cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

On-prem connect with S2S VPN to Azure - Mobile users on P2S to Azure cannot connect to on-prem

Adam Weldon-Ming
Brass Contributor

‎Aug 17 2020 04:53 AM - edited ‎Aug 17 2020 08:35 AM

‎Aug 17 2020 04:53 AM - edited ‎Aug 17 2020 08:35 AM

On-prem connect with S2S VPN to Azure - Mobile users on P2S to Azure cannot connect to on-prem

Hello 

 

Thanks for taking your time to read this if you've got this far :) 

CURRENT SETUP
We have a on-prem network that is connected to Azure using a Site to Site VPN  
On-prem can communicate with Azure, and Azure back to on-prem. No worries. 

 

We have mobile users (out of the office where the above S2S is configured) that connect to Azure using Point to Site VPN. - Point to Site users can access Azure no worries. 

 

PROBLEM 
Users that are using the P2S VPN cannot communicate through the VPN down to the on-prem network resources (which are connected using S2S VPN as described above. 

---------------------

 

Is there something obvious that is missing?  We have not put in a route table, we have not set any static routes either.  As per this article https://docs.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support Scenario 2 - We would assume it would just work, but I am guessing we need to add some sort of static route somewhere. 

Just not sure where I should be looking to be able to communicate all the way through from mobile user on P2S to on-prem connect via S2S.

Labels:
1,893 Views
1 Like
2 Replies
Reply
2 Replies
best response confirmed by Adam Weldon-Ming (Brass Contributor)
Adam Weldon-Ming

‎Aug 17 2020 08:33 AM

‎Aug 17 2020 08:33 AM

Solution

Re: On-prem connect with S2S VPN to Azure - Mobile users on P2S to Azure cannot connect to on-prem

I was able to figure this out in the end: 

 

Once you download the P2S (Client) VPN Config file from the Azure Portal, and install it to set up your P2S VPN.

You're able to see that the routes that Azure VPN can connect to by finding this TXT file in: 

%appdata%\Microsoft\Network\Connections\Cm\<some id>\routes.txt 
 
2020-08-17 16_21_08-James and Niels _ Microsoft Teams.png
 
2020-08-17 16_22_41-James and Niels _ Microsoft Teams.png
 
Our on-prem route was not inside this text file - 
 
  1. We could manually add the on-prem route to this file and our P2S VPN would be able to then contact on-premise - However we needed a way to always include this route, as if a new user installs this (or you deploying to a lot of users) it would make sense to try have it in there before. 
  2. To then include our route automatically we advertised the route (with the local IP of the on-prem) to the Virtual Network gateway. To do this: 

    1. Connect to Azure PowerShell (I use cloud shell as work in different tenants) 
    2. Run the following below: 

 

$gw = Get-AzVirtualNetworkGateway -Name <name of gateway> -ResourceGroupName <name of resource group>

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute xx.xx.xx.xx/xx

 

This took about 5 mins to run. 

Once it has run, we deleted the current VPN on the machine, downloaded the new VPN profile and installed it. When we then checked the txt file, the new route was inside of the .txt file. 


This article helped me: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

 

Hope this helps someone who comes across the same problem :) 

 

Adam. 

1 Like
Reply
J-La026

‎Oct 31 2023 04:04 AM

‎Oct 31 2023 04:04 AM

Re: On-prem connect with S2S VPN to Azure - Mobile users on P2S to Azure cannot connect to on-prem

@Adam Weldon-Ming 

Hi!

I am having this exact setup and trying to configure so that P2S users can access resources over at S2S end. I have tried the below solution that you provided but it wont work for me. The onprem net is advertised in the Azure VPN client but still it seems its not routing. Onprem firewall does not see any incoming ICMP. Any suggestions what more I could look at? S2S is working and onprem can access VM at Azure. Also P2S can access VM at Azure and from that VM ofcourse access S2S.

Thanks

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Adam Weldon-Ming (Brass Contributor)
Adam Weldon-Ming

‎Aug 17 2020 08:33 AM

‎Aug 17 2020 08:33 AM

Solution

Re: On-prem connect with S2S VPN to Azure - Mobile users on P2S to Azure cannot connect to on-prem

I was able to figure this out in the end: 

 

Once you download the P2S (Client) VPN Config file from the Azure Portal, and install it to set up your P2S VPN.

You're able to see that the routes that Azure VPN can connect to by finding this TXT file in: 

%appdata%\Microsoft\Network\Connections\Cm\<some id>\routes.txt 
 
2020-08-17 16_21_08-James and Niels _ Microsoft Teams.png
 
2020-08-17 16_22_41-James and Niels _ Microsoft Teams.png
 
Our on-prem route was not inside this text file - 
 
  1. We could manually add the on-prem route to this file and our P2S VPN would be able to then contact on-premise - However we needed a way to always include this route, as if a new user installs this (or you deploying to a lot of users) it would make sense to try have it in there before. 
  2. To then include our route automatically we advertised the route (with the local IP of the on-prem) to the Virtual Network gateway. To do this: 

    1. Connect to Azure PowerShell (I use cloud shell as work in different tenants) 
    2. Run the following below: 

 

$gw = Get-AzVirtualNetworkGateway -Name <name of gateway> -ResourceGroupName <name of resource group>

Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -CustomRoute xx.xx.xx.xx/xx

 

This took about 5 mins to run. 

Once it has run, we deleted the current VPN on the machine, downloaded the new VPN profile and installed it. When we then checked the txt file, the new route was inside of the .txt file. 


This article helped me: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

 

Hope this helps someone who comes across the same problem :) 

 

Adam. 

View solution in original post

1 Like
Reply