06-24-2020 10:27 PM
Hello all,
I have set up a PAN cluster in an Azure environment and also extended the Active Directory domain controllers in Azure (configure site links and AD AD replication with Virtual Machines in Azure), I have Azure ExpressRoute in middle and all traffic from on-prem is routed via the PAN cluster.
Now the issue I'm experiencing is that, on-prem workstation (even via VPN/VDI connectivity) are trying to the connect the Active Directory domain controllers in Azure,however, if the traffic routing from on-prem to Azure via the PAN is disable this issue doesn't occur...please what could be the problem
07-16-2020 02:44 PM
Based on the information provided, it is most likely an asymmetric route.
By default, Azure propagates the VNET routes to the ExpressRoute gateway. These routes do not use the VM-Series as the next hop.
If intent is to send traffic from ExpressRoute to the VM-Series, then the GatewaySubnet must have a User Defined Route that points to the firewall. Likewise, the AD server subnet's in Azure must also have a UDR that points to VM-Series. You can disable route propagation between the GatewaySubnet and AD subnet by disabling BGP route propagation within their Azure route tables.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
