Now my ASE comes with public IP. But traffic will go over the internet directly through azure's backdoor and would not pass through my NVA unless the public IP is attached to my NVA or an LB before the NVA. Would it be possible to do that?

Azure VPN to ASA with 2 WAN Interfaces


I am looking at setting up a VPN connection back to our headquarters from our Azure instance. Is there a way to set it up to utilize both public IP peers on the ASA? I have it set up route-based to our firewall, but when we fail over to the other ISP it goes down.

Any Suggestions?

Thanks,

Tom

Accessing a Service Endpoint from another VNET/subscription/account through VPN Gateway (VNET-to-VNET)


I've created a Document DB Service Endpoint in a VNET in a customer's Azure Subscription. I now want to access this Service Endpoint from a VNET in our subscription. I tried setting up VNET peering but as the subscriptions have different AAD tenants this is not possible. Can I access the Service Endpoint if I set up a VNET-to-VNET connection with a VPN Gateway or is there a limitation when it comes to traffic to Service Endpoints through VPN Gateway?

Thanks

/Fredrik


Azure DNS - Nginx Config Error

So, I have been configuring the DNS name name.centralindia.cloudapp.azure.com, which points at the Ubuntu 16.05 LTS VM. We want the site to be secured with SSL certificates, so I have already installed the Nginx server to do the work on the back end. I have configured the Nginx server to point to our custom DNS, but I'm facing constant issues with the nginx configuration. When I open the site over https or http, I get a "Bad Gateway" error, the "Nginx welcome page", or a 404 Not Found error.


Somehow, with the help of the nginx server, we need to point our DNS at the SSL key which is already installed in:
        ssl_certificate      /etc/ssl/certs/azurevm.crt;
        ssl_certificate_key /etc/ssl/private/azurevm.key;
(These are the self-signed keys generated within Ubuntu, but we need to use the certificate which is generated and stored in the Azure Key Vault under the name "xxcert", which I cannot find in Ubuntu (var/lib/waagent).)

I have also followed this link to secure the web server in Azure: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-secure-web-server, but that installation is done while booting the VM for the first time, whereas in my case I have already installed the VM.

This is my default config under /etc/nginx/sites-available/default (I have not made any changes in sites-enabled/default):

    # Default server configuration
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$host$request_uri;
    }

    server {
        # SSL configuration
        #
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;

        server_name name.centralindia.cloudapp.azure.com;

        ssl on;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";

        # ssl_certificate           /etc/nginx/ssl/vmcert.pem;
        # ssl_certificate_key       /etc/nginx/ssl/vmcert.key;
        ssl_certificate      /etc/ssl/certs/azurevm.crt;
        ssl_certificate_key  /etc/ssl/private/azurevm.key;

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;

            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;

            # Fix the "It appears that your reverse proxy set up is broken" error.
            proxy_pass          http://localhost:8000;
            proxy_read_timeout  90;
            proxy_redirect      http://localhost:8000 http://name.centralindia.cloudapp.azure.com;
        }
    }

       

ASA5516 9.8(2) IKEv2 (no BGP) site to site connection with Azure fails


I have an Azure subscription with a virtual network where the gateway subnet is 172.26.0.0/27, and then I have a number of subnets, e.g. 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, ....

On the router side I have configured the network objects for 172.26.0.0/27 and 172.26.1.0/24.

The local network is 10.0.0.0/8.

This is the configuration I have used to setup the site to site connection on the router:

object network HQ-LAN
subnet 10.0.0.0 255.0.0.0
description The HQ LAN
object network AzureLabNet-LAN
subnet 172.26.1.0 255.255.255.0
description The Azure AzureLabNet LAN range
object network AzureLabNet-Gateway
subnet 172.26.0.0 255.255.255.224
object-group network AzureLabNet-network
description Azure AzureLabNet Virtual Network
network-object object AzureLabNet-LAN
network-object object AzureLabNet-Gateway
object-group network HQ-network
description HQ on-premises Network
network-object object HQ-LAN

access-list azure-vpn-acl extended permit ip object-group HQ-network object-group AzureLabNet-network log notifications 
nat (LAN,INTERNET) source static HQ-network HQ-network destination static AzureLabNet-network AzureLabNet-network no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup

crypto map CRYPTO-MAP 1 match address azure-vpn-acl
crypto map CRYPTO-MAP 1 set peer 40.a.b.c 
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal AZURE-TRANSFORM-2
crypto map CRYPTO-MAP 1 set ikev2 pre-shared-key ********
crypto map CRYPTO-MAP 1 set security-association lifetime seconds 3600
crypto map CRYPTO-MAP 1 set nat-t-disable
crypto map CRYPTO-MAP interface INTERNET

crypto ca trustpool policy

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800

crypto ikev2 enable INTERNET

group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
vpn-tunnel-protocol ikev2

dynamic-access-policy-record DfltAccessPolicy
tunnel-group 40.a.b.c type ipsec-l2l
tunnel-group 40.a.b.c general-attributes
default-group-policy AzureGroupPolicy
tunnel-group 40.a.b.c ipsec-attributes
ikev2 remote-authentication pre-shared-key ********
ikev2 local-authentication pre-shared-key ********
no tunnel-group-map enable peer-ip
tunnel-group-map default-group 40.a.b.c

sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows

 

The connection seems to reach the point where an IKEv2 tunnel is set up, but then the tunnel gets rejected with the following error:

 

3 Sep 10 2018 14:39:38 751022     Local:80.x.y.w:500 Remote:40.a.b.c:500 Username:40.a.b.c IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!

 

In debug, I found:

 

IKEv2-PROTO-2: (404): Processing IKE_AUTH message
IKEv2-PLAT-2: (404): Crypto Map: No proxy match on map CRYPTO-MAP seq 1
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Received Policies:
ESP: Proposal 1: AES-GCM-256 Don't use ESN

ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN

ESP: Proposal 3: 3DES SHA96 Don't use ESN

ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN

ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN

ESP: Proposal 6: 3DES SHA256 Don't use ESN

IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Expected Policies:
IKEv2-PROTO-5: (404): Failed to verify the proposed policies
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404):

 

and also:

IKEv2-PROTO-5: (237): SM Trace-> SA: I_SPI=8D624530AA96162A R_SPI=4A613765BD92DF8F (I) MsgID = 00000004 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-2: (237): Deleting SA
IKEv2-PROTO-1: session is not there in tree
IKEv2-PLAT-2:
CONNECTION STATUS: DOWN... peer: 40.a.b.c:500, phase1_id: 40.a.b.c
IKEv2-PLAT-2: (237): IKEv2 session deregistered from session manager. Reason: 6
IKEv2-PLAT-2: (237): session manager killed ikev2 tunnel. Reason: IKE Delete
IKEv2-PLAT-2: (237): PSH cleanup
IKEv2-PLAT-5: Active ike sa request deleted
IKEv2-PLAT-5: Decrement count for incoming active
IKEv2-PLAT-2: (404): Encrypt success status returned via ipc 1
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xAA15ED6E error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xFBC930C6 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xDA2A46C2 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x2EDA754D error FALSE

 

Any suggestion on how to fix this?
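An added example, not part of the post or of any Cisco tooling: the two log excerpts above point at different stages of IKE_AUTH, and it helps to separate them. The 751022 message says the peer proposed 0.0.0.0-255.255.255.255 as both traffic selectors, while azure-vpn-acl only describes 10.0.0.0/8 to the two Azure ranges; the debug's "Received Policies" list, on the other hand, does contain AES-CBC-256 with SHA256, the same algorithms as AZURE-TRANSFORM-2. The script parses both excerpts and reports which check fails. Its crypto-map model is a simplification (the peer's selectors must fit inside one ACL line); the ACL, proposal and log lines are taken from the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the crypto ACL, the 751022 syslog line and the IKEv2 debug
# output quoted in the post.
CRYPTO_ACL = [                                   # azure-vpn-acl as (local, remote) networks
    ("10.0.0.0/8", "172.26.1.0/24"),
    ("10.0.0.0/8", "172.26.0.0/27"),
]
CONFIGURED_PROPOSAL = ("AES-CBC-256", "SHA256")  # AZURE-TRANSFORM-2: aes-256 / sha-256
REJECT_LINE = ("IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic "
               "selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector "
               "0.0.0.0/255.255.255.255/0/65535/0!")
DEBUG_LINES = """\
ESP: Proposal 1: AES-GCM-256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: 3DES SHA96 Don't use ESN
ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN""".splitlines()

# ASA prints each selector as start-address/end-address/start-port/end-port/protocol.
TS_RE = re.compile(
    r"remote traffic selector ([^/\s]+)/([^/\s]+)/[^/\s]+/[^/\s]+/[^/\s]+ "
    r"local traffic selector ([^/\s]+)/([^/\s]+)/")
PROPOSAL_RE = re.compile(r"ESP: Proposal (\d+): (\S+)(?: (\S+))? Don't use ESN")


def parse_rejected_selectors(line):
    """Return ((local_start, local_end), (remote_start, remote_end)) from the 751022 line."""
    m = TS_RE.search(line)
    if not m:
        raise ValueError("not a 'Crypto Map Policy not found' line")
    remote = (ip_address(m.group(1)), ip_address(m.group(2)))
    local = (ip_address(m.group(3)), ip_address(m.group(4)))
    return local, remote


def covering_acl_entry(acl, local_ts, remote_ts):
    """Index of the first ACL line whose networks contain both proposed ranges, or None.
    Simplified model of a policy-based crypto map: the peer's selectors have to fit
    inside one ACL line. A 0.0.0.0-255.255.255.255 selector (what a route-based peer
    proposes) fits inside none of them."""
    for i, (local_net, remote_net) in enumerate(acl):
        lnet, rnet = ip_network(local_net), ip_network(remote_net)
        if (lnet[0] <= local_ts[0] <= local_ts[1] <= lnet[-1]
                and rnet[0] <= remote_ts[0] <= remote_ts[1] <= rnet[-1]):
            return i
    return None


def parse_received_proposals(lines):
    """Map proposal number -> (encryption, integrity); integrity is None for AEAD (GCM)."""
    out = {}
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            out[int(m.group(1))] = (m.group(2), m.group(3))
    return out


def matching_proposal(configured, received):
    """Number of the first received ESP proposal equal to the configured one, or None."""
    for num in sorted(received):
        if received[num] == configured:
            return num
    return None


def diagnose(acl, configured, reject_line, debug_lines):
    """Separate the two ways IKE_AUTH can fail: transform mismatch vs selector mismatch."""
    local_ts, remote_ts = parse_rejected_selectors(reject_line)
    proposal = matching_proposal(configured, parse_received_proposals(debug_lines))
    entry = covering_acl_entry(acl, local_ts, remote_ts)
    if proposal is None:
        return "no ESP proposal matches the configured ipsec-proposal"
    if entry is None:
        return (f"ESP proposal {proposal} matches; rejected because no crypto ACL line "
                f"covers the proposed selectors")
    return f"ESP proposal {proposal} and ACL line {entry} both match"


if __name__ == "__main__":
    print(diagnose(CRYPTO_ACL, CONFIGURED_PROPOSAL, REJECT_LINE, DEBUG_LINES))
```

The useful outcome of running it is the distinction itself: when the transform matches but no ACL line covers a 0.0.0.0/0 selector, the thing to compare is whether both ends agree on policy-based versus route-based selectors, not the cipher settings.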


Azure VPN Connection


Hi All,

I have created a web app in Azure.
I need to set up a VPN connection for this web app for a client on a private network, for which I have all the connection details.

Steps carried out so far:

1. I have created a virtual network (VNet) within the web app.

2. Then a virtual network gateway was created.

Do I need to set up the local network gateway so that my client's network can access this web app via the VPN connection, or can you guide me to the correct connection?

Thanks

Mark 


Marcus

Azure Container Instance Outbound IP


Hi,

I'm trying to configure a container instance with a static IP, but the IP showed at the container overview is not the same as the outbound IP. Is there any way to find a list of IP addresses used by the container instance? Furthermore, I read on SO that it is not yet possible to assign a static public IP to a container instance, is there a timeline available for when this feature is released? 

Remote user connection to Azure Via ExpressRoute


Hello experts,

I just need a validation (I seem to have a mental gap)

For external (not presently on the on-premise network) users trying to connect to a VM in azure on an ExpressRoute Circuit.

1. If they use a VPN client to tunnel into the on-premise network (Cisco AnyConnect, for instance), can they use that same VPN connectivity to get into the ExpressRoute circuit and then connect to Azure?

2. Can Point-to-Site Connectivity work in a set up where you have both Azure ExpressRoute and Site-to-Site VPN?

Multi Container Service Fabric with Application Gateway

Hi, we have a specific requirement. We are deploying our application in Service Fabric containers in Azure. For each client we are creating a separate container on Service Fabric. Service Fabric itself has the public-facing load balancer. Each container has an individual port number; I have opened the port in the load balancer and am able to access the containers with https://<Load Balancer IP>:Containerport, and it is working fine. To provide security we need to use the Application Gateway in front of the load balancer. Our application only allows traffic on HTTPS port 443; the requirement is below.

We want to forward the 443 traffic with path-based routing in the Application Gateway to the specific container on Service Fabric.

All traffic should be received only on port 443; after that, with a path-based rule we need to forward it to the specific container, e.g. https://1.1.1.1/client1 to container1 and https://1.1.1.1/client2 to container2.

Can you please help me to configure the application for this requirement?


Publishing ASE rules


Hi,

I have an ASE that I want to host non-externally published endpoints on.

However, one Web App within the ASE will need to be public facing (IP restricted to known IPs, though) due to no ExpressRoute connectivity.

My logical path is:

Public App Gateway > VNET (NSG rules) with Web App in > VNET (with Functions in) + SQL via VNET SI

Will this create a DMZ and, more importantly, work :) ?

Do I use VNet peering for the VNET with the Web App to the VNet with the Functions in?

