R81.20 VSX VTI routing

Ninjawalsh — Fri, 16 Feb 2024 21:05:04 GMT

Hi ,

This my first post so apologies if I don't follow the expected etticate while I get used to the forum.

Anyway the issue I have created a routed VPN to Azure for our orgs new Remote client VPN . As I can see the VTI tunnels are working . However , outbound traffic routes to the wrp external interface . The logs stat traffic is encrypted by the community. Also traffic does get to the Azure infrastructure. The reason for my post is the logs for inbound traffic from the Azure side show the traffic hitting the VTI tunnel .

Is this normal behaviour ?

Re: R81.20 VSX VTI routing

the_rock — Mon, 19 Feb 2024 02:11:19 GMT

Let me take a "stab" at it, as the saying goes. So, Im fairly experienced with tunnels to Azure, I had helped lots of customers with it, plus had done extensive testing in the lab as well.

So, I have some question for ya.

1) is this numbered or unnumbered VTI?

2) Regardless what answer is to question1 (though it is somewhat important), can you please share how the route is configured for the subnet on Azure side? (please blur out any sensitive info)

3) As far as topology in smart console, this is SUPER IMPORTANT and it has to be correct...make sure anti-spoofing is disabled and actual remote peer matched EXACTLY how its configured in smart console interoperable object.

4) Is remote peer external IP added to be exmpred for anti spoof checks on external interface? Because if not, it should be

5) Do you have a route to external IP of the peer with default gateway of your upstream router IP?

Thats all I can think of for now.

Best,

Andy

topic R81.20 VSX VTI routing in Firewall and Security Management

R81.20 VSX VTI routing

Re: R81.20 VSX VTI routing