Azure VPN Active Active Asymetric

Forum|Forum|1 year ago
March 10, 2025
1 reply
1789 views

Hello

i have topology to azure like below pic and found asymmetric routing.

Azure by default will use both tunnel simultaneously but when in the fortigate set traffic to azure only to peer 1 so azure can't communicate with the onprem.

Anyone know how to make FortiGate can accept traffic from both tunnel?

FortiGate

dingjerry_FTNT

Staff

Hi @HS08 ,

I don't understand what your issue/question is.

Do you mean that the traffic goes to Azure via peer1 but returns to FGT via peer2?

HS08Author

Visitor III

yes like that

Toshi_Esumi

SuperUser

That's because Azure advertises the same routes from both sides while your FGT picks one side of BGP routes and put it into RIB. You need to enable ECMP for eBGP (ASNs are different between Azure and the FGT) like below:

config router bgp
set ebgp-multipath enable
end

Then you should have the same route to two neighbors in RIB like below:
B 10.1.x.0/24 [20/0] via 10.y.y.4 (recursive via xxxAzure2 tunnel x.x.x.x), 2d21h21m, [1/0]
[20/0] via 10.y.y.5 (recursive via xxxAzure1 tunnel x.x.x.x), 2d21h21m, [1/0]
We've learned this when we set up similar for our customer's Azure.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded