VPN tunnel is established, but connections inside it flap: they work for ~5 minutes, then fail for ~5 minutes

  • Question

  • Hi all,

    for some research using Azure at my employer, I've successfully connected a FritzBox 7490 via a site-to-site VPN (created via Resource Manager) to the Azure VPN Gateway.

    But even though the tunnel is and stays established and shows no errors (both products deliver only very limited logs...), a ping from 192.168.178.11 to 10.0.0.4 works for ~5 minutes, then times out for ~5 minutes, comes back for ~4-5 minutes, times out again, and so on and so on...

    Does anybody have a clue what that could be? It looks like it suddenly stops working after a session in quirks mode.

    Could it be that the Phase 2 proposals don't fit each other optimally?

    The tunnel still shows as established then...

    Best regards

    Peter

    Thursday, December 22, 2016 7:09 AM
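    The post above reports a regular on/off pattern but estimates it by eye. The following script is an added example (not part of the original thread) that measures the pattern from a ping log: it assumes the ping was run with iputils `ping -D` so every reply line carries an epoch timestamp, treats holes in `icmp_seq` between two replies as an outage, and estimates the period between outage starts. The sample log is constructed here to mimic a 5-minutes-up/5-minutes-down cycle against 10.0.0.4; the host, interval and timings are assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional

# One reply line of iputils "ping -D":
# "[1482390540.000000] 64 bytes from 10.0.0.4: icmp_seq=7 ttl=64 time=25.1 ms"
REPLY = re.compile(r"^\[(?P<ts>\d+(?:\.\d+)?)\] \d+ bytes from \S+ icmp_seq=(?P<seq>\d+)")


def find_outages(lines: Iterable[str]) -> List[Dict[str, float]]:
    """Return every outage bounded by two replies whose icmp_seq differ by more than one.

    Non-reply lines (loss messages, summary) are ignored, so the result depends only on
    the sequence gap and the timestamps of the surrounding replies. A trailing loss
    with no later reply is unbounded and therefore not reported.
    """
    prev: Optional[tuple] = None
    outages: List[Dict[str, float]] = []
    for line in lines:
        m = REPLY.match(line)
        if not m:
            continue
        ts, seq = float(m["ts"]), int(m["seq"])
        if prev is not None and seq - prev[1] > 1:
            outages.append({
                "start": prev[0],            # last good reply before the hole
                "end": ts,                   # first good reply after it
                "lost": seq - prev[1] - 1,   # probes that got no reply
                "duration": ts - prev[0],
            })
        prev = (ts, seq)
    return outages


def estimate_period(outages: List[Dict[str, float]]) -> Optional[float]:
    """Mean spacing between outage starts. A stable value points at a timer somewhere
    (SA lifetime/rekey, DPD, NAT mapping expiry) rather than at random packet loss."""
    starts = [o["start"] for o in outages]
    if len(starts) < 2:
        return None
    return (starts[-1] - starts[0]) / (len(starts) - 1)


def sample_ping_log(t0: float = 1482390540.0, on: int = 300, off: int = 300, cycles: int = 3) -> List[str]:
    """Constructed sample (assumption, not captured data): one probe per second,
    replies only during the 'on' windows, loss lines in between."""
    lines: List[str] = []
    seq = 0
    for _ in range(cycles):
        for _ in range(on):
            seq += 1
            lines.append(f"[{t0 + seq - 1:.6f}] 64 bytes from 10.0.0.4: icmp_seq={seq} ttl=64 time=25.1 ms")
        for _ in range(off):
            seq += 1
            lines.append(f"no answer yet for icmp_seq={seq}")  # loss line; ignored by the parser
    return lines


if __name__ == "__main__":
    outs = find_outages(sample_ping_log())
    for o in outs:
        print(f"down for {o['duration']:.0f}s starting at {o['start']:.0f}, lost {o['lost']} probes")
    print("period between outage starts:", estimate_period(outs))
```

    Run it against a real capture with `ping -D 10.0.0.4 | tee ping.log` and compare the reported period with the IKE and IPsec SA lifetimes configured on both ends; the thread does not say which timer was responsible here, and the script only measures, it does not diagnose.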

All replies

  • Hi,

    Thank you for contacting the Microsoft forums. We are pleased to answer your query.

    I see that the query or issue needs a deeper technical dive. I recommend that you create a technical support ticket.

    The ticket enables you to work closely with the support engineers and get a quick resolution for your issue.

    Regards,

    Vijisankar

    • Proposed as answer by vijisankar Friday, December 23, 2016 6:27 PM
    • Unproposed as answer by Peter Richardt Thursday, December 29, 2016 8:58 AM
    Thursday, December 22, 2016 7:56 PM
  • Hi Vijisankar,

    thanks for your feedback. I thought maybe someone already had this special configuration in place.

    Best regards and happy Holidays

    Peter

    Friday, December 23, 2016 5:37 PM
  • Hi Peter,

    I have the same problem connecting my FritzBox 7490 and an Azure policy-based gateway over L2TP/IPsec. Roughly 30% of pings end in timeouts, although my VPN connection is successfully established.

    Could you find a solution?

    Moreover I have a DNS resolution problem: it seems that my host connected (briefly) via VPN cannot resolve names through the tunnel, even though I added my DNS server to my FritzBox and opened ports TCP and UDP 53 to VirtualNetwork in Azure and on the DNS MS firewall.

    Did you have the same problem?

    Best regards

    Nadimo

    Thursday, June 22, 2017 3:46 PM
  • Hi Nadimo,

    I solved it now with another VPN endpoint (and tried many):

    pfSense as an Azure virtual machine

    I can give you more information if you want. It's also a little bit tricky.

    Regarding DNS

    1. No, I didn't have such problems
    2. Can you ping (ICMP) via the tunnel?
    3. Have you configured the FritzBox DNS rebind protection?
    4. Can you connect to your DNS server via nslookup and ask for e.g. google.com?

    Best regards

    Peter

    Thursday, June 22, 2017 8:23 PM
  • Hi Peter,

    thanks a lot for your reply! So you gave up on the Azure "default" solution and changed over to external tools; I feared that.

    Before that I tried to establish a VPN connection to RRAS on a virtual machine in Azure (over L2TP). There I had issues with protocol 50 and the Azure firewall; while connecting I got error 791 (The L2TP connection attempt failed because security policy for the connection was not found), which I supposed was an IPsec (so protocol 50) error.

    SSTP (over the Azure gateway and RRAS) works fine, but stupidly that's not the connection type I need...

    So I will try to connect my Azure network with pfSense; I'm grateful for every suggestion you can make regarding this! I lost a lot of time trying to establish a S2S connection... :/

    Were there any stumbling blocks while integrating pfSense?

    Regarding DNS

    (Re 2): I can ping via ICMP without any problem

    (Re 3): I added "fritz.box" to the rebind protection and set the IPv4 address of my DNS server as preferred DNS and the DNS of my internet provider as alternate DNS

    (Re 4): While I checked with nslookup, I pinged the DNS server (10.0.0.6) permanently in another console; the connection was established.

    So I looked up a local name (serv001.ad.<contoso.com>) and a global one (google.com); both returned "Unknown Server" and a DNS request "timed out". My virtual servers have no problem resolving each other's names. That the servers are able to resolve each other's names shows that the firewall(s) should be configured correctly, right? Maybe I have to add that there is no IP filter in the Windows Firewall rules for UDP/TCP 53.

    And in Azure it looks like this:

    (Name / Source / Destination / Service / Action)

    1. DNS-IN1 / VirtualNetwork / Any / DNS (TCP/53) / Allow
    2. DNS-IN2 / VirtualNetwork / Any / DNS (UDP/53) / Allow
    3. DNS-OUT1 / Any / VirtualNetwork / DNS (TCP/53) / Allow
    4. DNS-OUT2 / Any / VirtualNetwork / DNS (UDP/53) / Allow

    Do you have a different Azure firewall configuration (concerning DNS)?

    Best regards and many thanks!!!

    Nadimo

    Friday, June 23, 2017 10:12 AM
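    The post above gets ICMP through the tunnel but nslookup times out, and its NSG rules only allow port 53 on TCP and UDP. The script below is an added example (not from the thread) of the check a practitioner would run next: it sends a hand-built DNS query to the server separately over UDP/53 and TCP/53 and classifies the result, so "ICMP works, UDP times out, TCP works" (or any other combination) can be read off directly instead of inferred from nslookup's generic message. The server address 10.0.0.6 is the one named in the post; the query name and the 3-second timeout are assumptions; the response bytes used to verify the parser are constructed, not captured.

```python
import random
import socket
import struct
import sys
from typing import List, Optional, Tuple


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query (A record by default) with the RD flag set."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_answer_ips(resp: bytes, expect_txid: int) -> Tuple[int, List[str]]:
    """Return (rcode, A-record IPs) from a response; follows name-compression pointers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")

    def skip_name(off: int) -> int:
        while True:
            length = resp[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
                return off + 2
            off += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4           # skip QTYPE + QCLASS
    ips: List[str] = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, ips


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def probe(server: str, name: str, proto: str, timeout: float = 3.0) -> Tuple[str, List[str]]:
    """Query 'server' for 'name' over 'udp' or 'tcp'; returns (status, ips).

    'timeout' on one transport but 'ok' on the other means a filter drops that transport;
    'timeout' on both while ICMP works means port 53 is filtered somewhere on the path;
    'refused' means the packet arrived and the host (or its firewall) rejected it.
    """
    query = build_query(name)
    txid = struct.unpack(">H", query[:2])[0]
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        elif proto == "tcp":
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)   # TCP DNS is length-prefixed
                (length,) = struct.unpack(">H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
        else:
            raise ValueError("proto must be 'udp' or 'tcp'")
    except socket.timeout:
        return "timeout", []
    except ConnectionRefusedError:
        return "refused", []
    except OSError as e:
        return f"error: {e}", []
    rcode, ips = parse_answer_ips(data, txid)
    return ("ok" if rcode == 0 else f"rcode {rcode}"), ips


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.6"    # DNS server from the post
    names = sys.argv[2:] or ["google.com"]                       # assumed query name
    for proto in ("udp", "tcp"):
        for n in names:
            print(proto, n, probe(server, n, proto))
```

    Run it from the VPN-connected host; if the local AD name resolves but google.com does not, the server answers but is not forwarding, which is a server-side configuration question rather than a tunnel or NSG problem.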
  • I tried various VPN gateways as virtual machines from other vendors.

    The best free version (because of its logging and "debugging" functions) was pfSense from Netgate.

    Using the following guide gave me the idea that it could work:

    https://znil.net/index.php?title=FritzBox_-_Site_to_Site_VPN_zu_pfSense_2.2

    In any case, I had to figure out why the error message "no proposal chosen" occurred.

    It was because the DH group was chosen wrongly on the pfSense (only 768 bit; the FritzBox had 1024).

    FritzBox                                           pfSense
    ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ  ESP:AES_CBC_256/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
    ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ  ESP:AES_CBC_192/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
    ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ  ESP:AES_CBC_128/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ
    ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ     -
    ESP:DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ      -
    ESP:AES_CBC_256/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ   -
    ESP:AES_CBC_192/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ   -
    ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ   -
    ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ      -
    ESP:DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ       -

    After changing the pfSense to 1024, the VPN tunnel was established in seconds.

    Refresh the DynDNS IP address of the FritzBox in Azure automatically

    Links:

     https://blog.webernetz.net/2015/03/11/fritzos-ab-06-23-ipsec-p2-proposals-erweitert/

    http://www.netinvent.com.au/node/49

    http://faq.fuchs-kiel.de/content/25/366/de/avm_fritzos-ike-parameter-fritzos-604.html

    https://blog.webernetz.net/2013/12/02/ipsec-site-to-site-vpn-juniper-screenos-avm-fritzbox/

    https://bskies.io/vpn-verbindung-zu-azure-mit-fritzbox-und-dynamischer-ip-update-gatewayip-ps1


    Monday, June 26, 2017 6:25 PM
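    The post above shows the two proposal lists side by side and the fix (MODP_768 vs MODP_1024, i.e. DH group 1 vs group 2 as the Phase 2/PFS group). The script below is an added example, not code from the thread or from pfSense, that reproduces the negotiation on those exact lists: every transform of a proposal has to match on both sides, so a single differing attribute yields no match, which is what pfSense's IPsec daemon (strongSwan) reports as "no proposal chosen". The explain_mismatch helper then reports which attribute has no common value. The proposal strings are copied from the post; the group-number table and the "responder picks the first matching initiator proposal" rule are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# IANA DH group numbers for the MODP names used in strongSwan-style proposal strings (assumed table)
DH_GROUP_NUMBER = {"MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14}


@dataclass(frozen=True)
class Proposal:
    protocol: str   # "ESP"
    encr: str       # e.g. "AES_CBC_256"
    integ: str      # e.g. "HMAC_SHA1_96"
    dh: str         # PFS group for the CHILD_SA, e.g. "MODP_1024"
    esn: str        # "NO_EXT_SEQ" or "EXT_SEQ"


def parse_proposal(text: str) -> Proposal:
    """Parse 'ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ' into its transforms."""
    protocol, rest = text.split(":", 1)
    parts = rest.split("/")
    if len(parts) != 4:
        raise ValueError(f"expected 4 transforms in {text!r}")
    return Proposal(protocol, *parts)


def negotiate(initiator: List[str], responder: List[str]) -> Optional[Proposal]:
    """Responder accepts the first initiator proposal it also has configured, else None.

    All transforms must match exactly; one differing attribute (here the DH group)
    is enough to produce 'no proposal chosen'.
    """
    configured = {parse_proposal(p) for p in responder}
    for text in initiator:
        p = parse_proposal(text)
        if p in configured:
            return p
    return None


def explain_mismatch(initiator: List[str], responder: List[str]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """For each transform with no value in common, the values offered by each side."""
    a = [parse_proposal(p) for p in initiator]
    b = [parse_proposal(p) for p in responder]
    report: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for field in ("protocol", "encr", "integ", "dh", "esn"):
        va = {getattr(p, field) for p in a}
        vb = {getattr(p, field) for p in b}
        if not va & vb:
            report[field] = (va, vb)
    return report


# Proposal lists from the post: FritzBox as initiator, pfSense as responder
FRITZBOX = [
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
    "ESP:AES_CBC_192/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
    "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
    "ESP:3DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
    "ESP:DES_CBC/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ",
    "ESP:AES_CBC_256/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ",
    "ESP:AES_CBC_192/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ",
    "ESP:AES_CBC_128/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ",
    "ESP:3DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ",
    "ESP:DES_CBC/HMAC_MD5_96/MODP_1024/NO_EXT_SEQ",
]
PFSENSE_BEFORE = [
    "ESP:AES_CBC_256/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ",
    "ESP:AES_CBC_192/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ",
    "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_768/NO_EXT_SEQ",
]
PFSENSE_AFTER = [p.replace("MODP_768", "MODP_1024") for p in PFSENSE_BEFORE]  # the fix from the post

if __name__ == "__main__":
    print("before:", negotiate(FRITZBOX, PFSENSE_BEFORE), explain_mismatch(FRITZBOX, PFSENSE_BEFORE))
    chosen = negotiate(FRITZBOX, PFSENSE_AFTER)
    print("after:", chosen, "-> DH group", DH_GROUP_NUMBER[chosen.dh])
```

    Note that the match lands on the strongest entry the FritzBox offers first (AES-256/SHA1), but both MODP_768 and MODP_1024 are weak groups; if both ends support it, a 2048-bit group (group 14) or larger is the setting a practitioner would prefer, and the DES and MD5 entries in the FritzBox list are best left unmatched on the pfSense side so they can never be selected.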
  • Hi Peter,

    many thanks for your reply! I'll try to implement this solution as soon as possible; due to a lot of other work this will be at the weekend at the earliest :/ .

    I'll report again as soon as possible.

    Thanks again!

    Nadimo

    Wednesday, June 28, 2017 8:46 AM