App service not working with on-premises VPN












0















I've been trying to set up an App Service which communicates with a server in our on-premises environment. I've set up everything regarding VNET, Local network gateway, Virtual network gateway, Point-to-Site and so on. I've also set up a Linux VM to enable testing, the VM can communicate with on-prem and on-prem reaches our VM.



I also connected the app service to the VNET and it is able to tcpping the VM. But I can't get the app service to communicate with the on-prem service.



In the App Service Plan everything looks normal, I can see all the subnets, site-to-site, point-to-site and that the certificates are in sync.



But when I look at the Networking for the App Service it does not show as connected and Azure says that the certificates are not in sync. Could this be one of the reasons why the App Service and the on-prem can't communicate? Do I have to add routes for the Point-to-Site to the on-prem network?



Image - Networking - App Service Plan



Image - Networking - App Service



Image - Networking - Vnet Integration






azure azure-web-app-service azure-virtual-network vnet







share|improve this question

























  • May I know if there is an update on your side?

    – Nancy Xiong
    Nov 13 '18 at 8:04











  • @NancyXiong-MSFT Everything is working now, I spoke with IT and they had apparently missed some settings in their FW which blocked all request from the App but only some from the VM in the VNET.

    – Crib
    Nov 13 '18 at 9:24
















0















I've been trying to set up an App Service which communicates with a server in our on-premises environment. I've set up everything regarding VNET, Local network gateway, Virtual network gateway, Point-to-Site and so on. I've also set up a Linux VM to enable testing, the VM can communicate with on-prem and on-prem reaches our VM.



I also connected the app service to the VNET and it is able to tcpping the VM. But I can't get the app service to communicate with the on-prem service.



In the App Service Plan everything looks normal, I can see all the subnets, site-to-site, point-to-site and that the certificates are in sync.



But when I look at the Networking for the App Service it does not show as connected and Azure says that the certificates are not in sync. Could this be one of the reasons why the App Service and the on-prem can't communicate? Do I have to add routes for the Point-to-Site to the on-prem network?



Image - Networking - App Service Plan



Image - Networking - App Service



Image - Networking - Vnet Integration






azure azure-web-app-service azure-virtual-network vnet







share|improve this question

























  • May I know if there is an update on your side?

    – Nancy Xiong
    Nov 13 '18 at 8:04











  • @NancyXiong-MSFT Everything is working now, I spoke with IT and they had apparently missed some settings in their FW which blocked all request from the App but only some from the VM in the VNET.

    – Crib
    Nov 13 '18 at 9:24














0












0








0








I've been trying to set up an App Service which communicates with a server in our on-premises environment. I've set up everything regarding VNET, Local network gateway, Virtual network gateway, Point-to-Site and so on. I've also set up a Linux VM to enable testing, the VM can communicate with on-prem and on-prem reaches our VM.



I also connected the app service to the VNET and it is able to tcpping the VM. But I can't get the app service to communicate with the on-prem service.



In the App Service Plan everything looks normal, I can see all the subnets, site-to-site, point-to-site and that the certificates are in sync.



But when I look at the Networking for the App Service it does not show as connected and Azure says that the certificates are not in sync. Could this be one of the reasons why the App Service and the on-prem can't communicate? Do I have to add routes for the Point-to-Site to the on-prem network?



Image - Networking - App Service Plan



Image - Networking - App Service



Image - Networking - Vnet Integration






azure azure-web-app-service azure-virtual-network vnet







share|improve this question
















I've been trying to set up an App Service which communicates with a server in our on-premises environment. I've set up everything regarding VNET, Local network gateway, Virtual network gateway, Point-to-Site and so on. I've also set up a Linux VM to enable testing, the VM can communicate with on-prem and on-prem reaches our VM.



I also connected the app service to the VNET and it is able to tcpping the VM. But I can't get the app service to communicate with the on-prem service.



In the App Service Plan everything looks normal, I can see all the subnets, site-to-site, point-to-site and that the certificates are in sync.



But when I look at the Networking for the App Service it does not show as connected and Azure says that the certificates are not in sync. Could this be one of the reasons why the App Service and the on-prem can't communicate? Do I have to add routes for the Point-to-Site to the on-prem network?



Image - Networking - App Service Plan



Image - Networking - App Service



Image - Networking - Vnet Integration






azure azure-web-app-service azure-virtual-network vnet




azure azure-web-app-service azure-virtual-network vnet






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 12 '18 at 18:48









David Makogon

56.4k15104151




56.4k15104151










asked Nov 12 '18 at 16:22









CribCrib

11




11













  • May I know if there is an update on your side?

    – Nancy Xiong
    Nov 13 '18 at 8:04











  • @NancyXiong-MSFT Everything is working now, I spoke with IT and they had apparently missed some settings in their FW which blocked all request from the App but only some from the VM in the VNET.

    – Crib
    Nov 13 '18 at 9:24



















  • May I know if there is an update on your side?

    – Nancy Xiong
    Nov 13 '18 at 8:04











  • @NancyXiong-MSFT Everything is working now, I spoke with IT and they had apparently missed some settings in their FW which blocked all request from the App but only some from the VM in the VNET.

    – Crib
    Nov 13 '18 at 9:24

















May I know if there is an update on your side?

– Nancy Xiong
Nov 13 '18 at 8:04





May I know if there is an update on your side?

– Nancy Xiong
Nov 13 '18 at 8:04













@NancyXiong-MSFT Everything is working now, I spoke with IT and they had apparently missed some settings in their FW which blocked all request from the App but only some from the VM in the VNET.

– Crib
Nov 13 '18 at 9:24





@NancyXiong-MSFT Everything is working now, I spoke with IT and they had apparently missed some settings in their FW which blocked all request from the App but only some from the VM in the VNET.

– Crib
Nov 13 '18 at 9:24












1 Answer
1






active

oldest

votes


















0














If the Networking for the App Service is working well it should show as connected and the certificates are in sync. One or more of the possible actions you could try:




  • Avoid picking IP address space that overlaps with other networks.


  • When the Site to Site VPN is first set up then the scripts used to configure it should set up routes including your Point-to-Site VPN. If you add the Point-to-Site VPN after you create your Site to Site VPN, then you need to update the routes manually.


  • If those certificates or network information is changed, then you need to click Sync Network to forcibly sync the certificate to ensure the security of the connection. NOTE: When you click Sync Network then you cause a brief outage in connectivity between your app and your VNet. While your app is not restarted, the loss of connectivity could cause your site to not function properly.



You can get more details from the VNet Integrations.



Update



If your VNet hosted VM can reach your on-premises system but your app can't then the reason is likely one of the following:





  • your routes are not configured with your point to site IP ranges in your on-premises gateway

  • your network security groups are blocking access for your Point-to-Site IP range

  • your on-premises firewalls are blocking traffic from your Point-to-Site IP range

  • you have a User Defined Route(UDR) in your VNet that prevents your Point-to-Site based traffic from reaching your on-premises network







share|improve this answer


























  • Thank you for your reply! Regarding your second point, Point-to-Site addresses don't seem to be added to the configuration generated by the connection between virtual network gateway and local network gateway. So the part with "need to update the routes manually", does this mean updating the vnet integration or the on premise configurations?

    – Crib
    Nov 13 '18 at 8:46













  • Yes, you may need to update your on-premises VPN gateway with the routes for your Point-to-Site IP range. Add an update in my reply, hope this can help others.

    – Nancy Xiong
    Nov 13 '18 at 10:40











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53266221%2fapp-service-not-working-with-on-premises-vpn%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














If the Networking for the App Service is working well it should show as connected and the certificates are in sync. One or more of the possible actions you could try:




  • Avoid picking IP address space that overlaps with other networks.


  • When the Site to Site VPN is first set up then the scripts used to configure it should set up routes including your Point-to-Site VPN. If you add the Point-to-Site VPN after you create your Site to Site VPN, then you need to update the routes manually.


  • If those certificates or network information is changed, then you need to click Sync Network to forcibly sync the certificate to ensure the security of the connection. NOTE: When you click Sync Network then you cause a brief outage in connectivity between your app and your VNet. While your app is not restarted, the loss of connectivity could cause your site to not function properly.



You can get more details from the VNet Integrations.



Update



If your VNet hosted VM can reach your on-premises system but your app can't then the reason is likely one of the following:





  • your routes are not configured with your point to site IP ranges in your on-premises gateway

  • your network security groups are blocking access for your Point-to-Site IP range

  • your on-premises firewalls are blocking traffic from your Point-to-Site IP range

  • you have a User Defined Route(UDR) in your VNet that prevents your Point-to-Site based traffic from reaching your on-premises network







share|improve this answer


























  • Thank you for your reply! Regarding your second point, Point-to-Site addresses don't seem to be added to the configuration generated by the connection between virtual network gateway and local network gateway. So the part with "need to update the routes manually", does this mean updating the vnet integration or the on premise configurations?

    – Crib
    Nov 13 '18 at 8:46













  • Yes, you may need to update your on-premises VPN gateway with the routes for your Point-to-Site IP range. Add an update in my reply, hope this can help others.

    – Nancy Xiong
    Nov 13 '18 at 10:40
















0














If the Networking for the App Service is working well it should show as connected and the certificates are in sync. One or more of the possible actions you could try:




  • Avoid picking IP address space that overlaps with other networks.


  • When the Site to Site VPN is first set up then the scripts used to configure it should set up routes including your Point-to-Site VPN. If you add the Point-to-Site VPN after you create your Site to Site VPN, then you need to update the routes manually.


  • If those certificates or network information is changed, then you need to click Sync Network to forcibly sync the certificate to ensure the security of the connection. NOTE: When you click Sync Network then you cause a brief outage in connectivity between your app and your VNet. While your app is not restarted, the loss of connectivity could cause your site to not function properly.



You can get more details from the VNet Integrations.



Update



If your VNet hosted VM can reach your on-premises system but your app can't then the reason is likely one of the following:





  • your routes are not configured with your point to site IP ranges in your on-premises gateway

  • your network security groups are blocking access for your Point-to-Site IP range

  • your on-premises firewalls are blocking traffic from your Point-to-Site IP range

  • you have a User Defined Route(UDR) in your VNet that prevents your Point-to-Site based traffic from reaching your on-premises network







share|improve this answer


























  • Thank you for your reply! Regarding your second point, Point-to-Site addresses don't seem to be added to the configuration generated by the connection between virtual network gateway and local network gateway. So the part with "need to update the routes manually", does this mean updating the vnet integration or the on premise configurations?

    – Crib
    Nov 13 '18 at 8:46













  • Yes, you may need to update your on-premises VPN gateway with the routes for your Point-to-Site IP range. Add an update in my reply, hope this can help others.

    – Nancy Xiong
    Nov 13 '18 at 10:40














0












0








0







If the Networking for the App Service is working well it should show as connected and the certificates are in sync. One or more of the possible actions you could try:




  • Avoid picking IP address space that overlaps with other networks.


  • When the Site to Site VPN is first set up then the scripts used to configure it should set up routes including your Point-to-Site VPN. If you add the Point-to-Site VPN after you create your Site to Site VPN, then you need to update the routes manually.


  • If those certificates or network information is changed, then you need to click Sync Network to forcibly sync the certificate to ensure the security of the connection. NOTE: When you click Sync Network then you cause a brief outage in connectivity between your app and your VNet. While your app is not restarted, the loss of connectivity could cause your site to not function properly.



You can get more details from the VNet Integrations.



Update



If your VNet hosted VM can reach your on-premises system but your app can't then the reason is likely one of the following:





  • your routes are not configured with your point to site IP ranges in your on-premises gateway

  • your network security groups are blocking access for your Point-to-Site IP range

  • your on-premises firewalls are blocking traffic from your Point-to-Site IP range

  • you have a User Defined Route(UDR) in your VNet that prevents your Point-to-Site based traffic from reaching your on-premises network







share|improve this answer















If the Networking for the App Service is working well it should show as connected and the certificates are in sync. One or more of the possible actions you could try:




  • Avoid picking IP address space that overlaps with other networks.


  • When the Site to Site VPN is first set up then the scripts used to configure it should set up routes including your Point-to-Site VPN. If you add the Point-to-Site VPN after you create your Site to Site VPN, then you need to update the routes manually.


  • If those certificates or network information is changed, then you need to click Sync Network to forcibly sync the certificate to ensure the security of the connection. NOTE: When you click Sync Network then you cause a brief outage in connectivity between your app and your VNet. While your app is not restarted, the loss of connectivity could cause your site to not function properly.



You can get more details from the VNet Integrations.



Update



If your VNet hosted VM can reach your on-premises system but your app can't then the reason is likely one of the following:





  • your routes are not configured with your point to site IP ranges in your on-premises gateway

  • your network security groups are blocking access for your Point-to-Site IP range

  • your on-premises firewalls are blocking traffic from your Point-to-Site IP range

  • you have a User Defined Route(UDR) in your VNet that prevents your Point-to-Site based traffic from reaching your on-premises network








share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 13 '18 at 10:40

























answered Nov 13 '18 at 2:21









Nancy XiongNancy Xiong

2,813118




2,813118













  • Thank you for your reply! Regarding your second point, Point-to-Site addresses don't seem to be added to the configuration generated by the connection between virtual network gateway and local network gateway. So the part with "need to update the routes manually", does this mean updating the vnet integration or the on premise configurations?

    – Crib
    Nov 13 '18 at 8:46













  • Yes, you may need to update your on-premises VPN gateway with the routes for your Point-to-Site IP range. Add an update in my reply, hope this can help others.

    – Nancy Xiong
    Nov 13 '18 at 10:40



















  • Thank you for your reply! Regarding your second point, Point-to-Site addresses don't seem to be added to the configuration generated by the connection between virtual network gateway and local network gateway. So the part with "need to update the routes manually", does this mean updating the vnet integration or the on premise configurations?

    – Crib
    Nov 13 '18 at 8:46













  • Yes, you may need to update your on-premises VPN gateway with the routes for your Point-to-Site IP range. Add an update in my reply, hope this can help others.

    – Nancy Xiong
    Nov 13 '18 at 10:40

















Thank you for your reply! Regarding your second point, Point-to-Site addresses don't seem to be added to the configuration generated by the connection between virtual network gateway and local network gateway. So the part with "need to update the routes manually", does this mean updating the vnet integration or the on premise configurations?

– Crib
Nov 13 '18 at 8:46







Thank you for your reply! Regarding your second point, Point-to-Site addresses don't seem to be added to the configuration generated by the connection between virtual network gateway and local network gateway. So the part with "need to update the routes manually", does this mean updating the vnet integration or the on premise configurations?

– Crib
Nov 13 '18 at 8:46















Yes, you may need to update your on-premises VPN gateway with the routes for your Point-to-Site IP range. Add an update in my reply, hope this can help others.

– Nancy Xiong
Nov 13 '18 at 10:40





Yes, you may need to update your on-premises VPN gateway with the routes for your Point-to-Site IP range. Add an update in my reply, hope this can help others.

– Nancy Xiong
Nov 13 '18 at 10:40


















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53266221%2fapp-service-not-working-with-on-premises-vpn%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Coverage of Google Street View

Image
Coverage of Google Street View From Wikipedia, the free encyclopedia Jump to navigation Jump to search Countries and dependencies with:    mostly full coverage    partial coverage    full or partial coverage planned (official)    full or partial coverage planned (unofficial)    views of selected businesses and/or tourist attractions only    views of private businesses only    no current or planned coverage Google Street View was first introduced in the United States on May 25, 2007, and until November 26, 2008, featured camera icon markers, each representing at least one major city or area (such as a park), and usually the other nearby cities, towns, suburbs, and parks. Many areas that had coverage were represented by icons. Contents 1 Key additions 2 Timeline of introductions 2.1 2007 2.2 2008 2.3 2009 2.4 2010 2.5 2011 2.6 2012 2.7 2013 2.8 2014 2.9 20...
Read more

Full-time equivalent

Image
Full-time equivalent From Wikipedia, the free encyclopedia Jump to navigation Jump to search Full-time equivalent ( FTE ) or whole time equivalent ( WTE ) is a unit that indicates the workload of an employed person (or student) in a way that makes workloads or class loads comparable [1] across various contexts. FTE is often used to measure a worker's or student's involvement in a project, or to track cost reductions in an organization. An FTE of 1.0 is equivalent to a full-time worker or student, while an FTE of 0.5 signals half of a full work or school load. [2] Contents 1 U.S. Federal Government 2 In education 2.1 Example 3 Notes 4 References U.S. Federal Government [ edit ] In the U.S. Federal Government, FTE is defined by the Government Accountability Office (GAO) as the number of total hours worked divided by the maximum number of compensable hours in a full-time schedule as...
Read more

Surfing

Image
Surfing From Wikipedia, the free encyclopedia Jump to navigation Jump to search This article is about stand-up ocean surfing. For other uses, see Surfing (disambiguation). "Surfer" redirects here. For other uses, see Surfer (disambiguation). Surfing A surfer at the Cayucos Pier, Cayucos, California Highest governing body World Surf League (WSL) Characteristics Mixed gender Yes, separate competitions Presence Country or region Worldwide Olympic Will debut in 2020 Surfing on the Gold Coast, Queensland, Australia Surfing is a surface water sport in which the wave rider, referred to as a surfer, rides on the forward or deep face of a moving wave, which usually carries the surfer towards the shore. Waves suitable for surfing are primarily found in the ocean, but can also be found in lakes or rivers in the form of a standing wave or tidal bore. However, surfers can also utilize artifi...
Read more