Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who Me Too'd this topic

VPN from two PAs to Azure with asymmetrical routing using BGP

L1 Bithead

We have two on-prem data centers connected with dual L3 EVC links between them on our core switches and we are using OSPF for routing. We also have PA firewalls deployed in each location and we are extending OSPF up to them. We are then connected to Azure over each of the PAs over an IPSEC VPN and using BGP and injecting the OSPF routes.


If I disable one of the IPSec tunnels, everything works perfectly.


The issue we are having is that Azure is sending return traffic back to the wrong data center location when both IPSec tunnels are up, then of course the firewall is dropping the traffic.


What is the best way with BGP to have the backup routes available, but make sure the traffic to each data center is for the local subnets in that data center.


For instance:

Data Center 1 -

Data Center 2 -

Azure -


I need to make sure that the VPN from Azure to DC1 has a route to and but the should only be a backup route and should send the traffic to DC2 if that route is available.


Azure should send traffic to to DC2 when that IPSec tunnel is up with a backup route to


What is the process with BGP to force the route(s) that I'm advertising from DC1, which should be a backup route to DC2, to force it to be a backup route to stop the asymmetrical routing?

Who Me Too'd this topic